A whaling phishing attack is defined as a cyber attack wherein cybercriminals disguise themselves as members of a senior management team or other high-power executives of an establishment to target individuals within the organization, either to siphon off money or access sensitive information for malicious purposes. This article covers the basics of whaling phishing, ways to identify an attack, and lists some best practices to prevent them.
Table of Contents
What Is a Whaling Phishing Attack?
A whaling phishing attack is a cyber attack wherein cybercriminals disguise themselves as members of a senior management team or other high-power executives of an establishment to target individuals within the organization, either to siphon off money or access sensitive information for malicious purposes.Â
Also called CEO fraud, whaling is a specific type of phishing. As with regular phishing attacks, whaling also uses emails, website spoofing, calls, SMSs, and other mediums to trick high-value targets into granting illegitimate access to company infrastructure or funds.Â
The difference between whaling and other types of phishing lies in the specificity of the target. While phishing targets an extensive list of random individuals and spear phishing targets individuals chosen for a particular reason, whaling moves one step ahead. It targets very specific individuals and crafts fraudulent communication so that it appears as if it is being sent from a senior or otherwise influential person within the target’s organization.Â
In colloquial lingo, whaling phishing targets ‘whales’, i.e., ‘big phish’ within a company, such as finance heads, vice presidents, CEOs, and the like. Whaling mixes a nuanced ‘authoritative’ element into the already existing social engineering cocktail that is phishing—a whaling attack is often successful because the lower-ranked staff is reluctant to refuse or even cross-question a request that appears to have come from an important authority in their organization.
Cybercriminals make whaling attacks more ‘believable’ by gathering information from their targets’ social media profiles to ensure the email or communication being crafted to execute the attack is maximally effective. A simple example of this would be an email that is framed to look like it is from a senior manager and references a fact that is available online and the attacker happened to spot—such as social media photographs of an office Christmas party. The email would then contain a line that says, “Hi Bob, it’s Phil again. Last night was a blast, wasn’t it? Did you enjoy the shrimp appetizers?â€
To add another layer of nuance to whaling emails, cybercriminals also use an email address that appears to be from within the organization. Unlike regular phishing emails, which may sometimes be intentionally low-effort to filter ‘smart’ recipients, whaling is almost always ‘high-effort’ in nature.Â
The communication is formatted with proper corporate logos, signatures, and links to fraudulent websites that have been designed to appear legitimate. Whales tend to have a high level of trust in the authenticity of the communications they receive (after all, who’d have the audacity to contact a C-suite officer under false pretenses, right?).Â
This aspect, combined with high levels of internal access that almost all whales enjoy within an organization, makes whaling attacks particularly worth the effort. Thus, cybercriminals put a lot of extra work into making their illegitimate endeavor come across as highly believable.
Also Read: What Is Phishing? Definition, Types, and Prevention Best Practices
6 Best Ways to Identify Whaling Phishing
Unlike other forms of cybercrime, such as hacking attacks, it is not possible to completely prevent employees from being targeted by whaling phishing attacks. The reason for this is simple: these attacks are executed over commonly used mediums such as emails, calls, and SMSs, which can be sent by anybody who has the correct contact details. In addition, implementing strong filters for these mediums can lead to important communication being missed, especially at higher management levels.
Any sufficiently sophisticated whaling attack will be very difficult to identify. However, organizations can take some steps to minimize the probability of these attacks being successful.
Ways to Identify a Whaling Phishing Attack
1. Flag external emails
As a rule, whaling phishing emails come from outside the organizational email network. They may be designed to look as genuine as possible, but it can be difficult for novice crooks to make an external email appear like it’s from an internal sender.Â
As such, one of the simplest ways to highlight potential whaling attacks is to set organizational email filters to simply ‘flag’ emails that have not been sent from within the corporate network without actually blocking them (to remove the possibility of important communication from external senders being missed).
2. Crosscheck sensitive requests
Any large payment is almost always going to be discussed beforehand. Therefore, if you receive an email requesting that you authorize the transfer of a large sum of money, and it has not been discussed before, something has got to be amiss.Â
Whether it’s this type of communication or an email from the network admin asking you to enter your password for some vague reason, it’s always a good idea to just pick up the phone and cross-verify any unsolicited request before executing it.
3. Identify near-similar email domains
Some cybercriminals create emails with a domain similar to the organization’s, but with a slight difference (as the exact domain name will not be available for sale). Keep an eye out for alterations such as additional letters or numbers, especially on unsolicited or otherwise suspicious emails.Â
For instance, [email protected] and [email protected] almost appear to be the same, but the latter is clearly an impersonator.
Also Read: Whaling vs. Spear Phishing: Key Differences and Similarities
4. Watch out for links in emails
An email with a link that says it will take you to a specific place should not always be trusted blindly, especially if it is unsolicited. Always crosscheck URLs and be wary of the possibility of hyperlinked URLs—hover the cursor over any suspicious link to see where it is actually going to lead.Â
A URL that does not seem to match the context of the SMS or email should not be trusted either. As far as possible, make sure the URL begins with HTTPS. Finally, some whaling phishers hyperlink the entire email so that a single click, whether deliberate or accidental, will open a spoofed web page or download malicious content. In such cases, close the opened web page and notify your IT team immediately.
5. Confirm source of unsolicited attachments
Has someone sent you a document that you never really requested? Be careful because that’s exactly how whaling phishers can get you to open tainted Word docs or ZIP files. Always ensure that you reach out to the supposed sender over a different communication medium and verify the authenticity of any unsolicited attachments that have been received.Â
Only after confirming the source should you proceed with opening the document and file for further use.
6. Spot spelling, grammar, and writing style issues
Finally, one of the simplest ways to spot a whaling phishing email is poor grammar, incorrect spellings, and a writing style that is off the mark. For instance, if a vice president who usually starts his emails with ‘Hi Tim’ suddenly sends you an email starting with ‘Hello,’ it’s worth a brief investigation using the advice above.Â
Most individuals follow the same styles and wording day in and day out in the communications, so if something seems different, it would be a good idea to verify the origin of the communication before taking the next step.
Also Read: What Is a Spear Phishing Attack Definition, Process, and Prevention Best Practices
Top 7 Best Practices to Prevent Whaling Phishing Attacks in 2021
As the COVID-19 pandemic drove the world to work from home in 2020, cybercriminals took their chance to target renowned international organizations across industries. Many leading global companies such as FireEye, SolarWinds, Intel, Cisco, VMware, Nvidia, and Marriott International have reported being targeted by cybercriminals last year.Â
This was in conclusion of the decade that saw a $3 million whaling phishing attack on Mattel (2015), a payroll data leak through a whaling attack on Snapchat (2016), and multiple whaling phishing attacks that were executed using an email address purportedly from the United States District Court.
With 2021 being similar to 2020 in terms of the prevalence of remote working, here are a few best practices to help senior executives spot and avoid even the most carefully crafted whaling phishing attacks.
Best Practices to Prevent Whaling Phishing Attacks
1. Prioritize awareness regarding whaling
The best defense against whaling attacks is education. By keeping key personnel informed about ways they could be targeted, important staff members are more likely to maintain a healthy suspicion level when contacted without solicitation, especially communication pertaining to the authorization of financial transactions or anything related to sensitive information.
Senior managers, members of the finance team, and other key staff should be trained on how whaling attacks work, how they can be spotted and avoided, and the harm they can inflict if not prevented. Some points to touch upon include unsolicited requests/attachments, spoofed sender names, and disguised URLs. Mock whaling attacks can prove to be immensely useful as a teaching tool.
Of course, the COVID-19 pandemic has been a boon for cybercriminals, especially phishers. Proofpoint, an enterprise security company, alone blocked millions of malicious emails with pandemic-related content in 2020. Even in 2021, cybercriminals continue to exploit the panic around the novel coronavirus, with attacks being themed around more recent events such as vaccine rollouts and stimulus funding.
Operation leaders need to be especially wary of phishing emails with subjects such as ‘FDA Director: Safety Measures for COVID-19′, ‘Corona-related Hospital Visit’, ‘Boston PD Warning!!! COVID Scams’, and ‘COVID-19 Breakout in Accounting’. As the pandemic rages on, concerned C-suite officers and other key personnel may be less likely to see through COVID-19-themed whaling phishing attacks.
2. Make higher management stakeholders
Just because the chief financial officer, for example, has nothing to do with IT doesn’t mean he can get away with disregarding basic digital etiquette. To make all possible targets of whaling phishing attacks ‘stakeholders’ in the quest for robust cybersecurity, these tips would help.
-
- Regardless of position, one should not assume that trainees understand cybersecurity lingo. Use simple terminology when training key staff to prevent them from ‘disconnecting’ during instructions.
- Do not present whaling phishing as a ‘work thing’ or a burden. Instead, help higher managers see value in boosting their cybersecurity standing, whether at home or work.
- Communicate clearly and regularly with all ‘stakeholders’ regarding whaling phishing.
- Regular fake whaling phishing tests will ensure that employees are ready when a real attack occurs.
- Empower all employees across levels. Enable them to reach out to even the CEO, if required, through proper channels. This will be immensely helpful in cases where the whaling phisher pretends to be a high-ranking member of the management team and ‘authorizes’ a big transfer to an otherwise unheard-of recipient.
- Give the higher management team a safe space to make mistakes and learn from them. Again, dummy phishing tests can be very helpful here.
- Last but not least — two heads are always better than one. Change procedures so that two employees have to sign off on payments above a certain value. This gives both employees an additional point of view to clear any existing doubts and can also help minimize the fear of punishment if a leader is annoyed by any refusal or cross-examination because, as outlined above, such fear of authority is one of the main social engineering tactics that attackers rely on when executing whaling phishing attacks.
Also Read: Spear Phishing vs. Phishing: Key Differences and Similarities
3. Encourage private social media profiles
Attackers find information such as hobbies, birthdays, addresses, and friends useful in executing whaling phishing attacks. Therefore, asking key company executives to share minimal personal information on public profiles can help restrict the effectiveness of whaling phishing attacks.Â
Privacy restriction is the simplest and most effective way to prevent potential attackers from collecting and using personal data. High-ranking managers must also be careful about what they post on social media platforms such as Twitter, Facebook, and LinkedIn, lest this information is used in a whaling phishing attack.
4. Create a data privacy culture
Company culture is something that not only defines the organization externally but also guides its operations internally. By promoting data privacy as a core tenet of the company culture from the C-level, whaling phishing attacks and cybercrime, in general, will be spotted more easily and dealt with more effectively.
In addition to training C-suite executives to keep an eye out for typical signs of a whaling phishing attack, such as spoofed ‘From’ addresses & websites, and carrying out mock whaling phishing attacks on key staff, driving effective regulatory compliance is important.Â
As corporations and governments around the world draft, pass, and implement new policies and legislation to keep up with the ever-changing cyber threat paradigm, it is vital for organizations to consider hiring a full-time executive solely to ensure digital hygiene. After all, ensuring proper cybersecurity is a group exercise that begins with the leadership team and ends with every employee within the company.
Corporations that operate all over the globe need to comply with a multitude of varying and often contradictory regulations in different countries. However, whaling phishing attackers can target an executive thousands of miles away. Therefore, a company culture that is consistent across the globe will help ensure that successful whaling phishing attacks are minimized.
Appointing a Chief Privacy Officer (CPO) can help the leadership team inculcate a culture of data privacy and navigate the complicated global regulatory landscape to ensure compliance, both with internal policies and external laws.Â
The role of the CPO is to understand the most recent privacy laws and regulations across the operational landscape of the organization. The CPO can also meet high-ranking representatives of regulatory agencies for guidance around compliance. Contact with regulators can assist in the clear and accurate interpretation and application of privacy regulations throughout the organization.
Additionally, one or more data protection officers (DPOs) can assist the CPO and help monitor regulations and legislation. Daily responsibilities of the DPO can include keeping an eye on compliance with the finer details of industry privacy regulations globally. With dedicated data privacy roles such as CPOs and DPOs from the highest level, the organization’s culture is bound to become more cybersecurity-centric, ultimately reducing the chances of a whaling attack.
5. Combine security awareness and threat intelligence
Corporations often leverage cyber threat intelligence to make training decisions regarding whaling phishing and other cyber attacks. However, the problem arises when training teams rely either solely or largely on threat intelligence for this process. By improving and making cybersecurity training more holistic and putting threat intelligence to its full possible use, organizations must ensure that users understand known whaling threats faced either by the organization or by the industry.Â
Phishing tests that mimic trending threats can be beneficial—it is better for everybody if possible, whaling targets fall for (and hopefully learn from) a dummy test than the real thing. Finally, deliver personalized training to important members of the organization (who are much more likely to be targeted). It prepares them to deal with such attacks and gives them a safe space to make mistakes and ask ‘silly questions’ without any perceived harm to their reputation.
As defenses constantly evolve to tackle dynamic threats, a structured approach is vital to thwart threats that could otherwise wreak unimaginable havoc to businesses. Especially in 2021, where remote work is more common than ever, annual cybersecurity training (or worse, training that is only administered once, during induction) and low-effort awareness programs are simply not going to be sufficient anymore.Â
It is not difficult to imagine the enormity of the damage that execs can cause if they fall victim to a whaling phishing attack and end up accidentally opening a harmful link in an email or sharing sensitive data with a person with malicious intent.
Social engineering is a staple of whaling and one of the most reliable ways to execute a successful whaling phishing attack. Phishing simulations and awareness campaigns can help potential targets reduce the risk of being attacked by training them on digital hygiene and how not to fall prey to the social engineering tactics used by ‘whalers.’ It is worth investing in regular employee education when it comes to cybersecurity—whether it is through email campaigns, more open communication policies, intensive employee awareness sessions, or expert assistance for the IT team.Â
The ultimate goal should be to get employees to think twice before they end up unintentionally sharing sensitive information with the wrong person. After all, organizations that have cybersecurity-aware employees are better positioned to prevent and counter cyber attacks.
6. Outline a comprehensive security plan
Often, the team responsible for security training and awareness is separate from the IT and infosec teams, leading to gaps between what is being taught and the reality within the organization. By ensuring seamless intersection and interaction between all user-related security functions, the risk surface of the company, and consequently, the probability of successful whaling phishing attacks, can be minimized.
To gauge the effectiveness of password training, the management can keep track of metrics such as the number of times participants requested password resets before the training versus afterward. Other statistics, such as tracking the number of violations in data loss prevention parameters, can also help measure the efficacy of data security training sessions.
Establishing a simple form of oversight—such as the metric tracking efforts mentioned above—creates an approach to security that is result-oriented. It demonstrates the impact of user behavior on overall corporate security. It also gives the CISO and infosec teams visibility into the organization’s overall security posture that is actionable and measurable.
7. Implement data protection solutions
Data loss prevention solutions provide the final line of defense against social engineering attacks such as whaling phishing by preventing sensitive data from falling into the wrong hands, even if an employee is somehow tricked into sending it across. The risks presented by spoofed communications can also be minimized by automatically flagging emails received from outside the company network for review.Â
This helps because whaling phishers often rely on tricking key personnel into believing that an email is from within the organization. For instance, a fake request to remit money from the CFO. Dedicated anti-phishing solutions such as link validation and URL screening can also be used. Finally, another simple and effective way to counter whaling phishing attacks is adding a second level of validation for sensitive requests, such as a video or voice call.
Also Read: What Is Email Security? Definition, Benefits, Examples, and Best Practices
Takeaway
Traditional technologies and tools are only so effective in detecting and countering whaling phishing attacks. Especially in 2021, with many major companies having at least a few teams working remotely, increased awareness and unrestricted communication channels are two effective ways to prevent loss to a company’s coffers and damage to its reputation due to well-crafted whaling attacks.
Did this article help you? Tell us on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!