Whaling attacks use the same tactics as spear-phishing: attacks that specifically target one person or group to breach their network, rather than casting the “wide net” of generic phishing scams. Whaling takes this even further by targeting high-level executives or influencers to obtain incredibly valuable data or access.
Whales are, generally, high-profile targets within a company: think C-level executives, spokespeople, and senior team members, or anyone who has higher than average authority and access within your company.
Whales will also typically have some degree of public profile. The more information about them that is publicly available, the better cyber criminals can craft specific whaling attempts against them. Whaling attempts will trawl social media and other public information for key details to seem like genuine sources with genuine requests.
The reason whales make compelling targets for phishing scams is that they have greater access to internal data and systems than average employees. A scammer targeting a whale invests all that additional time and effort because the potential payoff is far greater.
A CFO might be tricked into approving a huge wire transfer of funds, or a senior HR executive could share banking details for the entire company. Those aren’t even hypothetical scenarios: both of those things happened to real companies in the past 5 years.
Huge companies have been the victims of whaling scams. In 2016, Snapchat handed over employee payroll information to someone impersonating the company CEO, Evan Spiegel.
European film company Pathé lost over $21 million in 2018, which began when their CFO and CEO responded to a fraudulent request to confidentially transfer $800,000 to the attackers.
As recently as 2020, the co-founder of hedge fund Levitas Capital clicked on a fake Zoom link, and lost $800,000 to a fraudulent invoice scam. The hit to their reputation cost Levitas Capital its biggest client, and the company was forced to close.
Even though they use the same basic game plan as other phishing attempts, whaling scams are even harder to stop. Far more research and planning goes into whaling attacks, as each one is specially crafted with a specific target in mind.
Forbes reported that 60-70% of CFOs have been the victims of successful phishing attempts. Employees who are suffering from overwork or stress are also less resilient when it comes to spotting phishing attempts.
The extra effort is due to how lucrative whaling scams can be for cyber criminals. In addition to accessing huge amounts of sensitive data only available to C-level executives, companies have lost tens of millions of dollars in a single stroke.
Reporting is also a serious issue with whaling attacks, as the longer a successful breach goes unreported, the higher the ceiling on potential damages.
While we’d like to imagine impenetrable firewalls protecting company servers, the fact remains that almost every successful cybersecurity breach is due to human error.
Whaling attacks will attempt to access compromised corporate email addresses, request fraudulent wire transfers, steal login credentials or access confidential company data from senior staff at a company. By impersonating someone that the target knows through using a combination of personal details gleaned from publicly available info and spoofed or compromised email accounts, hackers will try to trick victims into an unforced error.
Here’s the good news. Most whaling attacks can be avoided in the same way as other phishing attacks, even if the attacks themselves are more sophisticated. No matter what form the attempt takes or who the target is, all phishing attacks require the target to take action to cause a successful breach.
Employees at all levels should be careful what information is publicly shared about high-level team members. Similarly, C-level executives should also be wary of what they post publicly to social media. Details like birthdays, hobbies and vacations can add credibility to scammers impersonating personal contacts. Education remains a key pillar in preventing any phishing attempts.
Finally, data protection policies can be a huge help in stopping phishing scams in their tracks. Monitoring where emails come from and any other suspicious network activity can provide an additional safety net against breach attempts. Using confidential, internal messaging platforms and verification systems on any data or financial transfers can also help prevent successful attacks.
As with all phishing attempts, once a breach has occurred the most important thing is damage mitigation. Report the breach internally and to authorities, close off unauthorised access, and change any compromised credentials.
There are some telltale signs of whaling attempts, even if the source of the request for information seems genuine. Be on the lookout for spoofed email addresses (using “vv” instead of “w”, for instance).
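One way to automate the address check above, and the sender monitoring mentioned earlier, is a small filter over the From: header. This is an added example, not code from the original article or from Phriendly Phishing; the company domain, executive names and sample addresses are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample data: the organisation's real mail domain and the
# executives whose display names a whaling email is likely to borrow.
TRUSTED_DOMAINS = {"acmewidgets.com"}
EXECUTIVES = {"pat lee", "sam rivera"}

# Visually confusable substitutions seen in spoofed addresses. "vv" for "w"
# is the one the article mentions; the others are common lookalikes.
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e")]


def normalize(domain: str) -> str:
    """Collapse lookalike sequences and drop the TLD so a spoofed domain
    compares equal to the genuine one (e.g. acmevvidgets.co -> acmewidgets)."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    base = d.rsplit(".", 1)[0] if "." in d else d
    return re.sub(r"[^a-z0-9]", "", base)


def check_sender(header_from: str) -> list[str]:
    """Return the reasons a From: header looks like a whaling attempt.
    An empty list means nothing suspicious was found."""
    name, addr = parseaddr(header_from)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons: list[str] = []
    if domain in TRUSTED_DOMAINS:
        return reasons  # genuinely internal sender
    # Lookalike check: same name as a trusted domain once homoglyphs are folded.
    if normalize(domain) in {normalize(d) for d in TRUSTED_DOMAINS}:
        reasons.append(f"lookalike domain {domain!r}")
    # Impersonation check: an executive's display name on an external address.
    if name.strip().lower() in EXECUTIVES:
        reasons.append(f"executive display name {name!r} on external domain {domain!r}")
    return reasons


if __name__ == "__main__":
    for hdr in ['"Pat Lee" <pat.lee@acmewidgets.com>',
                '"Pat Lee" <pat.lee@acmevvidgets.com>',
                '"Sam Rivera" <ceo.samrivera@webmail.example>']:
        print(hdr, "->", check_sender(hdr) or "ok")
```

Such a check belongs alongside, not instead of, the verification step for transfers: a flagged header should route the message for out-of-band confirmation rather than silently dropping it.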
Executive team members who undergo phishing training are far less susceptible to all forms of phishing attacks, including whaling. Comprehensive cyber security requires employee training and a culture of data privacy. Having best practices instilled in your C-level executives is crucial, and studies show huge returns on even basic cybersecurity training.
Preventative measures are low-cost and high impact, especially when looking at the worst-case scenarios of whaling attacks. If you’re concerned about phishing scams impacting your business, please don’t hesitate to contact us or request a demo from Phriendly Phishing.