What Is a Whaling Attack? Understanding and Preventing Executive Spear Phishing Attacks
Whaling is a type of phishing attack aimed at high-level executives at an organization. Like other types of phishing emails, whaling utilizes social engineering to write personalized emails to trick executives into a scam.
Victims are high-ranking employees with a significant level of authority or access to a company's resources. These targets are referred to as whales since they’re a ‘big catch’ representing a large payoff to the attacker if successful.
Read on to learn more about how whaling attacks work, why they are so successful, and what to do to prevent these types of attacks from happening within your organization.
How Does a Whaling Attack Work?
Here’s a brief overview of a common whaling attack scenario:
A cybercriminal identifies a high-profile target, such as a C-suite executive.
The attacker does detailed research to learn about the target’s job as well as any financial transactions and sensitive data they oversee.
The attacker researches the company and industry to gain insight.
Based on their research into the individual and the company, the attacker creates the bait scenario.
The criminal spoofs or compromises the email account of a trusted vendor or coworker.
While impersonating a trusted source, the criminal uses social engineering tactics and urgency to commit invoice fraud, phish credentials, or deliver malware.
Unlike other types of email scams, whaling doesn't rely on mass emails to various recipients. Instead, whaling is a spear phishing attack using social engineering tactics to manipulate a specific recipient.
Another example of a whaling attack is when an attacker compromises an executive's email account and starts sending phishing emails to other high-ranking employees within the organization. In this case, the phishing strategy is a blend of whaling and business email compromise (BEC). These attacks are difficult to detect because the sending address is authentic and a trusted relationship already exists between the employees.
Whaling attacks can succeed when the attacker chooses the right executives to scam, identifies an ideal persona to impersonate, and creates an unsuspicious context between the recipient and sender.
Differences Between Whaling and Phishing
Whaling is a type of phishing attack. They both use social engineering tactics to trick a person into sharing sensitive information or installing malware.
However, phishing is conducted through various methods like phone calls, texts, and emails. It's usually sent to the masses, and it takes less of the attacker's time to prepare and execute. These attempts usually focus on credential phishing to maximize their payoff.
Meanwhile, whaling specifically targets high-level executives. And while whaling attacks commonly use email, other delivery methods are possible.
Whaling is a strategy reserved for attackers targeting businesses rather than low-level individuals. Because it is a highly specific strategy, it can take an attacker some time to choose a victim, select a trusted source to impersonate, and carefully set the bait.
Differences Between Whaling and Spear Phishing
Whaling and spear phishing are both types of phishing attacks. Whaling is a subset of spear phishing, but it specifically targets a ‘big fish’ like an executive.
In both strategies, attackers choose a specific target, research their lives and work to pick a trusted person to impersonate, and then use social engineering to send a phishing email.
Examples of Whaling Attacks
Attackers attempt whaling attacks constantly. Here are a few examples from recent years:
Mattel: The toy company almost lost $3 million in a scam blending whaling and CEO fraud. The attackers posed as the company CEO and emailed another high-level executive asking for a wire transfer. The executive fell for the scam. Luckily, a bank holiday prevented the transaction from completing.
FACC: The Austrian aerospace company lost $61 million in a whaling scam. A finance executive received an email impersonating the CEO, requesting a fund transfer for an acquisition project. The money was transferred to the attackers.
Seagate: Seagate, a data storage company, suffered a data breach due to whaling. An executive responded to an email requesting the W-2 forms of current and past employees. Almost 10,000 employees had their income tax data exposed.
How To Prevent Whaling Attacks
What steps should organizations take to prevent whaling attacks? Here are a few strategies to implement to minimize the risk of executives falling for whaling attacks:
Train executives in security awareness. Executives have access to sensitive information and financial resources, making them an attractive target for attackers. IT teams should ensure executives can identify suspicious emails and know what to do if they receive them.
Implement email authentication protocols to detect email spoofing. This includes correctly configuring SPF, DKIM, and DMARC for your domain.
Install and update antispam and antivirus software. Keep these applications current with the latest release; an outdated version leaves an IT vulnerability open.
Use advanced email security solutions with contextual behavioral analysis. Whaling attacks are commonly sent via email, and most email security services can’t detect them since the messages are often plain-text and unsuspicious. Advanced email security can detect unusual requests from impersonated or compromised accounts commonly used in whaling attacks.
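As an added example (not code from this article or from Abnormal Security), the Python check below applies the two controls above to one parsed message: it reads the SPF, DKIM, and DMARC verdicts from the Authentication-Results header, then flags an executive's display name used from an external or lookalike domain and a Reply-To that diverts replies elsewhere. The corporate domain, the executive name list, and the sample message are constructed assumptions.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"   # assumption: the organization's own sending domain
EXEC_NAMES = {"jane doe"}     # assumption: display names of known executives

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[method.lower()] = verdict.lower()
    return results

def whaling_indicators(raw):
    """Return indicator names for one raw RFC 5322 message (empty list = clean)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):       # any verdict other than pass is reported
        if auth.get(method) != "pass":
            findings.append(f"{method}_{auth.get(method, 'missing')}")
    if name.strip().lower() in EXEC_NAMES and domain != CORP_DOMAIN:
        findings.append("exec_display_name_external_domain")
    # Lookalike domain: close string match to the corporate domain (e.g. examp1e.com).
    if domain != CORP_DOMAIN and difflib.SequenceMatcher(None, domain, CORP_DOMAIN).ratio() > 0.85:
        findings.append("lookalike_domain")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:   # replies diverted to another mailbox
        findings.append("reply_to_domain_mismatch")
    return findings

# Constructed sample: CEO impersonation from a lookalike domain that passes its own SPF.
IMPERSONATION = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe@webmail.example
To: cfo@example.com
Subject: Urgent wire for acquisition
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=none header.from=examp1e.com

Please process the transfer today.
"""

if __name__ == "__main__":
    print(whaling_indicators(IMPERSONATION))
```

Note that SPF passes for the attacker's own lookalike domain, so an authentication result alone is not a legitimacy signal; the display-name and domain context is what exposes the impersonation.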
Abnormal Security stops whaling and other phishing attacks from successfully reaching your employees' inboxes. Request a demo to see how we do it.