What is a Whaling Attack? (Whaling Phishing)

Bart Lenaerts-Bergmans - November 2, 2023

Whaling Attack Definition

A whaling attack, also referred to as a whaling phishing attack, is a type of social engineering attack that specifically targets senior or C-level executives with the purpose of stealing money or information, or gaining access to the executive’s computer in order to execute further cyberattacks. Whaling attacks deliver high returns because the attacker hides behind a trusted name or group, such as another senior employee in the organization, which can trick the target into taking the desired action.

All social engineering attacks are based on deception. A target is persuaded to take an action, such as clicking on a bad link. While phishing attacks are non-specific and spear-phishing attacks are aimed at a certain demographic, company, or industry, whaling attacks use highly targeted business email compromise (BEC) techniques to perform each unique attack.

Learn More

The difference between phishing and spear phishing lies in the degree of personalization. See: Differences between Spear Phishing and Phishing.

How Does a Whaling Attack Work?

Whaling attacks succeed in fooling sophisticated people because they are based on a significant amount of research. For example, a CEO may receive an email that appears to be from his CFO, who he knows is on vacation. The email may say something like, “About to board plane, urgent need to pay Vendor X or critical shipment will be delayed. Can you send a wire transfer of $2M to the following account number…”

The CEO knows the CFO is traveling. The CEO knows the vendor is legitimate. The writing style matches the CFO’s writing style. The email address looks correct. How did all this happen?

Scammers use multiple techniques, including social engineering, email spoofing, and content spoofing, to craft convincing whaling emails. They research the person they are impersonating, as well as the person they are trying to deceive, by exploring social media and other open sources of data. They may use a phishing attack as a preliminary stage, gaining access to a lower-level employee’s computer in order to leapfrog into HR records and see when key company players are scheduled for time off, or they may eavesdrop on specific email inboxes to learn personal details they can use to create a believable message. They may even engage in physical social engineering, such as by hanging out at a coffee shop known to be popular with a targeted company’s employees.

How to Recognize a Whaling Email

While companies have become much better at requiring security awareness training, C-level personnel are less likely to comply with such a program. That may be because they have gatekeepers who decide for them that they won’t need the training, because the training is inconvenient for them, or because the training designed for the average employee is not relevant to the needs of an executive.

And no matter how rigorous your anti-whaling efforts may be, there is always a chance that one whaling email will slip through your defenses. The only way to protect the enterprise from scams that land in an executive’s inbox is to harden the target by providing executives with security awareness training that is relevant to their positions.

Even if senior employees are already aware of the threat of business email compromise, they need to understand that whaling emails are far more sophisticated than phishing or spear phishing emails, and that even the most cautious person may be fooled. Teach them to look for:

  • Content: The first red flag is the nature of the request. If the request is for a wire transfer or the transfer of sensitive data, it requires a closer look.
  • Urgency: If the request is time-blocked and suggests that negative consequences will follow if the deadline is missed, consider it highly suspicious and subject it to a multi-step verification process, such as examination by the security team.
  • Domain: The domain should be an exact match for the corporate domain. Look for domains that substitute two “rn” for “m,” “vv” for “w,” etc.

Whaling Attack Targets

All this effort is worthwhile for scammers because the payoffs can be huge. Whaling victims that have made the news include a grain company that lost $17.2 million and a film company that lost $21 million. An airplane part manufacturer lost $54 million and fired its CEO of 17 years.

Other companies report the exfiltration of large amounts of sensitive data. A hard drive manufacturer sent income tax data for several employees and sensitive data belonging to thousands of others to a scammer. It was sued by its own employees. A social media company sent employee payroll information at the request of a scammer impersonating its CEO. Stolen information may be sold on the dark web or leveraged by nation-state actors for political purposes.

The average whaling attack does not yield such dramatic results, but the amounts sought by attackers are rising. The average wire transfer request increased from $48K to $75K in just the last three months of 2020. The industries most targeted by whaling overall in 2020 were financial institutions, webmail, and SaaS.

How to Avoid a Whaling Attack

Because a whaling attack is launched in the same way a phishing attack is launched, many of the same protections that are already in place will help protect an enterprise. These include:

  • Exposing spoofed addresses by stopping email from outside the network if the domain is suspicious – for example, if an email seemingly from Widget.com is actually from Vvidget.com.
  • Implementing data loss prevention (DLP) software that blocks emails in violation of company rules and flags emails based on the age of the domain vs. the age of the alleged sender’s domain, the inclusion of suspicious phrases like ‘wire transfer,’ or other attributes.
  • Setting up whaling prevention practices, such as by institutionalizing a rule that emailed requests for sensitive information or wire transfers over a certain amount must be verified by phone and a second person must sign off on such transactions.
  • Requiring employees to lock down their social media profiles to friends-only in order to prevent scammers from poring over them for useful details.
  • Delivering specialized security awareness training for executives, who have different vulnerabilities and needs than general users.
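The red flags listed under “How to Recognize a Whaling Email” (content, urgency, look-alike domain) and the mail-filtering controls above (suspicious or newly registered sender domains, flagged phrases such as ‘wire transfer,’ and a verification rule for large transfers) can be turned into a single screening pass over an inbound message. The script below is an added example and is not CrowdStrike’s code or product logic. It assumes a corporate domain of widget.com, a constructed domain-registration table in place of a real WHOIS/RDAP lookup, a 90-day “new domain” window and a $10,000 wire threshold as policy assumptions, and a sample message constructed from the article’s CFO-on-vacation scenario (the account number is a placeholder).

```python
"""Whaling-indicator screen for inbound executive mail (added example, not CrowdStrike code)."""
import re
from dataclasses import dataclass, field
from datetime import date
from email.utils import parseaddr

CORPORATE_DOMAIN = "widget.com"  # assumption: the organization's own mail domain

# Substitutions the article names (two "rn" for "m", "vv" for "w") plus two
# digit-for-letter swaps added here as an assumption.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

URGENCY_PHRASES = ["urgent", "immediately", "about to board", "before end of day", "will be delayed"]
SENSITIVE_PHRASES = ["wire transfer", "w-2", "payroll", "bank account", "account number"]

# Constructed registration dates; a real deployment would query WHOIS/RDAP.
DOMAIN_REGISTERED = {"widget.com": date(2001, 3, 14), "vvidget.com": date(2023, 10, 20)}
NEW_DOMAIN_DAYS = 90  # assumption: domains younger than this are treated as suspicious

AMOUNT_RE = re.compile(r"\$\s?(\d[\d,]*(?:\.\d+)?)\s*([kKmM])?\b")
MULTIPLIER = {"k": 1_000, "m": 1_000_000}


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    require_out_of_band_verification: bool = False

    @property
    def flagged(self) -> bool:
        return self.score >= 5


def normalize_domain(domain: str) -> str:
    """Collapse look-alike character sequences so vvidget.com reads as widget.com."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def is_lookalike(domain: str, corporate: str = CORPORATE_DOMAIN) -> bool:
    """True when the domain is not the corporate domain but normalizes to it."""
    domain = domain.lower()
    return domain != corporate and normalize_domain(domain) == normalize_domain(corporate)


def parse_amounts(text: str) -> list:
    """Return dollar amounts found in the text, expanding K/M suffixes ($2M -> 2000000)."""
    amounts = []
    for number, suffix in AMOUNT_RE.findall(text):
        value = float(number.replace(",", ""))
        if suffix:
            value *= MULTIPLIER[suffix.lower()]
        amounts.append(value)
    return amounts


def screen_email(headers: dict, body: str, today: date, wire_threshold: float = 10_000) -> Verdict:
    """Score one message against the article's red flags: domain, urgency, content."""
    v = Verdict()
    _display_name, addr = parseaddr(headers.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = (headers.get("Subject", "") + "\n" + body).lower()

    # Domain: an exact match is required; look-alikes and freshly registered domains score.
    if is_lookalike(sender_domain):
        v.score += 5
        v.reasons.append(f"look-alike sender domain {sender_domain} (resembles {CORPORATE_DOMAIN})")
    registered = DOMAIN_REGISTERED.get(sender_domain)
    if sender_domain != CORPORATE_DOMAIN and registered and (today - registered).days < NEW_DOMAIN_DAYS:
        v.score += 3
        v.reasons.append(f"sender domain registered {(today - registered).days} days ago")

    # Urgency: time pressure and threatened consequences.
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            v.score += 1
            v.reasons.append(f"urgency phrase: {phrase!r}")

    # Content: requests for money or sensitive data always need a second channel.
    for phrase in SENSITIVE_PHRASES:
        if phrase in text:
            v.score += 2
            v.require_out_of_band_verification = True
            v.reasons.append(f"sensitive request: {phrase!r}")

    # Wire amounts at or above the policy threshold need phone verification and a second signer.
    large = [a for a in parse_amounts(body) if a >= wire_threshold]
    if large:
        v.score += 2
        v.require_out_of_band_verification = True
        v.reasons.append(f"requested amount {max(large):,.0f} >= threshold {wire_threshold:,.0f}")
    return v


# Constructed message modelled on the article's CFO-on-vacation scenario.
SAMPLE_HEADERS = {"From": "Jane Doe <jane.doe@vvidget.com>", "Subject": "Urgent vendor payment"}
SAMPLE_BODY = ("About to board plane, urgent need to pay Vendor X or critical shipment will be delayed. "
               "Can you send a wire transfer of $2M to the following account number 000-000-000")

if __name__ == "__main__":
    verdict = screen_email(SAMPLE_HEADERS, SAMPLE_BODY, today=date(2023, 11, 2))
    print(f"score={verdict.score} flagged={verdict.flagged} "
          f"verify_out_of_band={verdict.require_out_of_band_verification}")
    for reason in verdict.reasons:
        print(" -", reason)
```

The domain check normalizes both the sender’s domain and the corporate domain before comparing, so “vvidget.com” is caught as a look-alike of “widget.com” while a genuinely different external domain is not. The `require_out_of_band_verification` flag is deliberately set by the content rule alone, independent of the score: the article’s policy is that any emailed request for sensitive data or a large wire transfer is confirmed by phone and countersigned, whether or not the message otherwise looks suspicious.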

Expert Tip

Users can’t prevent phishing attacks, but they can protect themselves and help slow the tide by reporting phishing emails when they recognize them. Do your part to be a good internet citizen. Report phishing to: phishing-report@us-cert.gov

GET TO KNOW THE AUTHOR

Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and has more than 20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management and product marketing roles.