Whaling is a type of cyber attack that specifically targets high-ranking executives or important individuals within an organisation. It is a form of spear phishing that is designed to steal sensitive information or gain unauthorised access to corporate networks. In this blog, we will discuss what whaling is, how it works, and what employees can do to protect themselves and their organisations from this type of cyber attack.
What is Whaling?
Whaling, also known as CEO fraud or business email compromise, is a targeted attack that uses social engineering techniques to deceive high-level executives into giving away sensitive information or making unauthorised transactions. Whaling attacks are usually carried out through email, where cybercriminals create emails that impersonate a trusted source such as a CEO or CFO. The emails often contain urgent requests for wire transfers or instructions that require immediate action, such as transferring funds or sharing sensitive data.
How Does Whaling Work?
Whaling attacks are highly targeted and require a lot of research on the part of the hackers. They often use publicly available information, such as social media profiles, to gather information about their targets. They may also use phishing emails to gather login credentials or other sensitive information that can be used to gain access to corporate networks.
Once the hackers have gathered enough information, they will create a convincing email that looks like it is coming from the CEO or other high-level executive. The email will often contain urgent requests or instructions that require immediate action, such as transferring funds or sharing sensitive data. The email will typically include a sense of urgency, such as a request for confidentiality or a deadline, to pressure the recipient into complying with the request.
Why is Whaling Effective?
Whaling is an effective cyber attack technique for several reasons. Here are some key factors that contribute to its effectiveness:
- Targeting high-value individuals: Whaling specifically targets high-ranking executives or individuals with access to sensitive information and financial resources within an organisation. These individuals often have the authority to approve financial transactions or access confidential data, making them attractive targets for cybercriminals. By focusing on individuals with such privileges, attackers increase their chances of successfully breaching the organisation’s security defences.
- Social engineering techniques: Whaling attacks employ sophisticated social engineering techniques to deceive their targets. Attackers invest time and effort in gathering detailed information about their victims, such as their roles, responsibilities, and personal preferences. They may study social media profiles, corporate websites, or news articles to create personalized and convincing phishing emails. By tailoring their messages to appear legitimate and urgent, attackers can manipulate the target’s emotions and decision-making processes, increasing the likelihood of successful exploitation.
- Exploiting trust and authority: Whaling attacks rely on exploiting the trust and authority associated with high-level executives. When an email appears to come from a CEO, CFO, or another top-ranking official, recipients tend to assume the message is legitimate and comply with the requested actions. The perceived authority and urgency in these emails can override normal skepticism, leading individuals to act quickly without thoroughly verifying the authenticity of the communication.
- Limited exposure and scrutiny: Whaling attacks are typically highly targeted, focusing on a select few individuals within an organisation. Unlike mass phishing campaigns, which cast a wider net and may be flagged by spam filters, whaling attacks are designed to fly under the radar. The limited number of targets reduces the chances of detection and increases the probability of success. Additionally, high-level executives may receive fewer security awareness training sessions compared to other employees, making them more vulnerable to such attacks.
- Financial impact and potential for large-scale damage: Whaling attacks often aim to extract substantial financial gains or sensitive corporate information. Successful attacks can result in significant financial losses for organisations, damage their reputation, and compromise their competitive advantage. By targeting executives with financial decision-making authority, attackers can exploit their access to funds and resources, potentially leading to substantial financial harm.
To mitigate the effectiveness of whaling attacks, organisations should focus on comprehensive security measures. This includes implementing robust email security protocols, conducting regular employee training on identifying and reporting phishing attempts, and maintaining a culture of skepticism and verification when dealing with sensitive requests. By combining technological safeguards with employee awareness and best practices, organizations can significantly reduce the risk of falling victim to whaling attacks.
Examples of Whaling Attacks
There have been several high-case examples of real-life attacks that inflicted significant harm on corporations:
In February 2016, Snapchat experienced a whaling phishing attack. An individual posing as CEO Evan Spiegel sent an email to an HR employee, requesting payroll data for both current and former employees, including stock options and W-2s.
- Ubiquiti Networks
In 2015, Ubiquiti Networks fell victim to a sophisticated CEO scam. Fraudsters successfully convinced the finance department of one of its Hong Kong-based subsidiaries to transfer $46.7 million to unrelated overseas accounts. Although the company managed to recover $14.9 million, the damage to its reputation was irreversible.
In 2008, the FBI subpoena whaling campaign emerged as one of the earliest documented instances of whaling attacks. Approximately 20,000 CEOs were targeted, with 2,000 falling victim to the scam by clicking on a malicious link. The link was disguised as a secure browser add-on but instead installed a keylogger, capturing their credentials and passwords.
Another notable attack that shook the corporate world occurred in 2016, targeting FACC, an Austrian aerospace manufacturer renowned for its production of parts for Airbus and Boeing. This incident involved classic CEO impersonation, resulting in the transfer of $55.8 million to undisclosed overseas accounts. Several employees, including the CEO and CFO, were subsequently terminated.
- Levitas Capital
Levitas Capital, an Australian hedge fund, fell victim to an extensive whaling attack facilitated through a malicious Zoom link. Despite recovering most of the funds, the company decided to cease operations due to the severe damage to its reputation.
What Can Employees Do to Protect Themselves From Whaling?
As with any type of phishing attack, the best way to protect yourself from whaling is to be aware of the threat and to be vigilant when it comes to emails that ask for sensitive information or require immediate action. Here are some tips that employees can use to protect themselves from whaling attacks:
- Verify requests: If you receive an email that requests sensitive information or asks you to take urgent action, always verify the request with the supposed sender using a different method of communication, such as a phone call or in-person conversation.
- Be cautious with links and attachments: Do not click on links or open attachments in emails that you are not expecting or that come from unfamiliar sources. Even if the email looks legitimate, it could be a phishing attempt which installs malware.
- Check email addresses: Look closely at the email address of the sender. Whaling attacks often use email addresses that are similar to the real email address of the sender, but with slight variations, such as adding an extra letter or number.
- Use two-factor authentication: Two-factor authentication can help prevent unauthorised access to corporate networks by requiring a second form of authentication, such as a code sent to your phone, in addition to your password.
- Stay informed: Stay up-to-date on the latest phishing tactics and scams. This can help you recognise and avoid phishing attempts, including whaling attacks.
Whaling emails are a serious threat that can result in significant financial losses and damage to an organisation’s reputation. By being aware of the threat and taking steps to protect themselves, employees can help prevent whaling attacks and keep their organisations safe. Remember to always be cautious with emails that request sensitive information or require immediate action, and to verify requests with the supposed sender using a different method of communication. Stay informed and stay safe!