Whaling Attacks: What They Are & How to Prevent Them

In many ways, whaling attacks are the same as spear-phishing attacks. The biggest difference is that they are aimed at the most influential people in a company, which is where the name comes from. Cybercriminals use them either to target executives directly or to impersonate those executives when approaching other employees.

While a generic phishing campaign targets anyone who will bite, a whaling attack is built to land a “big fish”. Attackers single out senior figures such as chief executives because their authority unlocks money, sensitive information, and other high-value objectives. Using social engineering, the attackers persuade these high-level employees, or the staff who act on their instructions, to hand over personal information or financial data.

What Is a Whaling Attack?

Unlike a typical phishing or spear-phishing attack, a whaling attack generally requires far more preparation. The goal is to impersonate a specific person convincingly in order to get information or money, so the attacker must first learn who that person is, how they write, what their habits are, and other key details.

To carry out the attack, the attacker must decide on the right way to approach the target and exactly what information or action they are after. Then they must make the approach without drawing suspicion.

Normally, an attacker will mine social media sites and other publicly available information to plan the scheme. They may also use rootkits or other malware, or stolen credentials, to get into the network so they can send mail from the executive’s real mailbox; a message that genuinely originates from the target’s account passes every sender check. Access to the network also yields internal details such as vendor names and who approves payments, which make the attack seem genuine.

When comparing whaling with phishing, the delivery method is the same: by one estimate, 98% of phishing and whaling attacks arrive by email. What differs is the payload. Instead of the malware attachments and links typical of phishing emails, a whaling email usually makes a plausible business request, which is far less likely to trip a filter or raise suspicion.

Attackers pursue a range of goals. In 2015, Ubiquiti Networks disclosed that it had transferred $46.7 million to fake vendors after a finance employee received a fake email purporting to come from the CEO. The company initially recovered $8.1 million of its losses and was still pursuing the remainder.

In the Mattel attack in 2015, a finance executive was tricked into sending a $3 million payment to a bank account in China. Fortunately, the money was recovered only a couple of days later. Accounts in China have served as the cash-out point in many of these schemes.

Snapchat was also targeted in 2016. An employee handed Snapchat’s payroll information to a scammer after receiving a forged email that appeared to come from the CEO. Because payroll and human resources (HR) teams hold sensitive personal data, they are common targets of whaling attacks.

A final example comes from the Scoular Company. The grain trader lost $17.2 million to offshore accounts after attackers posing as the CEO claimed the company was quietly acquiring a Chinese firm; they convinced the corporate controller with supporting details such as forged emails from Scoular’s accounting firm.

In every one of these cases, the victim received email from someone claiming to be an authority figure and carried out the instruction without questioning it or confirming it through another channel. The result was a significant financial loss for each company.

What’s the Difference Between Whaling vs Phishing?

An estimated 1 in 131 emails contains some form of malware, and 76% of businesses report having been the victim of a phishing attack.

Phishing is an attack in which scammers send out lures to hook ordinary users and rank-and-file employees. The lures are designed to harvest financial data, passwords, and personal information: a realistic-looking email carries a malware attachment or a link to a spoofed site built to steal whatever the victim types in.

Phishing once targeted individuals almost exclusively, but it is now aimed at businesses as well. A successful phish can give attackers network access to the targeted company and a foothold from which to launch ransomware. Common pretexts include fake purchase orders, email delivery failures, shipping notices, and notices supposedly from the company’s IT department.

A spear-phishing attack is more targeted. Where phishing relies on mass mailings with very little research, spear-phishers study the company’s social media, website, and other industry sources, then use what they learn to personalize the email for the intended recipient.

A whaling attack, on the other hand, is essentially a spear-phishing attack that focuses on the “whales” of a company. Instead of any employee, it targets chief executives and other senior leaders with influence over major business decisions, or impersonates them to the staff who handle money and records. Typical schemes include tax fraud: requesting employee W-2 forms, then using the data to file fake tax returns for fraudulent refunds.

Because whaling attacks are highly targeted at businesses, they are a bigger problem for your company than generic phishing. A whaling email is far more likely to look real, and a single success can mean millions of dollars in losses.

How to Prevent Whaling Attacks

Whaling attacks can cost a company millions of dollars in a single incident, and billions in aggregate across businesses. To avoid these losses, it is important to learn how to prevent them. A few key steps make these attacks much less likely to succeed at your company.

Prevention starts with educating employees on how to spot these attacks. Teach team members to recognize phishing emails and to question whether a message really is what it claims to be. Staff and executives alike must think with security in mind and feel free to challenge suspicious emails, including ones that appear to come from the top.

For example, a trained employee checks the actual sender address and the Reply-To address, not just the display name, when something seems off. If an email makes an urgent or unusual request, employees should be trained to confirm it by phone, using a number from the company directory rather than one supplied in the email.

You can help your employees by configuring your mail system to flag messages that originate outside the company, for example by tagging the subject line or adding a banner. That way an employee can instantly tell that an email claiming to be from the CEO actually came from an external sender.

To stay protected, your company needs data security and protection policies in place. Your IT department should monitor email and file activity for suspicious behaviour, and you should deploy layered defences, such as email filtering and endpoint protection, so that no single control has to catch every phishing or whaling attempt.

Employees and the executive team should also be trained on social media best practices. Platforms like Facebook, Instagram, Twitter, and LinkedIn are the main places cybercriminals gather the details they later use in a whaling attack, such as travel plans, reporting lines, and vendor relationships. Executives in particular should restrict the privacy settings on their accounts so that attackers cannot harvest material for a social engineering attack.

Finally, your company needs a multi-step verification process. Whenever sensitive data or money is to be transferred, internally or externally, a fixed procedure should verify the legitimacy of the request before it is completed, for example dual approval plus a callback to a known number. An email on its own should never be enough to authorize a payment.

You can spot an attack by looking for the following signs.

  • Spoofed email addresses: The sender address is usually a subtly altered version of the real one. Something as unnoticeable as ceo@example.com becoming ce0@example.com, with a zero in place of the letter O, or a lookalike domain such as exarnple.com, with “rn” in place of “m”. Exact copies of your own domain in the From header can be blocked by enforcing DMARC, but lookalike domains are legitimately registered and pass through, so the human check still matters.
  • Requests for information or money: Any request for money or sensitive information should trigger a call to the requester on a known number, never one taken from the email, to confirm the request is genuine.
  • Urgent tones: Attackers want an immediate response without any research because they know the request will not withstand scrutiny, so whaling messages often carry an urgent or threatening tone, and frequently insist the matter is confidential so the recipient will not consult colleagues.
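To make the checks above concrete (the external-sender flag, the Reply-To comparison, the lookalike address in the first bullet and the urgency wording in the third), here is an added example in Python. It is not part of the original article or any Makios product. It assumes a company domain of example.com, a one-entry executive directory, and three constructed sample messages; a real deployment would hook the same logic into the mail filter and use the real directory.

```python
"""Heuristic screen for executive-impersonation (whaling) email.
Added example for this article, not the author's code or any product's.
ORG_DOMAIN, EXECUTIVES and SAMPLES are constructed assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                    # assumption: the company's own mail domain
EXECUTIVES = {"ceo@example.com": "Jane Doe"}  # assumption: directory of executive addresses
URGENT = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|today|confidential)\b", re.I)
REQUEST = re.compile(r"\b(wire|transfer|payment|invoice|gift cards?|payroll|w-?2s?|bank details)\b", re.I)
HIGH_RISK = {"lookalike_domain", "lookalike_address", "display_name_impersonation", "reply_to_mismatch"}


def normalize(s):
    """Collapse common lookalike substitutions: 0/o, 1/l, rn/m, vv/w."""
    s = s.lower().replace("rn", "m").replace("vv", "w")
    return s.translate(str.maketrans("01", "ol"))


def edit_distance(a, b):
    """Levenshtein distance; catches a single dropped or swapped character in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(candidate, real, allow_one_edit=False):
    """True when candidate is not the real string but would pass a quick glance as it."""
    if candidate == real:
        return False
    if normalize(candidate) == normalize(real):
        return True
    return allow_one_edit and edit_distance(candidate, real) == 1


def screen(raw):
    """Return (findings, verdict) for one single-part RFC 822 message given as a string."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    text = msg.get("Subject", "") + " " + msg.get_payload()

    findings = set()
    if from_domain != ORG_DOMAIN:
        findings.add("external_sender")            # the condition an [EXTERNAL] banner keys on
        if looks_like(from_domain, ORG_DOMAIN, allow_one_edit=True):
            findings.add("lookalike_domain")
    for exec_addr, exec_name in EXECUTIVES.items():
        if looks_like(from_addr, exec_addr):       # e.g. ce0@ in place of ceo@
            findings.add("lookalike_address")
        if from_name.strip().lower() == exec_name.lower() and from_addr != exec_addr:
            findings.add("display_name_impersonation")
    if reply_addr and reply_addr != from_addr:
        findings.add("reply_to_mismatch")          # replies would go somewhere other than the apparent sender
    if URGENT.search(text):
        findings.add("urgent_language")
    if REQUEST.search(text):
        findings.add("money_or_data_request")

    if findings & HIGH_RISK or "money_or_data_request" in findings:
        verdict = "hold_and_verify"                # phone the requester on a directory number, never one from the mail
    elif "external_sender" in findings:
        verdict = "deliver_with_external_banner"
    else:
        verdict = "deliver"
    return findings, verdict


# Constructed sample messages, not real mail; .invalid is a reserved TLD.
SAMPLES = {
    "lookalike_domain": (
        "From: Jane Doe <ceo@exarnple.com>\n"
        "Subject: Urgent wire transfer - confidential\n\n"
        "I am closing an acquisition today and need a wire sent before noon. Keep this between us.\n"
    ),
    "spoofed_from_with_reply_to": (
        "From: Jane Doe <ceo@example.com>\n"
        "Reply-To: jane.doe.ceo@freemail.invalid\n"
        "Subject: W-2 forms\n\n"
        "Please send me all employee W-2s as PDFs asap.\n"
    ),
    "genuine": (
        "From: Jane Doe <ceo@example.com>\n"
        "Subject: Board deck\n\n"
        "Can you send me the Q3 deck when you have a minute?\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        findings, verdict = screen(raw)
        print(f"{label}: {verdict} {sorted(findings)}")
```

The `hold_and_verify` verdict is the multi-step verification step in practice: the message is held and the recipient confirms by phone on a directory number. Note that the second sample has a genuine-looking From header and is caught only by the Reply-To mismatch and the request wording, and a message sent from a truly compromised executive mailbox with neutral wording would trip only the request check, which is why any request for money or data forces a callback on its own.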

Your Company Can Combat Whaling Attacks

While whaling attacks are costly, you don’t have to become a victim. By learning how to spot and prevent whaling attacks, your company can avoid financial losses. A reliable cybersecurity team can help you prevent whaling attacks and other security issues.

Learn more about how Makios Technology protects its clients! Get information about our managed cybersecurity services, or complete our contact form with any questions!