Skip to main content

What is a Whaling Attack?

In today's age of digitalization, cybercrimes and cyber-attacks are frequently evolving and whaling is currently one of the major ones out there. Whaling is a cybercrime and a type of phishing attack that can cause financial as well as data losses to any company.

Whaling is a serious threat and can cause serious damage to an organization. With each passing day, phishing attackers are innovating their methods and their victim companies are paying heavily. Don't believe us? Ask Snapchat, an American social media giant who fell victim to a whaling attack in 2016. An HR representative in the organization sent over payroll data that revealed the personal information, financial status, and even stock options data of several employees to a whaling attacker. Barely a month later, a finance head at Mattel wired three million dollars to a Chinese bank after getting email instructions from "the new CEO".

These are not the only scams that have happened through whaling and nor are they the biggest ones. Whaling and phishing attacks cause companies all over the world tens of millions of dollars every year and in the worst-case scenario, the company can even lose its consumer confidence as a result of being so easily compromised, especially in the case of financial and security institutions.

In this article, we will discuss the concept of whaling in detail. We will learn what the actual process of whaling includes and how the scam works. Later we will talk about defensive measures that can be taken by companies to protect themselves against these threats. If you are an employee, a manager, a businessman, a director, or even a CEO, this article is a must-read. Because cybercrimes are a threat to all levels of the workforce in all industries and organizations.

What does Whaling Attack Mean?

Whaling is a specialized type of "Phishing attack". A Phishing attack is a cyber security attack that tries to trick its targets into disclosing sensitive and valuable information such as users' login credentials, credit cards or bank account information, company data, and anything that could potentially be of value.

Whaling Attacks are also called CEO fraud because, in a whaling attack, the target for the phishing attack is a senior player or an important figure of an organization. These targets can be directors, CEOs, CFOs or Finance managers, etc. The purpose is to target "big fishes" (hence calling them whales) and steal money or sensitive information by gaining access to their computer systems for criminal purposes. It relies on the cyber-criminal pretending to be a senior member of the organization to gain the trust of the intended targets. Using the email or phone numbers of such notable names adds a degree of social engineering to the mix, as employees are hesitant to decline a request from someone senior or influential. Once trust is gained, the attacker can try to access sensitive areas of the network, passwords, or other user account information.

How do Whaling Attacks work?

Whaling attacks are carried out in a way very similar to phishing, but in these attacks, the attacker needs to be a lot more prepared. In other words, whaling attacks demand a lot more planning and research than standard phishing attacks. This is because, to impersonate a high-value individual, the attacker needs to take time to learn about his target and how to act, sound, and behave like him. They need all the information they can get so that they know exactly how to approach a victim impersonating as the target, and figure out what kinds of information they can extract from him. This research is mostly done through social media and public profiles of the target individual. This is why it is really important to put privacy restrictions on your social media accounts.

After collecting sufficient information, the hacker can either make an email address similar to that of the target. Or they can look for a way into the company network to access the target's email account. They can use different malware and tools to infiltrate the network. Using the target's own email is better because an email coming from the CEO's account would be much more effective and believable than from a fake account. The research also helps the attacker construct the email with much better and relevant details to make it sound more genuine as if it is coming from a trusted source.

The Emails can be of different kinds, some may simply ask the victim for a simple single request like sharing a document or a password. Others can include links or attachments that can infect the victim's system with malware.

The attacker might not ask for the action directly. To gain the trust of the victim, the whaler may first talk to them about something the target and the victim may have in common. For example, the whaler may find pictures of an office party on social media and message the victim, "Hey Tim, how did you enjoy the office party week?", or "Hello Tim, I had a great time at the party last week, hope you had fun", etc. Such emails help the attacker persuade the victim that he is an authentic and trustworthy party the victim is familiar with. After which he can ask the victim for information such as, "Hey can you send me the payroll for last month real quick, I'm on my way to a meeting" or, "Hey, please send me my account credentials, I forgot my password" etc.

The whole process of Whaling can usually take much more time than a normal phishing attack. The longer the attacker interacts with the victim, the better he can establish genuine trust between them. Attacking too quickly can lead to suspicion from the victim, but if the attacker takes his time and makes the victim trust him, he may be able to extract any sensitive information with ease.

What is Whaling in Cyber Security?

Cyber security is described of the practice that entails defending the data of computers systems, servers, mobile devices, networks, and other digital or electronic devices from malicious attacks. It's also referred to as electronic information or IT security. In today's world, where everything seems to be connected to the internet one way or another, cybersecurity is getting more and more important. It defends the organization against all online threats and protects all categories of data from theft and damage.

Phishing and Whaling Diffrence

Figure 1. Phishing and Whaling Diffrence

In the terms of cyber security, Whaling is a highly specific and targeted phishing attack. It is aimed at high profile individuals of a company, who impersonate the individual to create a fake email that can pass as a legitimate email and email victims to extract money, data, or sensitive information. Whaling is a digital fraud through social engineering, which targets victims to achieve a secondary action, such as initiating a wire transfer of funds or extracting sensitive information.

How to Prevent Whale Attacks?

Whaling attacks are simple in nature but very dangerous. They can cause the company a lot of damage to their privacy, finances, and even their reputation. Since whaling attacks are getting better and more innovative day by day, it is increasingly important for companies to stay alert and take measures to ensure that they don't fall prey to such scams. Here are a few tips to save yourself from whaling attacks.

  • Use Multi-step authentication for an email to avoid accounts becoming compromised. Establish a verification process for transferring funds, such as face-to-face meeting verification or verification through calls or video calls etc.
  • Educate the high-profile professionals and executives of the company to use caution when posting on social media and use privacy restrictions to protect their information.
  • Utilize an email filtering system. Anti-whaling software or security companies can also provide services to flag inbound emails sent from suspicious or external sources. Anti-whaling software often checks the IP addresses of the Email sources and analyses the links or attachments in an email for potentially harmful files.
  • Educate yourself as well as other employees about the threats of phishing, whaling and other cyberattacks. The more the employees are aware of such threats, the less likely will the chances be of an enterprise falling victim to a whaling attack. The company should educate them as well as use mock whaling attacks against employees to teach them how easy it is to be tricked.

What are the Methods of Protection from Whale Attack?

Organizations can take a number of measures that can help lower, if not completely remove the chances of whaling attacks. They can follow the best practices used for online cyber security as well as harden their own defenses and educate potential whaling targets by implementing some whaling-specific best practices as well.

Details of some key defensive measures a company can employ, as discussed above, are as follows:

1. Multi-Step Verification

When it comes to internet scams, two heads are always better than one. Multistep verification means having multiple people handle various steps of a process. Companies can proceed to establish a thorough multi-step verification process for internal and external requests for sensitive data or wire transfers. For example, a company can have one person prepare payment documents, another person approves them, and a third finalize and discharge the payment. Not only will this help get a second opinion on the transaction but also provide multiple layers of authentication which would be much harder to break through.

Another layer of protection can be having a compulsory face-to-face meeting or a phone call when handling sensitive data or large transactions, instead of simply carrying it out electronically.

Cybercriminals are now much smarter and a lot more sophisticated in their plans, and many choose to attack their targets when they are most vulnerable or unalert, for example, it can be during some business traveling or during a weekend or a long tiring day at the office. Hence verification of any urgent emails requesting significant actions should always be verified by senior management. Hence, the company should encourage its employees on all levels to verify the authenticity of suspicious requests. They can verify such requests through secondary communication channels like calling the sender in person or sending them a text to confirm the request.

2. Social Media Education

Another way companies can protect their employees against whaling schemes is by educating them on the use of personal social media. As we have already explained, attackers can use social media as a treasure chest of personal information of the target. Hence, high profile individuals, who are more likely to be targeted in whaling attacks should enable privacy restrictions on their social media accounts. This can reduce the risk of information exposure that can later be used for impersonation and social engineering scams.

Information shared on social media platforms that might include hobbies, holidays, birthdays, job titles, promotions and relationships can all be used by cybercriminals to develop more complex and personalized cyber attacks.

The company can remind executives that during high-publicity events, such as major industry conferences or company events, or even in their daily routine, they should be wary of posting information on public social media accounts. They should keep their accounts private, and avoid posting every detail of their personal and professional life on platforms like Facebook, Instagram, LinkedIn, Twitter, etc. Keeping profiles private helps limit an attacker's ability to find compromising data and use it as leverage.

3. Anti-phishing Tools and Organizations

Companies can employ various tools and services that help defend against phishing attacks. Anti-phishing tools can flag all emails that come from outside of the organization which can help highlight potential scam emails. Whaling often depends on miscreants deceiving key staff and corporations into believing messages are within the organization, such as a C level executive request to transfer money to an account. Highlighting outside emails makes it easier to detect attacker emails that look legitimate on the surface and flagging such emails can warn users that the attacker is not who they claim to be.

Anti-phishing companies also provide services such as URL screening and link validation is also helpful in defending the company's data from phishing attacks. Anti-phishing software intercepts and scans any suspicious or harmful links or possible malware attachments. Such programs block any .exe files and also get rid of any malicious or unwanted spam emails by filtering them into a separate folder.

4. Employee Awareness

An extremely important step in anti-whaling defense for any company is educating its employees about whaling attacks and how to identify and handle such phishing emails.

Key individuals and executives having a high profile are much more susceptible to whaling attacks. Therefore, the company can start by educating them and ensuring they have a suspicious and skeptical mindset when it comes to unusual or unsolicited emails or messages. They should employ a healthy level of caution especially when it relates to highly sensitive data or financial transactions. It's also wise to educate employees in sensitive positions like IT and accounting, who have access to a lot of the company's confidential and sensitive data.

A great initiative can be implementing a phishing awareness training program, that specifically targets senior management and public-facing employees about the whaling emails they could receive. A multi-faceted phishing awareness program will teach key principles to prevent whaling attacks and employees will be trained on how to look out for tell-tale signs of an attack such as fake emails addresses and names.

Employee awareness and caution are perhaps the biggest defense against whaling and phishing attacks. If the employee hasn't specifically requested info about a sensitive file, they should take extra care when responding to an email that mentions that file. Anything that requires urgent and significant actions should be first verified by a third party such as your manager. The employee can hover a mouse pointer over the sender's name to see the real email address. In a web-based email, click the "more information" or "show details" to see the sender's details and email address. The company can carry out mock whaling exercises to test the staff's knowledge and ability in dealing with threats which will allow employees to safely put those skills to the test.

Example of Snapchat Whaling Attack

Let's take a real-world example of a whaling attack that will help us understand the whole process better. Here we will take the example of Snapchat and the two whaling/phishing attacks it fell victim to.

Snapchat is an American instant messaging services giant developed by Snap Inc. Snapchat is a messaging app that lets users exchange pictures and videos on "snaps" that disappear after they're viewed. It's meant as a "new type of camera" as it essentially functions to take pictures or videos, add filters, other effects and share them with friends. Since its release in 2011, Snapchat has gained immense popularity and has currently more than 306 million daily users.

In the February of 2016, an employee from the payroll department of a company emailed personal and fairly sensitive information of about 700 current and past employees to someone who claimed to be Chief Executive Officer, "Evan Spiegel".

This data included employees' tax data, names, Social Security numbers, wages, stock-option gains, and benefits.

Just fifteen minutes after sending the email, the employee realized that the scam email, which appeared to have been sent from the CEO's email address, wasn't legitimate. The employee sent a follow-up email to Spiegel, who said he did not send the email and did not recognize the one received by the employee.

The FBI was also quickly involved in the incident's investigation. The then-current employees were quickly notified and former employees were also made aware of the situation in a couple of days.

Snapchat later made an official notice of the incident and issued a public apology. Snapchat admitted that employee details were accidentally sent to a scammer after a staff member fell for a phishing email. According to an official letter from Snapchat:

Snapchat basically acknowledged that privacy and security are a priority. They also mentioned that they are at a loss and are clearly embarrassed that one of their staff members was duped into becoming a ploy for a phishing attack which led to the release of payroll and employee information. The letter also continued to highlight that Snapchat servers had not been affected and that their user data was safe from the incident. The bad news that was mentioned in the letter was that several Snapchat employees have now had their identity compromised. And for that, the company as a whole was deeply sorry.

Snapchat also continued to add that the company will redouble its already rigorous training programs around privacy and security in the future. The good news, in this case, was that none of their internal systems was breached, and no user information was accessed.

Another incident of phishing occurred on Snapchat in 2017. Towards the end of July 2017, a digital criminal launched a massive phishing attack on Snapchat and deceived more than 55,000 users to voluntarily give up their account usernames and passwords.

The attacker sent the users a link that directs them to a mobile site, designed to replicate the Snapchat login screen. As soon as the users entered their login IDs and passwords on the fake site, these credentials were saved and sent to the attacker.

The company learned of the data breach when a U.K. government official notified Snapchat, that the attack resulted in a publicly available list of thousands of users' credentials, including their login information and passwords on the phishing website

Later on, Snapchat observed that a single device had logged into thousands of accounts and marked it as suspicious, but it was too late since the accounts were already compromised.

Since the attack, Snapchat has encouraged its users to use strong passwords and wants them to enable login verification. This breach of more than fifty-five thousand user credentials was a fairly small chunk of Snapchat's 187 million global users. Nevertheless, it was a significant hit to the company's user security confidence.

Concluding words

Whaling and overall phishing attacks are constantly evolving threats that all organizations face. They can cause a lot of damage to the companies' privacy and reputation as well as massive financial losses. Hence organizations need to keep themselves up to date with protective strategies and teach their employees about these threats. With proper training and preventive measures, we can minimize the chances of falling victim to phishing attacks.