Whaling is a common cyber attack that occurs when an attacker utilizes spear phishing methods to go after a large, high-profile target, such as the c-suite. Malicious actors know that executives and high-level employees (like public spokespersons) can be savvy to the usual roster of spam tactics; they may have received extensive security awareness training because of their public profile, and the security team may have more stringent policies and heftier tools in place to protect them. This leads attackers who try to phish these targets to look beyond the same old tried-and-true tactics to more sophisticated, targeted methods.
Like all phishing attacks, a successful whaling attempt against a high-profile target still relies on compelling the target, usually under the guise of some urgency. Desired outcomes may include coercing the recipient to take an unwanted action and trigger a wire transfer, for example, or to click on a link or open an attachment that installs malware or sends the target to a malicious website impersonating one that's legitimate. The goal: capture sensitive information, like credentials, that give the attacker a master key to a company's intellectual property, customer data, or other information that could be lucrative if sold on black markets.
As a result of the increasing awareness around typical phishing tactics, adversaries are adjusting their approaches by narrowing the scope and tailoring their fraudulent messages with details to convince the email recipient of their veracity and compel them to act. This more focused approach to phishing is commonly called spear phishing. When an attacker decides to spear phish a big, high-profile target, that’s when it becomes whaling.
Common whaling targets, like media spokespersons or C-level executives, by nature have more information about them publicly available for attackers to gather and exploit. Due to their seniority, they may also have greater internal data access than the average employee: More confidential information is available to them via their internal credentials, and in some cases, they might even have some level of administrative privilege. While the pool of potential targets for whaling at one organization might be quite small compared to the overall employee roster, the stakes are much higher.
At their core, the common thread in examples of past successful whaling campaigns aren't too dissimilar from successful phishing campaigns: The messages are seemingly so urgent, so potentially disastrous that the recipient feels compelled to act quickly, putting normal security hygiene practices by the wayside. Scammers writing successful whaling emails know their audience won't be compelled by just a deadline reminder or a stern email from a superior; instead, they’ll prey upon other fears, such as legal action or being the subject of reputational harm.
In one example of a whaling attempt, a number of executives across industries fell for an attack laced with accurate details about them and their businesses, that purported to be from a United States District Court with a subpoena to appear before a grand jury in a civil case. The email included a link to the subpoena, and when recipients clicked the link to view it they were infected with malware instead.
For executives and other likely targets of whaling, the standard advice for prevention and protection from phishing still applies: beware of clicking links or attachments in emails, as phishing attacks of any kind still require the victim to take action to be successful.
Organizations can harden their own defenses and educate potential whaling targets by implementing some whaling-specific best practices as well.
First, be cognizant of the kind of information public-facing employees are sharing about executives. Details that can be easily found online via sites like social media, from birthdays and hometowns to favorite hobbies or sports, can help whaling emails seem more legitimate. Major public events can also lend whaling emails the guise of legitimacy. Remind executives or spokespersons that during these high-publicity times, such as a major industry conference or company event, they'll be in a spotlight in more ways than one, and to be especially wary of their inbox.
Next, foster an organizational email culture of "trust but verify." Encourage employees of all levels to verify the veracity of urgent, unexpected messages through another communication channel—like talking to the sender in person, or calling or texting them—and have executives and senior management lead by example.
Most importantly, implement a phishing awareness training program, with content specifically targeted for senior management and public-facing employees about the whaling emails they could receive. A multi-faceted phishing awareness program will not only teach key principles to prevent whaling attacks, but they'll safely allow employees to put those skills to the test. It's a good idea to run simulated whaling attacks from time to time to keep employee skills sharp at spotting potential phishing campaigns, all within the safety of a training tool environment, with an emphasis on learning, especially from failures.