What is a Whaling Attack? Whaling Protection Tips
- By Alison OLeary
- Published: Apr 22, 2022
- Last Updated: Nov 23, 2023
A whaling cyber-attack is a phishing attack designed to steal data and access a company's computer system. The FBI reports that these types of targeted attacks cost businesses almost $2.5 billion in a recent year after more than 320,000 attempted attacks. Companies lost an average of nearly $100,000.
Whaling is among at least ten ways social engineering can be used for nefarious purposes. Social engineering attacks are designed to persuade individuals within a company to provide access to sensitive data. These approaches work because:
- The appeal includes a sense of urgency that encourages a person or employee of a company to act. If this happens before they consider all of the implications of giving access to a database or other infrastructure, a breach is likely.
- These approaches purposely evoke emotions like a desire to get promoted or noticed by one's supervisor, greed, or fear.
- The scammers seeking access through social engineering attacks may pose as a leader of a partner company. Such a request for immediate access to a database can intimidate employees into divulging information such as passwords.
What is a Whaling Attack?
What type of phishing attack is whaling? In general, phishing attacks are broad, attempting to trap anyone who opens the email. By contrast, whaling attacks are specific and aim at one high-profile individual within a target company. If successful, a whaling attack can result in a significant payday.
Phishing attacks seek information that will lead to financial gain for the scammer. They usually involve sending urgent-sounding emails requesting immediate help with an emergency. Employees who receive the emails may not stop to consider whether the request is a scam.
There are many ways that scammers disguise a phishing attack, including:
- By using spoofed email addresses, they may appear to be a supervisor or principal of the company.
- Elaborate attacks may spoof the company's website. By asking employees to click on a link to test a new informational page, they may capture log-in information that provides access to sensitive data and accounts.
- Spoofing a partner company's email, logo, or website, the scammer may request that shared data or account information be transferred.
- They may sound more believable by incorporating information posted on personal social media accounts, like the names of friends and coworkers.
- Researching information about the company and the individual, scammers may replicate the tone and content of important emails to evade suspicion.
Whaling attacks are specifically aimed at a particular high-level individual within a company. Successful whaling attacks are carefully crafted to take advantage of a person's position. The most successful whaling attempts capitalize on a specific day and time of day when work is hectic.
Scammers hope that their messages arrive at peak times when individuals take little time to examine them for authenticity. Examples of whaling attacks include:
- An immediate, urgent request to transfer funds to pay an overlooked invoice that's due immediately.
- An email asking for access to sensitive information because another employee has called out sick.
- A request for review that includes a link. If the executive clicks on the link rather than verifying the email's origins, malware may be launched on the company's network, potentially allowing hackers to steal funds or data.
- A request using a spoofed email that appears to belong to a colleague. This may seek quick access to an account of proprietary data or funding for an ongoing project.
How Does It Work?
One of the most important elements of a successful whaling attack is timing. If an executive can be reached during a busy period and the email appears to be authentic, it's more likely to be acted upon than scrutinized.
The appearance of any phishing email is critical: if the language is not fluent, the appearance is unprofessional, or the message is anything but direct and urgent, it's unlikely to work.
Successful whaling and phishing emails must enact their scheme in one quick click. That single action captures log-in credentials, launches malware, or lets the scammer accept and quickly hide a transfer of funds or information.
Examples of Whaling Attacks
Top-level executives have been caught in whaling schemes around the world. One Australian hedge fund collapsed after an executive was successfully targeted by a whaling scheme. The tripwire was a Zoom link that allowed scammers to pull about $800,000 from the firm's accounts, but they had aimed for $8.7 million. The damage was more than financial, as the company lost customers after news of the breach became public, so it closed.
American toy maker Mattel was targeted during a period when it was expanding into the Chinese market, and a new executive was settling into his role. Another top-level principal responded to an email request for a $3 million payment to a bank in China and released the funds. When the executive mentioned the transaction to the new executive, an investigation started. Fortunately, the following day was a bank holiday in China, so local authorities froze the account and recovered the money.
Ways to Protect Yourself
Company IT staff should take the lead in preventing all types of phishing attacks. The best approach to avoiding phishing attacks is multi-dimensional, including:
- Add anti-phishing software to company servers. This detects phishing emails by examining sender addresses for spoofs and flagging suspicious phrases, such as urgent requests for funds. Any suspected email can be handled individually or flagged as potentially dangerous before being routed to an individual.
- Educate employees and company principals. Awareness blunts the possibility of a successful phishing attack: if staff know the risk and are reminded of recent attacks at other companies, they will be alert and will scrutinize incoming requests.
- Set up a verification process that requires all employees to confirm a request for funds or sensitive data before responding to a suspicious email or text message.
Corporations are on high alert for email schemes, whether traditional phishing or whaling attacks. Still, many make it through the phalanx of email filters, company policies, and common sense. The FBI notes that these people-centered attacks succeed because employees are the weakest link in the system. Repeated training and enforcement of two-party verification of such requests is the best way to prevent victimization.