I've heard of a phishing attack and understand its implications, but lately I've been hearing more and more about whaling attacks. What is a whaling attack and are there specific actions an enterprise should take to defend against it?
Whaling attacks are a sub-type of phishing attacks. According to the official WhatIs.com definition, "whaling is a type of fraud that targets high-profile end users such as C-level corporate executives, politicians and celebrities." Think of it as spear phishing against high-value, high-profile targets. Famous individuals, including Paris Hilton, were whaling victims before the term was coined. "Whales" are at increased risk because of the public nature of their personalities and lifestyles. Because going after these targets directly carries additional risk, their service providers might also be targeted to get access to their clients' personal information.
If someone were to use pretexting to socially engineer a password reset for Paris Hilton's smartphone, the phisher could easily regain access to whatever sensitive data she had saved on the device. Companies that target whales as customers may want to keep these types of attacks in mind so that their services are not used to attack the whale itself.
While standard enterprise protections against phishing should already be in place in your enterprise, you may wish to target them toward your high-profile end users specifically. These individuals typically have the least time available for security awareness training, so include only the targeted antiphishing controls that apply to them. In an enterprise environment, additional controls may be helpful, such as:
- Limiting where an account can be used. This could potentially prevent a phisher from using the account even if credentials were phished.
- Reviewing all uses of the whale's accounts. Doing so won't stop an attack, but could help detect an attack and therefore prevent widespread access to the account.
- Sending the person's emails to a trusted assistant. While this wouldn't necessarily prevent an attack, it could help identify phishing emails, as the assistant could alert the whale that he or she shouldn't click on the link, or just delete the email.
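The first two controls above (restricting where a whale's account may be used, and reviewing every use of it) can be turned into a simple review pass over authentication events. The following is an added example, not code from the original answer: it assumes a constructed per-account allowlist of source networks and constructed sign-in events, and it also flags recovery-path changes such as the socially engineered password reset described earlier.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical policy: the source networks each high-profile account may sign in from.
# Account names and networks are constructed for this example (RFC 5737 ranges).
WHALE_POLICY = {
    "ceo@example.com": ["203.0.113.0/24", "198.51.100.0/24"],
    "cfo@example.com": ["203.0.113.0/24"],
}

# Events that change how an account can be recovered; a pretexted password reset
# for a whale's device shows up here rather than as a suspicious login.
RECOVERY_EVENTS = {"password_reset", "mfa_enroll", "recovery_email_change"}

@dataclass
class Alert:
    account: str
    reason: str
    detail: str

def review_events(events, policy=WHALE_POLICY):
    """Return alerts for whale accounts only: logins from outside the account's
    allowed networks, and any recovery-path change. Other accounts are skipped."""
    alerts = []
    for ev in events:
        acct = ev["account"]
        if acct not in policy:
            continue
        if ev["type"] == "login":
            src = ipaddress.ip_address(ev["src_ip"])
            if not any(src in ipaddress.ip_network(net) for net in policy[acct]):
                alerts.append(Alert(acct, "login_outside_allowed_networks", ev["src_ip"]))
        elif ev["type"] in RECOVERY_EVENTS:
            alerts.append(Alert(acct, "recovery_path_changed", ev["type"]))
    return alerts

# Constructed sample events (not captured from any real system).
SAMPLE_EVENTS = [
    {"account": "ceo@example.com", "type": "login", "src_ip": "203.0.113.17"},
    {"account": "ceo@example.com", "type": "login", "src_ip": "192.0.2.44"},
    {"account": "cfo@example.com", "type": "password_reset", "src_ip": "198.51.100.9"},
    {"account": "staff@example.com", "type": "login", "src_ip": "192.0.2.44"},
]

if __name__ == "__main__":
    for a in review_events(SAMPLE_EVENTS):
        print(f"ALERT {a.account}: {a.reason} ({a.detail})")
```

In a real deployment the allowlist would be enforced by the identity provider as well as reviewed after the fact; the review step is what turns a phished credential into a detected, rather than silent, compromise.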