I've heard of a phishing attack and understand its implications, but lately I've been hearing more and more about...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
whaling attacks. What is a whaling attack and are there specific actions an enterprise should take to defend against it?
Whaling attacks are a sub-type of phishing attacks. According to the official WhatIs.com definition, "whaling is a type of fraud that targets high-profile end users such as C-level corporate executives, politicians and celebrities." Think of it like spear phishing against high-value, high-profile targets. Famous individuals including Paris Hilton were whaling victims before the term came to fruition. "Whales" are at increased risk due to the public nature of their personalities and lifestyles. Because there are additional risks to going after these targets, their service providers might also be targeted to get access to their clients' personal information.
If someone were to use pretexting to socially engineer a password reset for Paris Hilton's smartphone, the phisher could easily gain access again to whatever sensitive data she had saved on the device. Companies targeting whales as customers may want to keep these types of attacks in mind so they are not used to attack the whale itself.
While standard enterprise protections against phishing should already be in place in your enterprise, you may wish to target them toward your high-profile end users specifically. These individuals typically have the least amount of time available to attend security awareness training, so only include applicable targeted antiphishing security controls in your trainings. In an enterprise environment, additional controls may be helpful, such as:
- Limiting where an account can be used. This could potentially prevent a phisher from using the account even if credentials were phished.
- Reviewing all uses of the whale's accounts. Doing so won't stop an attack, but could help detect an attack and therefore prevent widespread access to the account.
- Sending the person's emails to a trusted assistant. While this wouldn't necessarily prevent an attack, it could help identify phishing emails, as the assistant could alert the whale that he or she shouldn't click on the link, or just delete the email.
Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email! (All questions are anonymous.)
Dig Deeper on Email and Messaging Threats-Information Security Threats
Related Q&A from Nick Lewis
The Fruitfly Mac malware has decades-old code, but has been conducting surveillance attacks for over two years without detection. Expert Nick Lewis ...continue reading
A Gmail phishing attack brought users to fake login pages designed to look like Google's. Expert Nick Lewis explains how users can prevent similar ...continue reading
A HummingBad malware variant, HummingWhale, was discovered being spread through 20 apps on the Google Play Store. Expert Nick Lewis explains the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.