A whaling attack, also known as whaling phishing or a whaling phishing attack, is a specific type of phishing attack that targets high-profile employees, such as the chief executive officer or chief financial officer, in order to steal sensitive information from a company. In many whaling phishing attacks, the attacker's goal is to manipulate the victim into authorizing high-value wire transfers to the attacker.
The term whaling stems from the size of the attacks, and the whales are thought to be picked based on their authority within the company.
Due to their highly targeted nature, whaling attacks are often more difficult to detect and prevent than standard phishing attacks. In the enterprise, security administrators can help reduce the effectiveness of whaling attacks by encouraging corporate management staff to undergo information security awareness training.
The goal of a whaling attack is to trick an individual into disclosing personal or corporate information through social engineering, email spoofing and content spoofing efforts. For example, the attackers may send the victim an email that appears to be from a trusted source; some whaling campaigns include a customized malicious website that has been created especially for the attack.
Whaling attack emails and websites are highly customized and personalized, and they often incorporate the target's name, job title or other relevant information gleaned from a variety of sources. This level of personalization makes it difficult to detect a whaling attack.
Whaling attacks often depend on social engineering techniques, as attackers will send hyperlinks or attachments to infect their victims with malware or to solicit sensitive information. By targeting high-value victims, especially chief executive officers (CEOs) and other corporate officers, attackers may also induce them to approve fraudulent wire transfers using business email compromise (BEC) techniques. In some cases, the attacker impersonates the CEO or other corporate officers to convince employees to carry out financial transfers.
These cyber attacks can fool victims because attackers are willing to spend more time and effort constructing them due to their potentially high returns. Attackers will often use social media, such as Facebook, Twitter and LinkedIn, to gather personal information about their victim to make the whaling phishing attack more plausible.
Defending against whaling attacks involves a mix of employee security awareness, data detection policy and infrastructure. Some best practices for preventing whaling include the following:
Phishing attacks, whaling phishing attacks and spear phishing attacks are often confused. All are online attacks targeting users to gain sensitive information or to social engineer the victim into taking some harmful action.
A whaling attack is a special form of spear phishing that targets specific high-ranking victims within a company. Spear phishing attacks can target any specific individual. Both types of attack generally require more time and effort on the part of the attacker than ordinary phishing attacks.
Phishing is a broader term that covers any type of attack that tries to fool a victim into taking some action, including sharing sensitive information, such as usernames, passwords and financial records for malicious purposes; installing malware; or completing a fraudulent financial payment or wire transfer.
While ordinary phishing email attacks usually involve sending emails to a large number of individuals without knowing how many will be successful, whaling email attacks usually target one specific individual at a time -- typically a high-ranking individual -- with highly personalized information.
One notable whaling attack occurred in 2016 when a high-ranking employee at Snapchat received an email from an attacker pretending to be the CEO. The employee was tricked into giving the attacker employee payroll information; ultimately, the Federal Bureau of Investigation (FBI) looked into the attack.
Another whaling attack from 2016 involved a Seagate employee who unknowingly emailed the income tax data of several current and former company employees to an unauthorized third party. After reporting the phishing scam to the Internal Revenue Service (IRS) and the FBI, it was announced that thousands of people's personal data was exposed in that attack.
A third notable example of whaling occurred in 2018 when the European cinema company Pathé was attacked and lost $21.5 million in the wake of the attack. The attackers, posing as high-ranking employees, emailed the CEO and chief financial officer (CFO) with a fraudulent request for a highly confidential financial transaction. Despite red flags, the CEO and CFO transferred roughly $800,000 to the attackers, which was only the beginning of the company's losses from the incident.
HP has predicted that 2021 will likely see an increase in whaling attacks, along with other cybersecurity threats, such as ransomware, phishing emails and thread hijacking. The massive shift to remote work in response to the COVID-19 pandemic is, in part, responsible for exposing organizations to new vulnerabilities, HP said.
26 Jan 2021