Get started Bring yourself up to speed with our introductory content.

Whaling attacks: Taking phishing attacks to the next level

Whaling attacks take phishing to the next level with much bigger targets. Enterprise threats expert Nick Lewis explains how to mitigate the risk.

I've heard of a phishing attack and understand its implications, but lately I've been hearing more and more about whaling attacks. What is a whaling attack and are there specific actions an enterprise should take to defend against it?

Whaling attacks are a sub-type of phishing attacks. According to the official definition, "whaling is a type of fraud that targets high-profile end users such as C-level corporate executives, politicians and celebrities." Think of it like spear phishing against high-value, high-profile targets. Famous individuals including Paris Hilton were whaling victims before the term came to fruition. "Whales" are at increased risk due to the public nature of their personalities and lifestyles. Because there are additional risks to going after these targets, their service providers might also be targeted to get access to their clients' personal information.

If someone were to use pretexting to socially engineer a password reset for Paris Hilton's smartphone, the phisher could easily gain access again to whatever sensitive data she had saved on the device. Companies targeting whales as customers may want to keep these types of attacks in mind so they are not used to attack the whale itself.

While standard enterprise protections against phishing should already be in place in your enterprise, you may wish to target them toward your high-profile end users specifically. These individuals typically have the least amount of time available to attend security awareness training, so only include applicable targeted antiphishing security controls in your trainings. In an enterprise environment, additional controls may be helpful, such as:

  • Limiting where an account can be used. This could potentially prevent a phisher from using the account even if credentials were phished.
  • Reviewing all uses of the whale's accounts. Doing so won't stop an attack, but could help detect an attack and therefore prevent widespread access to the account.
  • Sending the person's emails to a trusted assistant. While this wouldn't necessarily prevent an attack, it could help identify phishing emails, as the assistant could alert the whale that he or she shouldn't click on the link, or just delete the email.

Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email! (All questions are anonymous.)

This was last published in June 2014

Dig Deeper on Email and Messaging Threats-Information Security Threats