A whaling attack is a phishing attack that targets high-profile employees such as the CEO or CFO in order to steal sensitive information from a company, since those who hold senior positions typically have full access to sensitive data. In many whaling attacks the attacker's goal is to manipulate the victim into authorizing high-value wire transfers to the attacker.
Whaling vs. phishing:
Whaling attacks are easily confused with phishing attacks because the two are so similar in nature: both are online attacks on users that aim to acquire sensitive information. Phishing is the broader term for any attempt to fool victims into sharing confidential information such as usernames, passwords and financial details for malicious purposes. In a typical phishing campaign, cybercriminals send fraudulent emails to large numbers of victims in the hope that a small percentage will succeed. Whaling, by contrast, is a special type of phishing that targets a high-ranking individual such as an executive rather than a large group of victims. Whaling emails are sent to a single person or a small group of targets instead of using the mass-distribution techniques of typical phishing. Whaling attacks further differ from ordinary phishing in that they are far more personalized and more closely imitate legitimate emails.
How is the information used?
Once the attackers have all the information they need on the senior manager, they compromise the manager's account and take control of their email or messaging services. With control of the senior manager's account, they can message the people who report to the manager and scam them. If the attacker cannot gain access to the company's network or accounts, they may instead attempt impersonation. This tactic involves recreating an email address that is very similar to that of the person they want to impersonate, then sending emails to that person's employees from it.
This method has a higher chance of being caught by a spam filter, or of being blocked altogether if the company operates a whitelist, but it can still sometimes work.
Tips for defending against whaling attacks:
- Educate senior management: Senior management, key staff and financial teams should be educated about the effects of whaling attacks and how to spot them.
- Have private profiles: Executives should have as little personal information on their public profile as possible because details like birthdays, hobbies, friends and addresses can all be used in an attack. The best way to prevent unknown individuals from viewing personal details is to use privacy restrictions.
- Mark external emails: Many whaling emails are intended to look like they come from someone high up within the organization. A good way to spot a potential whaling attack is to flag emails that are sent from outside of the corporate network.
- Establish a verification process: If an employee receives an email requesting funds or information that is not usually transferred via email, the safest option is to verify the request with the stated sender via another channel before transferring any sensitive data.
- Implement data protection: Solutions like data loss prevention provide a critical last line of defence against whaling and other forms of social engineering attacks, preventing the exfiltration of sensitive data even in the event that an employee is tricked into attempting to send it to an attacker.
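The "mark external emails" tip and the impersonation tactic described above can be checked mechanically at the mail gateway. The following is an added example, not code from the original article, that flags a sender as external, as using a lookalike of the corporate domain (typo or character-substitution variants), or as an outside address borrowing an executive's display name. The corporate domain, the executive names and the sample headers are constructed for the example.

```python
import email.utils

# Constructed values for the example; substitute your own organisation's domain and executive names.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}

# Common character substitutions seen in lookalike domains (digit/letter swaps, "rn" for "m").
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Fold lookalike substitutions so 'examp1e-corp.com' compares equal to 'example-corp.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> dict:
    """Return the flags a mail gateway would attach to a message based on its From: header."""
    display_name, address = email.utils.parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    internal = domain == CORPORATE_DOMAIN or domain.endswith("." + CORPORATE_DOMAIN)
    flags = []
    if not internal:
        flags.append("external")  # basis for an [EXTERNAL] subject tag or banner
        if normalize(domain) == normalize(CORPORATE_DOMAIN) or edit_distance(domain, CORPORATE_DOMAIN) <= 2:
            flags.append("lookalike-domain")
        if display_name.strip().lower() in EXECUTIVE_NAMES:
            flags.append("executive-display-name")  # outside sender using an executive's name
    return {"address": address, "domain": domain, "flags": flags}


if __name__ == "__main__":
    for hdr in ("Jane Doe <jane.doe@example-corp.com>", "Jane Doe <jane.doe@examp1e-corp.com>",
                "Jane Doe <ceo.janedoe@gmail.com>", "Bob <bob@example-corp.co>"):
        print(hdr, "->", classify_sender(hdr)["flags"])
```

A message carrying "lookalike-domain" or "executive-display-name" is a candidate for quarantine or for the out-of-band verification step described in the tips; "external" alone simply drives the visible banner.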