Much like spear phishing (which generally targets an individual), whale phishing is a strategic scam specifically aimed at a high-value, powerful, or prominent target. This style of phishing scam may take more expertise and research on the part of the cybercriminal, making it all the more difficult to catch and defend against.
What Is a Whaling Attack?
A whaling attack occurs when a predetermined, high-value individual, is selected and targeted for sensitive information. Hackers might create a believable facade by closely mimicking branding, logos, style, emails, websites, or other communication pathways. Through this facade, hackers may impersonate a credible source, requesting sensitive information from the “whale” (the target) with spoofed emails. The impersonation might ask for a wire transfer to an unauthorized third party, or gain access to sensitive information like company resources, or employee information.
A well-executed whaling attack may also gain access to employees through impersonation of the whale. Employees may believe they are being contacted by a superior, and comply by providing the requested information. This leads to a bank of personal and financial data that can then be used to farm other schemes such as tax refund fraud and identity theft, as well as access to personal accounts, documents, and other credentials.
Whale phishing tactics rely heavily on the ingenuity, research, and design performed by the hacker. Scams continue to evolve, becoming more customized and intricate with the amount of individual data becoming more readily available and published on online platforms. A lack of protective measures or training to discern between an authentic email from a highly stylized and fraudulent one are weaknesses scammers depend on.
Spear Phishing and Whaling
“Phishing” casts a large net by sending out mass communication spam emails, while “spear phishing” targets an individual or organization. During a spear phishing scam, a fraudulent email is created through the use of replicated images, headers, and other branding, to spoof an email address. This fake message appears, in nearly all aspects, to be legitimate and while requesting access to sensitive information. The accuracy and effectiveness of these scams range from spam mail to highly crafted replica documents and web pages.
Whaling is a specific type of spear phishing. Whale phishing is a designed campaign where the scammer uses social engineering and deep research to attack a “big phish” or “whale,” an authority, executive, or powerful individual. The whale is the target, and may be attacked by use of malware. The goal is generally to initiate a wire transfer or obtain the “keys to kingdom” which would normally guard sensitive information of the company. A whaling attack may also be used as a pathway to grant access to future attacks and obtain further information from other people.
How to Protect Yourself Against a Whaling Attack
Protection against phishing and whale phishing attacks requires strategic defense on many levels. Technical security should include up to date anti-malware software, spam filters, and other detection and protection tools set to the strongest degree.
Human defense starts at the highest level. It requires that the key individuals who are most likely to be targeted remain on guard about releasing their personal information online. Creating an online pseudonym or profile would allow the individual to participate in general online social activities and social media platforms, while protecting their immediate identity.
Using pseudo email addresses and phone numbers may also reduce the likelihood that personal information may be discovered while filling out online forms, shopping, or setting up accounts. A pseudonym may also protect the entire company by limiting the readily available information a cybercriminal would need to build an accurate and authentic-looking whaling attack.
All employees and individuals should avoid sharing private or financial information through email, and question contact through unknown sources. Staff training should include learning how to search for signs of email spoofing and IP authentication.
If sensitive information — personal, financial, or transactional — is requested, the scope of the request should be considered. Was it expected? Is there an abnormality in the email, link, or attachment? Did it follow the typical style of internal communication? Does it seem unusual in any way? Suspicious links, attachments, or downloads should never be clicked until authenticated.
Company policies may also describe the kind of information leadership and authority figures may ask, how the information will be requested, and how employees should report suspicious requests for verification. The strongest security measures are built with a comprehensive approach that identifies security measures for leadership, and for every individual.