In the U.S. alone, companies across various industries have had to pay ransoms amounting to tens of billions of dollars to hackers over the last decade. Using whaling attacks, hackers have managed to extort large sums of money. Still, some companies believe that hackers usually target giant corporations with good balance sheets and keep away from mom-and-pop businesses and home users.
Of course, hackers target the lowest-hanging fruit. Whether it is a corporation, an SME or an end user doesn’t matter to hackers. People working in a corporate environment often don’t look out for suspicious emails, which allows hackers to steal sensitive data from the company and put businesses out of work.
But what is a whaling attack? A whaling attack is a hacking technique that cybercriminals use to impersonate a senior executive at a company and then extort money or information from the organization or its employees.
Using a whaling attack, hackers can gain access to other senior officials at the target company.
After deceiving top executive-level employees, hackers gain entry to the target company’s computer systems and try to trick employees into transferring money or information to their company’s CEO or CFO (who is actually an impersonator). Whaling attacks have evolved from similar cyberattacks such as CEO fraud and phishing and can be just as destructive. Organizations and individuals should know more about whaling attacks because these attacks are essentially an advanced form of spear-phishing and phishing attacks.
What Type of Attack Is Whaling?
Whaling is a type of phishing attack. In phishing attacks, the targets are non-specific organizations or individuals. In whaling attacks, the targets are specific and the hackers masquerade as specific individuals working at the same organization as the target individual.
Whaling can also be considered a type of spear-phishing attack since whaling attacks involve targeting a specific individual. But whaling attacks are different from spear-phishing attacks because whaling attacks only target high-level and important executives at the target organization.
Who Do Whaling Attacks Target?
Whaling attacks target high-level executives like CEOs and CFOs at various companies. Hackers target such individuals because of the influence they hold at the target organization. Not only that, but top-level executives can also be more prone to cyberattacks because of a lack of awareness about cyber threats. Hackers also target such individuals because of their easy access to sensitive company data and information. In some situations, when hackers want to hurt an organization financially, impersonating a senior official and targeting another senior official at the same company means less supervision and an easier approval process for any transaction that is to take place.
How Do Whaling Attacks Work?
Cybercriminals who are interested in launching a whaling attack first research their target organization. Once cybercriminals have gathered enough information to convincingly impersonate a specific high-value individual at the target organization, they move on to working out the best approach to deceive their target. The hackers then work out what information the high-level executive can access and which of it they can steal.
For this purpose, cybercriminals usually go through all the publicly available information about the company and the individual. They may also look at the social media profiles of both the target individual and the company. After enough preparation, the cybercriminals come up with a plan for launching an attack. Generally, cybercriminals would use the latest malware attack techniques and rootkits to gain access to the company’s network.
These cybercriminals may use a malicious email message that appears to come from the CEO of the company to the CFO or the individual dealing with financial transactions at the company. Hackers are able to make the email message look like it is genuinely coming from someone important at the company. This allows hackers to gain the trust of the person they want to target at the company and achieve their end result, whether that is to steal information or money or to gain access to the network for future attacks.
What Are the Results of Whaling Attacks?
The results of whaling attacks are given below.
- Financial loss
- Reputational damage
1. Financial Loss
In the majority of whaling attacks, cybercriminals are looking to steal money. Once a key top-level executive takes the bait and clicks a malicious link, hackers can gain access to the network and compromise it. Sometimes hackers, impersonating the CFO of the company, request that funds be placed into a particular bank account, and the CEO ends up approving the request. In other cases, hackers can gain information from important personnel in the company which can then be used to launch future attacks when the company has crossed a certain threshold of financial success.
Hackers can also masquerade as a trusted member or supplier of the company. The hackers can ask for funds that, with a good enough impersonation, can get approved, resulting in financial loss for the target company.
2. Reputational Damage
Once a company gets hit with a whaling attack, the company is likely to suffer either data loss or financial damage. Both mar the reputation of the company or the individual running the company. Customers start to trust the company less and investors put their money into companies that haven’t been targeted by a whaling attack.
Whaling Attack Statistics
In 2016, Seagate suffered a whaling attack that resulted in a sensitive data leak that affected 10,000 of its employees. The same year, FACC also had to deal with the consequences of a successful whaling attack that resulted in the company losing $47 million. Snapchat also ended up releasing payroll information after a whaling attack where hackers managed to convince an employee to release the information while impersonating the company’s CEO.
Whaling Attack Examples
Some important whaling attack examples are discussed below:
- Scoular
The Scoular company underwent severe financial damage when cybercriminals impersonated the CEO of the company and emailed the corporate controller about a possible company acquisition in China. They specifically discussed the importance of keeping the conversation private to avoid violating SEC regulations. The cybercriminals even held a telephone call with the controller and ended up causing the company to lose business worth $17.2 million in the form of transferred funds to offshore accounts.
- Ubiquiti Networks, Inc.
Ubiquiti Networks, Inc., a manufacturer of wireless devices, revealed in 2015 that the company had lost $46.7 million to a whaling attack. Attackers impersonated trusted vendors and an executive and emailed the finance department to release funds for a completed order.
- Mattel, Inc.
Mattel, Inc. is a toy manufacturing company that lost around $3 million when hackers duped the company’s finance department into releasing the money into an offshore account in China.
- Levitas Capital
Hackers managed to dupe the co-founder of Levitas Capital, a hedge fund in Australia, into releasing $800,000 after clicking on a malicious Zoom link. The amount of money the hedge fund lost was not as big as some of the other examples on this list but the reputational damage was huge.
Whaling Attack Prevention and Detection
There are many ways to protect one’s organization from whaling attacks. For example, companies and individuals can hire cybersecurity specialists who can educate employees on how to take the necessary precautions to stay safe from different types of cyberattacks and what to look out for.
Companies should also make sure their security measures are in place and working. That means all the computers on the company’s network should have an antivirus product installed and a firewall. There are some email security products as well and if the company regularly engages in email communication, those might be needed too. There should be tools in place to flag email messages that come from outside sources.
Ensuring that there is a rigorous verification process in place before approving any type of transactions or information dissemination is key. Companies can also prevent whaling attacks by educating their employees on how to use social media platforms and different forums. Discussing the damage new cyber threats can cause is another way to make sure employees don’t take cyber threats lightly and always follow protocols to ensure that the company’s assets are safe and secure against unnecessary access.
How to Prevent a Whaling Attack?
To prevent a whaling attack proper precautions need to be taken and the right tools must be installed before an attack happens. If an organization did not have any protection against whaling attacks the first time around then the same tools and precautions need to be taken after a whaling attack has happened.
Apart from not clicking links to unknown destinations or from unknown sources, marking external emails and having an effective verification process, companies should use all the cybersecurity tools available to ward off whaling attacks. That means, in addition to an antivirus product, companies should have custom firewalls, malware scanning tools and an intrusion detection system. Such tools not only detect and prevent whaling attacks but also analyze them to better prepare the network for future whaling attacks.
The right tools in the right places can ensure that even if a whaling attack is successful in the future, the attack can’t do the same amount of damage to the company or the individual. Using a VPN service can also help with preventing whaling attacks because once VPNs secure a connection, hackers can’t know the real IP address of the device they were planning to target. With a VPN in place, hackers will also not have the opportunity to collect information on the target individual or organization. Without any sensitive information, cybercriminals can’t impersonate an important employee at the company to successfully launch a whaling attack.
Employee Awareness/Consciousness
Companies should spend time and resources to educate their employees about the emails that hackers and other cybercriminals might send them to gather sensitive information. Once employees know how to recognize a whaling attack, the company will be in a much better position to handle one.
Employees should pay particular attention to external emails. To prevent whaling attacks, employees must have a system in place to flag emails from external sources. Hackers first have to initiate contact with a company representative to glean information for the eventual whaling attack and an external email address is the only way to do it. If employees are notified that the email is not from within the organization, hackers will have a harder time convincing an employee of the company that the email is from someone within the company. Companies should also educate employees about phishing attacks and how hackers launch phishing attacks.
Educating employees about the emails they get is also important. Employees need to give due consideration to all unsolicited email messages with information requests. Not clicking on malicious links and attachments from unknown sources should be the standard protocol. An easy low-tech way to be safer from whaling attacks via links is to hover over any links in email messages. Once an employee hovers over the link, the web browser should reveal the complete URL in the status bar at the bottom of the window.
This is important:
Double-checking and verifying the sender of the email, the email address and the names is also a must. Hackers usually leave some irregularities in email messages and sometimes make grammatical mistakes purposefully to get past spam filters. Employees should watch out for that as well.
2 (or More) Factor Authentication
During any communication session, a company should always set procedures to verify the other party by requesting sensitive or confidential information which may be used to build trust. One of the best methods to do that is to introduce two-factor authentication, which can prevent whaling attacks. With two-factor authentication in place, even if hackers get hold of account passwords they would still have to find a way to authenticate any login attempt by providing another piece of sensitive information (the second factor).
Pro Tip:
Some newer whaling attack techniques can overcome even two-factor authentication implementations. Therefore, companies that want to prevent whaling attacks should use 2FA implementations that require USB hardware tokens via the U2F standard, as these are more secure than 2FA via SMS or an authenticator app.
Anti-Phishing Applications or Tools
Most reputable anti-phishing tools now take advantage of developments in the field of artificial intelligence and machine learning to help stop whaling attacks. AI-enabled anti-phishing products are better at detecting suspect processes or authentication attempts and can warn the employees at the company about a possible whaling attack attempt. Good anti-phishing tools can even cancel a transaction if the transaction shows enough signs of being a malicious hacking attempt.
With the right implementation, anti-phishing tools can decrease the number of whaling attacks that are successful against a particular company. Some tools to stop whaling attacks include Sophos Email, Microsoft Office 365 Advanced Threat Protection and Barracuda Sentinel.
How to Detect a Whaling Attack?
The best way to detect a whaling attack is to look at the email address of the sender. Hackers normally use advanced techniques to spoof email addresses. An employee educated on phishing attacks should be able to differentiate between a legitimate sender’s email address and an altered version of the same sender’s address. Look out for very subtle differences such as google.com and gooogle.com or 1up.com and Oneup.com.
Note:
Any email message that gives the impression of an emergency or a threat should be looked at with suspicion and used to detect a whaling attack. Most of the email messages cybercriminals build to launch whaling attacks will want the receiver to act urgently. Ideally, hackers want the receiver to act without much thought. Sometimes, depending on the research hackers have done on the recipient, whaling attacks may take on a threatening tone to coerce the employee into complying with the request for fear of negative consequences from higher-ups in the company. Another good way to detect a whaling attack is if the email message (or whatever communication method cybercriminals may choose) is asking for sensitive information or a transfer of funds.
Any action that leads to authorization of funds or dissemination of sensitive information should be double-checked before completing. More specifically, the receiver of the message should make a phone call or schedule an in-person meeting with higher authorities before releasing information or funds to a potentially fake trusted partner.
All of the tips above can be effectively applied to not just email communication but any other form of communication such as telephone, fax, video call or in-person meeting. Whaling attacks can come in all these forms so it’s important to be diligent with all business-related communication.
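The detection cues described in this section (external sender, lookalike domains such as google.com versus gooogle.com, an executive's display name on a foreign address, a mismatched Reply-To, urgency language and a request for funds or sensitive data) can be turned into a simple mail-gateway check. The code below is an added example, not part of the original article or any vendor product; the organisation domain, executive list, keyword lists and the two sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data, constructed for this example.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "before end of day")
REQUEST_WORDS = ("wire", "transfer", "payment", "bank account", "payroll", "w-2", "invoice")

def normalize(domain):
    """Fold common look-alike substitutions (0/o, 1/l, rn/m, vv/w) before comparing."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01", "ol"))

def levenshtein(a, b):
    """Plain edit distance; a small distance to a trusted domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, trusted=ORG_DOMAIN):
    """True when domain is not the trusted one but within two edits of it after normalisation."""
    return domain != trusted and levenshtein(normalize(domain), normalize(trusted)) <= 2

def whaling_indicators(raw):
    """Return the list of whaling red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    flags = []
    if domain != ORG_DOMAIN:
        flags.append("external sender")
        if is_lookalike(domain):
            flags.append("lookalike of " + ORG_DOMAIN)
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        flags.append("executive display name with wrong address")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        flags.append("reply-to differs from sender")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency language")
    if any(w in text for w in REQUEST_WORDS):
        flags.append("funds or sensitive-data request")
    return flags

# Constructed sample messages: one whaling attempt, one benign internal mail.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-example.net
To: cfo@example.com
Subject: Urgent wire transfer needed today

Please process the payment to the new bank account before end of day. Keep this confidential.
"""
BENIGN = "From: Jane Doe <jane.doe@example.com>\nTo: cfo@example.com\nSubject: Lunch\n\nSee you at noon.\n"

if __name__ == "__main__":
    print(whaling_indicators(SAMPLE))  # six flags
    print(whaling_indicators(BENIGN))  # []
```

Edit distance catches the gooogle.com case from the text; a pair like 1up.com and Oneup.com differs by more than two edits and would need an explicit trusted-domain allow list or a digit-to-word mapping, which is left out here.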
What Are the Differences Between Whaling Attacks and Phishing?
The main difference between whaling attacks and phishing attacks is personalization. Generally, phishing attacks are not personalized. Moreover, cybercriminals can use many methods of communication to launch phishing attacks such as messaging apps, email, text and phone. In phishing attacks, cybercriminals generally impersonate a legitimate bank or service and then spam malicious email messages to millions of users hoping to find success with a tiny percentage.
Whaling attacks on the other hand are very personalized. Most whaling attacks involve communications that are tailor-made for one specific individual, usually an important person at a company that can release funds or can provide sensitive information or access to a network. Hackers target a single individual to steal money or install a backdoor into the computer network of the company.
While phishing attacks are never personalized and never mention the name of the recipient, whaling attacks are highly researched. In a whaling attack, hackers not only know the name of the target individual but any piece of information that can be found about the individual on the internet. Cybercriminals usually get information from social media platforms and sites like LinkedIn to learn as much about the individual as possible. This helps them curate a message with the highest probability of passing as a legitimate email.
What Are the Other Types of Attack?
Other types of attacks are given below:
- Spyware
- Adware
- Ransomware
- Droppers
- Worms
- Logic bombs
- Trojans
- Viruses
- File infectors
- Boot-record infectors
- Birthday attacks
- Eavesdropping attacks
- Cross-site scripting attack
- SQL injection attack
- Password attack
- Drive-by attack
- Phishing attack
- Spear-phishing attack
- Replay
- IP Spoofing
- Session hijacking
- Botnets
- Ping of death
- Teardrop attack
- Smurf attack
- TCP SYN flooding
- DDoS
- DoS
What Are the Similarities Between Phishing Attacks and Whaling Attacks?
The similarities between phishing attacks and whaling attacks are numerous since whaling attacks are a subset of phishing attacks. The two terms are very closely related and can often be mistaken for each other. The similarities between phishing attacks and whaling attacks are given below:
- Both primarily use malicious emails to attack individuals and organizations.
- Whaling attacks and phishing attacks use spam to send malicious messages to targets.
- Phishing attacks and whaling attacks both try to exploit the trust people have in various brands, businesses, partners, companies and services.
- Both rely on the target individual to click on a link or respond to a malicious message.
- Whaling attacks and phishing attacks both want to steal information or data.
What Are the Differences Among Phishing, Whaling Phishing and Spear Phishing?
The terms phishing, whaling phishing and spear-phishing are very similar to each other and the differences between these three terms are not well known. Phishing attacks target thousands and even millions of users online. Quantity matters more than the quality of the email message with which to deceive potential victims.
On the other hand, spear-phishing is slightly more specific. Spear-phishing targets employees of an organization or organizations working in specific industries. Cybercriminals have to work harder to research and craft the perfect method to trick potential targets.
In terms of effort, whaling attacks require the most work since cybercriminals have to research a company and individuals within that company for months on end to impersonate one of the high-ranking employees as best as possible. Consequently, whaling attacks have the highest success rate among different types of phishing attacks.