Definition of a Whaling Attack
A whaling attack is a targeted phishing attempt to steal sensitive information from a company, such as financial information or personal details about employees, or to extract money from it. It specifically targets senior management: the CEO, CFO, and other executives who hold authority and broad access to sensitive data. It is called “whaling” because of the size of the targets relative to those of typical phishing attacks; “whales” are carefully chosen because of their authority and access within the company. The goal is to trick an executive, or an employee acting on what looks like an executive’s instruction, into revealing personal or corporate data or authorizing a payment. The attack usually arrives through spoofed email and spoofed websites.
What Is the Difference between “Whaling” and “Phishing”?
Whaling, by itself, is not an advanced technique. At a basic level, it is a more carefully prepared form of phishing. It is the preparation behind it, however, that makes it potentially devastating to its targets.
It takes the weaknesses of mass phishing and refines the approach to get one specific person to do what the hacker wants. The main problem with generic phishing, from the attacker’s point of view, is that it has become less effective: the public has learned to spot a bulk phishing email, so those campaigns no longer work as well as they once did.
As a result, hackers have had to escalate their efforts. People are generally told they can trust messages from friends, family, and co-workers, and whaling exploits exactly that trust by impersonating someone the victim knows and reports to.
Whaling is when a hacker digitally targets someone in a senior position in a company. Usually, the hacker first harvests information on the person, from social media, company announcements and other public sources, to learn how they write, who they work with and when they travel. They may also gain access to the company’s network beforehand and investigate how the company operates, for example how payments are requested and approved.
Why Are Whaling Attacks Successful?
Such attacks use fraudulent emails that appear to come from trusted sources to trick victims into divulging sensitive data over email, or into visiting a spoofed website that mimics a legitimate business and asks for sensitive information such as payment or account details.
Whaling emails and websites are highly personalized towards their targets. They often include targets’ names, job titles, and basic details to make the communications look as legitimate as possible. Attackers also use spoofed email addresses and actual corporate logos, phone numbers, and other details to make attacks seem like they are coming from trusted entities such as business partners, banks, or government agencies.
These attacks are highly personalized and sent only to select targets within a company. Whaling attacks can rely solely on social engineering to fool their targets, though some cases use hyperlinks or attachments to infect victims with malware or solicit sensitive information. Because of the high returns that cybercriminals can gain from a single successful whaling attack, they spend far more time and effort constructing it to seem legitimate than they would on a bulk phishing run.
Examples of Whaling Attacks
Because whaling attacks are so difficult to identify, many companies have fallen victim to them in recent years. In early 2016, the social media company Snapchat fell victim to a whaling attack when a high-ranking employee was emailed by a cybercriminal impersonating the CEO and was fooled into revealing employee payroll information. Snapchat reported the incident to the FBI and offered the employees affected by the leak two years of free identity-theft insurance.
Another similar incident happened in March 2016, when an executive at Seagate unknowingly answered a whaling email that requested the W-2 forms for all current and former employees. The incident resulted in a breach of income tax data for nearly 10,000 current and former Seagate employees, leaving them susceptible to income tax refund fraud and other identity theft schemes. Seagate notified the IRS of the data breach.
How Much Damage Does It Do?
Now we know the details of a whaling attack, but how many companies fall for them? Do companies quickly catch these attacks out, or are hackers earning a pretty penny by taking advantage of these businesses?
Forbes reported that, since 2013, an estimated $12 billion had been lost by just under 80,000 businesses to business email compromise, the category of fraud that whaling belongs to. Not only that, but Varonis said that whaling went up 200% in 2017 alone, showing that hackers are warming to the idea of going big-game phishing.
How Do Hackers Benefit from Whaling?
A hacker would not go to all this trouble without expecting something in return. The primary objective is to extract money from employees by asking them to transfer funds to an account that the “manager” supposedly needs paid.
If a hacker has done their homework, they will imitate the voice and tone of the manager to make the attack more believable. They will ask people to wire money to a specific account, claiming that it is for business reasons.
A hacker may attempt something a little sneakier instead. After all, asking people to wire money could raise eyebrows. Sometimes information can be worth more than a single payout, and hackers will ask for sensitive data they can use to earn some extra money, for example by filing fraudulent tax returns with stolen W-2 data.
A few years ago, The Guardian reported on the Snapchat incident described above, in which an HR employee received an email from a hacker pretending to be the CEO. The hacker asked the employee for the company’s payroll information, and the HR employee replied with all of the details. The hacker now had the payment details of everyone hired at Snapchat.
How to Defend Against Whaling Attacks?
1. Secure Company Policies
Ideally, a whaling attack should not succeed in the first place. A good company security policy is an effective way to prevent problems caused by hackers.
For one, user accounts should be hard to compromise. Robust passwords and additional countermeasures against intruders (such as two-factor authentication) should keep whalers from breaking into executives’ mailboxes, which they would otherwise use to send fraudulent requests from a genuine internal address.
Companies should also configure their email system to treat any mail arriving from outside the organisation with suspicion: tag external mail visibly in the subject or banner, and publish and enforce SPF, DKIM and DMARC so that mail forged to look like it comes from the company’s own domain is rejected rather than delivered. A blacklist alone will not stop a convincing impostor, because whaling mail typically comes from a freshly registered lookalike domain that no list has seen yet; checks on the sender’s actual domain, the Reply-To address and the gateway’s authentication results catch far more.
2. Protect Data and Money Transfers
Ideally, the processes behind sending data and money should be strong enough that neither can leave the company on the say-so of a single email. This protects against insiders as well: failure to cover this may lead to disgruntled employees taking a little extra for themselves.
Always handle data and money transfers through a fixed process: dual approval for payments and for releasing bulk personal data such as payroll files, verification of new or changed beneficiary details by a phone call to a number already on file, and no exceptions for requests marked urgent or confidential. That way, if someone does get fooled by a whaling email, the transaction is flagged by the process before the hacker manages to get their hands on the prize.
3. Practice Vigilance
When all else fails, and a hacker targets you personally for a whaling attack, you can do your part by practising diligence.
A whaler will try to exploit your sense of duty by contacting you from the position of a higher-up. That way, when they ask you for sensitive information, you will feel the need to send it without a second thought.
If a manager you know suddenly starts asking you for cash or personal information by email, double-check the display name and email address for oddities: a lookalike domain, a Reply-To that differs from the sender, an unusual tone or an unusual demand for secrecy. If something seems off, contact the boss outside of email, by phone or in person using a number you already have rather than one given in the message, to see if the request is legitimate.
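The checks described under “Secure Company Policies” (flagging external mail and rejecting forged internal senders) and the manual checks above (display name, address, Reply-To) can be automated at the mail gateway. The following is an added example, not code from the original article: a small triage routine that parses a raw message, looks for the indicators that distinguish a whaling lure from routine mail, and returns a gateway verdict. The organisation domain example.com, the executive names, the keyword list and the three sample messages are all constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for this example (not from the article): the organisation's own
# mail domain and the executives whose names a whaler would most likely borrow.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}
# Phrases that recur in whaling lures: pressure to act now, secrecy, and the
# assets the attacker is after (payments, payroll and tax forms).
LURE = re.compile(r"\b(urgent|immediately|asap|confidential|wire|w-2|payroll)\b", re.I)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """examp1e.com, exarnple.com and example-corp.com all count as lookalikes."""
    label = ORG_DOMAIN.split(".")[0]
    return domain != ORG_DOMAIN and (edit_distance(domain, ORG_DOMAIN) <= 2 or label in domain)


def analyze(raw_message: str) -> list[str]:
    """Return the whaling indicators found in one RFC 5322 message, in order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = domain_of(from_addr)
    findings = []

    if from_domain != ORG_DOMAIN:
        findings.append("external-sender")
        if display_name.strip().lower() in EXECUTIVES:
            findings.append("executive-display-name-on-external-address")
        if is_lookalike(from_domain):
            findings.append("lookalike-domain")
    else:
        # Mail claiming to come from our own domain must carry a DMARC pass
        # stamped by our own gateway; otherwise the From header was just typed in.
        if "dmarc=pass" not in str(msg.get("Authentication-Results", "")):
            findings.append("internal-domain-without-dmarc-pass")

    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if LURE.search(f"{msg.get('Subject', '')} {text}"):
        findings.append("lure-keywords")
    return findings


def verdict(findings: list[str]) -> str:
    """Gateway action: quarantine on identity forgery, warn on softer signals."""
    forgery = {"executive-display-name-on-external-address", "lookalike-domain",
               "internal-domain-without-dmarc-pass"}
    if forgery & set(findings):
        return "quarantine"
    return "warn" if findings else "deliver"


# Constructed sample messages (not real mail). Authentication-Results is the
# header our own MX would add after checking SPF/DKIM/DMARC.
SPOOFED_EXTERNAL = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@gmail.example
To: hr@example.com
Subject: Urgent - W-2 forms needed today
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dmarc=none

Hi, please send the W-2 forms for all staff as a PDF and keep this confidential.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Offsite agenda
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Attached is the agenda for next week.
"""

SPOOFED_INTERNAL = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Supplier payment
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com

Please wire 48,000 to the new account below today; I am in meetings all day.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed external", SPOOFED_EXTERNAL),
                          ("legitimate", LEGITIMATE),
                          ("spoofed internal", SPOOFED_INTERNAL)):
        found = analyze(sample)
        print(f"{label}: {verdict(found)} {found}")
```

The two spoofed samples show the two shapes a whaling email takes: an external lookalike domain dressed up with an executive’s display name and a free-mail Reply-To, and a forged internal From header that only DMARC evidence from your own gateway can expose. The keyword check is deliberately the weakest signal; it turns into a warning banner, while the identity checks are what justify quarantine.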
Using a Secure Email Service
A whaling attack depends on the hacker gleaning enough information to make the impersonation convincing. Much of that comes from public sources, but an email service that exposes message content or metadata to snooping, or that protects accounts weakly, hands the attacker exactly the internal detail (who approves what, how the boss writes, which suppliers are due a payment) that makes a lure believable. As such, you should analyze how secure your email service is, and whether it does a good job of defending itself from snooping.
If you are a little stuck on what services to choose, look for secure and encrypted email providers that put your privacy first. An email provider that does not protect your connections carries a risk of leaking sensitive data, which a hacker can use to stage a whaling attack.
Staying Safe From Identity Theft
Whaling is the larger sibling of phishing on every level. From the size of the target to the potential rewards it holds, whaling can be a significant problem for businesses and employees alike.