Have you ever received an email from a trusted sender who really turned out to be an online phisher? If so, you’re not alone, and even large organizations like Snapchat and Seagate have fallen victim to whaling phishing attacks.

When it comes to whaling, corporate email addresses and high-level employees are often the targets of these sophisticated phishing schemes. While premium protection services work well against smaller at-home attacks, whaling attacks can slip through a major organization’s defenses if employees and possible targets are unaware of their possibility.

If you’ve found yourself wondering “what is whaling?” while surfing the high seas of the web, our guide can provide you with answers to your question and defenses against online angling.

What Is Whaling Phishing?

Whaling phishing, frequently referred to simply as whaling, is a type of phishing attack. These attacks usually target high-profile individuals — CEOs, COOs and organizational presidents — and employ more mature, sophisticated tactics than other phishing schemes.

Instead of sending mass emails to a variety of people or companies, whaling phishing attacks are well-researched and targeted at specific organizations. Names, addresses, job titles and other personal information are used to create a stronger, more believable ploy.

The goal of whaling phishing is to convince targets to give up credentials, to steal money or data, or to gain access to networks with a bigger potential payoff. To do so, these cyberattacks entice leaders to send or wire money to scammers, or to reveal sensitive information like passwords and usernames that unlock a company’s intellectual property.

Illustration: a laptop with a whale caught on a hook being pulled from the screen, with the definition of whaling on the left-hand side.

Whaling Attacks: How They Work

As organizations continue to take security awareness training seriously, hackers have been forced to create more sophisticated tactics for their phishing schemes. Unlike common phishing emails, whaling emails have adopted specific characteristics to avoid detection, including:

  • Professional and business-centric terminology
  • Precise industry knowledge
  • Spoofed email addresses, websites and landing pages
  • Personal information, references and anecdotes 

Using social engineering techniques, hackers combine these characteristics with specific content and urgent messaging to encourage targets to act quickly. Many whaling attacks include details like fake addresses masquerading as trustworthy individuals, detailed landing pages or webpages, personalized features like the target’s name or job title and follow-up phone calls.

Some common elements of whaling emails include:

  • Requests for personal favors from other high-value or trusted individuals
  • Discouraged in-person meetings
  • Urgent demands for payments through wire transfers
  • Clickable links or attachments that prompt for internal credentials

If the targets react to whaling emails or spoofed websites by clicking on an attachment or link, their devices may become infected by malware, which can steal sensitive information, impersonate the target or change permission settings.

Detecting a Whaling Attack

Since whaling attacks have a higher potential return, they are more strategically planned and can be difficult to detect. Most whaling attacks can be recognized through these signs:

  • Spoofed and urgent emails: Many whaling attacks will use spoofed emails with urgent messages to begin an assault. These emails will look almost identical to trusted organizational emails, giving them an air of credibility that can spur action.
  • Infected links, attachments and landing pages: Suspicious links, attachments and landing pages are used to deposit malware onto vulnerable devices. They can be embedded in the body of a spoofed email or text message.
  • High-value targets: Whaling attacks will often target high-value individuals in an organization. These targets may have direct access to credentials or company funds.
  • Impersonation: If a whaling attack does not target a CEO or COO, hackers may choose to impersonate them instead. Impersonators then target lower-level employees who may have access to servers or other sensitive information.

If one or more of these signs are present in a cyberattack, you may have the makings of a perfect storm for a whaling attack.

Illustration: impersonation, infected links, high-value targets and spoofed email addresses.

Dangers of Whaling

While financial gain is the main motivator behind phishing attacks of all types, there are different types of damage whaling attacks can cause.

Financial Damage

For many whaling attackers, financial damage to an organization is the main goal. In successful breaches, the company will suffer financial losses while the hacker or hacker group will benefit from financial gains. In many cases, high-value targets will simply wire or transfer money to a fake account, but some whaling attacks actually steal sensitive information that is later sold for profit.

Data Damage

In addition to financial damage, whaling attacks frequently cause data damage. In fact, 76% of whaling phishing attacks are used to access organizational credentials, which can include employee and customer data. These data breaches can lead to further financial loss and the loss of intellectual property.

Reputational Damage

Both financial loss and data damage can harm the reputation of an organization. Aside from internal losses, a company’s brand can lose customer trust and suffer from negative press. Additionally, depending on a company’s product or industry, it may lose brand deals, sponsorships and other reputation-led relationships.

5 Ways to Defend Against Whaling Attacks

While whaling attacks may be more sophisticated than other phishing attacks, there are still ways to prepare for and defend against them. These five defensive tactics can be practiced by members of an organization at all levels, CEOs and employees alike.

1. Awareness 

The best way an organization can defend against whaling attacks is by prioritizing awareness. Security training about phishing attacks, social media usage and other awareness classes should be standardized across an organization. Additionally, providing employees with a list of things to watch out for — like incorrect email addresses and requests for money or security information — keeps all users aware of the dangers and possibilities of a whaling attack.

2. Multistep Authentication

Two-step and multistep authentication have grown in popularity with the rise of cyberattacks. This often means using third-party applications or software to validate the legitimacy of a message or login. By requiring multistep authentication for wire transfers, access to sensitive information and email or data checks, a company can decrease the possibility of successful whaling attacks.

3. Data Security Policies 

While online monitoring is often frowned upon, it can be a legitimate defense mechanism against phishing schemes. Designating a team or installing data security across an organization can reduce the risk of phishing attacks. These teams or programs can monitor email addresses for malicious activity or spoofing, and automatically block any suspicious addresses or email content.
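The monitoring described above, and the detection signs listed earlier (spoofed sender addresses, urgent messaging, impersonation of executives), can be turned into a simple screening rule. The following is an added example and not code from the original article or from any product it mentions: it parses an inbound message, flags an executive display name arriving from a domain other than the one on a constructed roster, a Reply-To that redirects replies elsewhere, a failed SPF/DKIM/DMARC result in the Authentication-Results header (RFC 8601), and the urgency, payment and "don't call me" wording the article lists as common whaling elements. The roster, domains, sample messages and score weights are all constructed for illustration.

```python
"""Heuristic screen for executive-impersonation (whaling) email.

Added example; the executive roster, sample messages and weights below are
constructed and hypothetical, not taken from any real organization.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed roster: display names of high-value people and the only
# domain their mail should legitimately come from.
EXECUTIVES = {"jane doe": "example.com", "tom lee": "example.com"}

# Content cues drawn from the whaling elements the article lists.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|today|right away|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|payroll|w-?2s?|credentials|password)\b", re.I)
NO_VERIFY = re.compile(r"\b(do not|don'?t|can'?t|cannot)\s+(discuss|call|mention|tell|phone)\b|\bin a meeting\b", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text(msg: Message) -> str:
    """Subject plus every text/plain part, decoded to str."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def score_message(raw: str) -> dict:
    """Return a score, a verdict (low/medium/high) and the reasons behind it."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    reasons, score = [], 0

    # 1. Executive display name, but the sending domain is not the executive's.
    exec_domain = EXECUTIVES.get(name.strip().lower())
    if exec_domain and from_domain != exec_domain:
        reasons.append(f"display name '{name}' sent from {from_domain}, expected {exec_domain}")
        score += 3

    # 2. Reply-To steers the conversation away from the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        reasons.append(f"Reply-To steers replies to {_domain(reply_to)}")
        score += 2

    # 3. The receiving mail server recorded an authentication failure.
    auth = msg.get("Authentication-Results", "")
    for mech in ("dmarc", "spf", "dkim"):
        if re.search(rf"\b{mech}=(fail|softfail|permerror|temperror)\b", auth, re.I):
            reasons.append(f"{mech} did not pass")
            score += 2

    # 4. Content cues: urgency, money or credential requests, discouraged verification.
    text = _text(msg)
    for label, pattern in (("urgency wording", URGENCY),
                           ("payment or credential request", PAYMENT),
                           ("discourages verification", NO_VERIFY)):
        if pattern.search(text):
            reasons.append(label)
            score += 1

    verdict = "high" if score >= 5 else "medium" if score >= 2 else "low"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample: lookalike sender domain, external Reply-To, failed checks.
WHALING = """\
From: Jane Doe <jane.doe@exarnple-corp.invalid>
Reply-To: Jane Doe <ceo.janedoe@webmail.invalid>
To: Tom Lee <tom.lee@example.com>
Subject: Urgent wire transfer - confidential
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=exarnple-corp.invalid; dmarc=fail header.from=exarnple-corp.invalid
Content-Type: text/plain; charset=utf-8

Tom, I am in a meeting all day, do not call. Please wire $48,000 today
to the vendor on the attached invoice and keep this between us.
"""

# Constructed sample: the same executive writing from her real domain.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: Tom Lee <tom.lee@example.com>
Subject: Q3 board deck draft
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

Tom, the draft deck is in the shared folder. Comments by Friday, please.
"""

if __name__ == "__main__":
    for label, raw in (("whaling", WHALING), ("legit", LEGIT)):
        print(label, score_message(raw))
```

A rule like this belongs at the mail gateway as one input among others: a high score should route the message to review or tag it with a visible banner rather than silently drop it, and a low score should not be taken as proof of legitimacy, since a compromised real account passes every header check and relies entirely on the content cues.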

4. Privacy Restrictions

In addition to general awareness, organizations should increase privacy awareness and restrictions. Social media accounts specifically should have all high-level privacy and security restrictions in place because these accounts can be gold mines filled with sensitive and personal information. Personal and professional social media accounts should both be treated as potential targets for phishing attacks, especially accounts run and managed by high-value targets.

5. Phishing Tools or Resources 

In addition to in-house awareness campaigns, privacy restrictions and multistep authentication, organizations should invest in anti-phishing tools or resources for additional protection. Many external organizations, like the Anti-Phishing Working Group (APWG), offer anti-phishing software, additional security defenses and fundamental resources that can provide insight and help protect companies from whale phishing.

Phishing vs. Spear Phishing vs. Whaling

Phishing, spear phishing and whaling attacks can easily be confused because they’re from the same family of cyberattacks. However, they are different and each type of attack uses specific tactics.

Phishing attacks refer to the broad category of phishing schemes. These can be amateur or sophisticated attacks, and they target a variety of different entities — including individuals, groups and organizations. Phishing attacks try to fool or convince someone to take action, which can be as simple as clicking on a link or as intricate as wiring funds to a bank account.

Spear phishing falls under the umbrella of phishing; however, spear phishing attacks usually target specific individuals rather than groups. These attacks use specific information — like notices of current events, financial records or organizational happenings — to gain trust.

Whaling is a specific type of spear phishing attack. While spear phishing can target any individual, whaling targets high-value individuals who are more likely to have access to data or funds. Similar to spear phishing attacks, whaling attacks use tactical emails that are personalized to convince individuals to act. Whaling attackers will not send mass emails and may even use follow-up calls to appear more legitimate.

Illustration of an envelope surrounded by many avatars, being speared, and next to a whale.

Whaling Attack Examples

Because of their sophisticated tactics and goals, many whaling attacks target larger, more valuable companies. Some of the most significant whaling attacks have occurred against organizations like Scoular, Snapchat and Seagate.

2015 Scoular Whaling Attack 

Using a phony merger and acquisition deal as cover, hackers in 2015 impersonated the CEO of The Scoular Company — as well as members of Scoular Company’s accounting firm — resulting in a loss of more than $17 million. The attack claimed that discussing the email with anyone would violate foreign procedures, and the hackers answered inquiry calls from the target with false information.

2016 Snapchat Whaling Attack 

In early 2016, technology company Snapchat fell prey to a whaling attack. Hackers impersonated the company’s CEO and sent an email to another high-value target asking for payroll information concerning both current and previous employees. The target released this information to the attackers, effectively causing a breach. The Federal Bureau of Investigation (FBI) was required to analyze the attack.

2016 Seagate Whaling Attack 

A target at Seagate fell for a whaling attack in March 2016. Under the assumption that the target was communicating with the company’s CEO, payroll information of all past and current employees was delivered to the hackers. This led to a massive data breach, where 10,000 employee records were leaked. These records included Social Security numbers, salary information and other identifiable data. Seagate faced an employee-led class-action lawsuit following the breach.

While you may not ask “what is whaling?” every day, it’s important to be aware of how dangerous phishing attacks of any kind can be. To keep your information secure, choose unique passwords and use a VPN to safely and securely browse the internet.

Resources: Agari | Office of the Director of National Intelligence | The Guardian | Infosecurity Magazine | IT Governance USA Blog