What Is Whaling?
It’s a great question. The answer, however, relies on the proper context. Before we get into what whaling is, let’s take a step back and see where it fits into the larger world of cyber attacks.
Whaling Is a Form of Phishing
Phishing is a social engineering attack — typically, but not exclusively, conducted via email — that tricks a user into giving access, data, or money to threat actors. During a phishing attack, the threat actor often pretends to be a person or organisation known to, and trusted by, the target and asks for access to a system or for financial information.
The end goal of phishing is financial gain, access to a secure system, personally identifiable information, or information about an organisation that can be sold or used to make additional attacks.
While phishing attacks can take many forms, including smishing, vishing, or spear phishing, there are frequent characteristics to look out for:
- The message has misspellings or obvious grammar issues
- The message asks for sensitive, valuable, or financial information
- The message contains suspicious links
- The message has a sense of urgency
- The message is from someone who has never contacted you before — for example, the CEO of your organisation
Phishing attacks often take a spray-and-pray approach, targeting multiple users. There often isn’t a great deal of care taken in the crafting of the message, which is why it’s common to see misspellings and grammar mistakes.
Whaling Is a Form of Spear Phishing
As noted above, spear phishing is a sub-category of phishing. Essentially, spear phishing is a more targeted and socially engineered version of the spray-and-pray, bait-and-hook phishing email model.
Spear phishing typically involves a greater degree of social engineering. These attacks target specific people with carefully crafted and personalised emails that include valid information about the recipients to better convince them of the sender’s legitimacy. Cybercriminals may root around on social media for information or just use an educated guess.
These attacks take more time, require more effort, and target fewer people with each effort, which is why they’re typically seen as the “quality over quantity” version of standard phishing.
Now, then: What is Whaling?
Essentially, whaling is a spear phishing attack aimed at a high-value target, such as executives, IT department heads, finance department heads, or an organisation’s C-Suite. These attacks see threat actors conducting extensive research before launching their attack. The attack may also involve other social engineering tactics in order to produce a convincing-enough ruse that compels the victim to act. The action they’re aiming for may be the whaling target supplying funds, giving up their online credentials, or taking some other significant action.
Take the case of the co-founder of an Australian hedge fund who clicked on a fake Zoom meeting invitation. The malicious link was the beginning of an attack that eventually resulted in $8.7 million worth of payments for fictitious invoices. The company later went out of business due to the fallout.
Why Do Whaling Attacks Work?
In whaling, the threat actors know they are chasing after a big payday. They put in the time and research to make sure they do their absolute best at increasing the chances of launching a successful attack.
In a whaling attack, threat actors will have worked many angles to understand who their target is and how to best tempt their target into their trap. Often, they utilise a spear phishing attack targeting a particular organisation as an early phase of their attack, then utilise any intel gathered about the organisation or employees at the organisation for their whaling attack.
In addition to equipping themselves with enough accurate information to be believable (names, titles, account numbers and instructions), threat actors will also try to create a believable backstory that can add some stress to the situation. Stress and distraction work in the threat actor’s favour. They know that people are not as careful when they are distracted or stressed. They design and time their attacks to optimise the chance that a whale will click on a malicious link or download a malware-laden file at a time when they’re focused on something else, in a hurry, or simply not paying attention.
How Do Threat Actors Time Their Attacks?
Once a threat actor gains even a little information about an organisation, they can time their attacks quite easily. For example, they could set up a spear phishing attack and pretend to be an interested customer, reach out to the sales team, and ask when the salesperson could be willing to give a discount based on “end of the month,” “beginning of the quarter,” or “year end.”
Once they get an answer, they are then equipped with an understanding of when the finance team, executives, contracts team, and other key players will be the most distracted, busy, and/or stressed. If the threat actor is going after someone on the finance team, they now know when they should time their attack.
Also, to improve their odds of finding their target at a time of stress or distraction, threat actors will use three major strategies that ratchet up the tension or supply greater credibility to their message:
1. They create a sense of urgency
Their messages often contain a request that has a ticking clock: urging you to respond before the offer expires, the business day ends, or your ‘mistake’ is discovered.
2. They use the internet against you
Threat actors scour the internet and social media sites, collecting easily obtainable information on you and your organisation to increase the credibility of their messages. Through public information found on the internet, they can figure out where you’ve worked and for how long, who your manager is, and what your email and phone number is. And they don’t stop there. They can easily find sensitive and personal information floating around on the dark web from previous breaches of other organisations of which you’re a customer and use it to craft a believable trap.
3. They leverage your lack of training
Threat actors know that most companies either don’t provide any security awareness training at all or provide it infrequently and ineffectively, meaning the employees don’t retain what they learn.
How To Protect Your Organisation from Whaling Attacks
There are several things you can do to protect your organisation (and yourself) from whaling attacks:
1. Effective phishing simulations
Teach and train your employees to properly identify phishing, spear phishing, and whaling emails via simulations that are directly paired with specific education about the test email they received so employees can learn what to watch out for.
2. Ongoing security awareness training
Teach and train your employees about the latest scams infiltrating inboxes in your industry — and do it frequently. The Ebbinghaus Forgetting Curve states that people will forget 80% of what they’ve learned in less than a month. So, if the organisation you work for hasn’t done any training in the past month, you can basically consider that all your employees have already forgotten what they were trained on.
Also, if your security awareness training isn’t relevant and is still referencing the Target breach of 2014 as a “current event,” you’re way past due for a content update.
3. Enable “outside your network” labels in your email system
Labeling emails that come from outside your network can help employees be wary of a sender’s email that purports to come from a fellow employee or internal department.
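As an added example (not code from the article or its author) of how the “outside your network” label and the warning signs listed earlier can be checked mechanically, this mail-gateway style scorer flags an external or mismatched sender domain, a first-time sender, urgency language, requests for sensitive or financial action, and look-alike link hosts. The organisation domain `example-corp.com`, the sample message and the keyword lists are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the article): a look-alike CEO domain asks finance for an urgent payment.
SAMPLE_EMAIL = """\
From: "Pat Doe (CEO)" <pat.doe@examp1e-corp.com>
Reply-To: pat.doe.ceo@mail-example.net
To: finance@example-corp.com
Subject: URGENT wire needed before end of day

Please process the attached invoice immediately and confirm via
http://example-corp.com.payments-portal.test/login and send me the
account details today.
"""
ORG_DOMAIN = "example-corp.com"  # assumed organisation domain
URGENCY = re.compile(r"\b(urgent|immediately|today|end of day|expires)\b", re.I)
SENSITIVE = re.compile(r"\b(password|account details|wire|payment|invoice)\b", re.I)
URL = re.compile(r"https?://[^\s>]+", re.I)

def sender_domain(header):
    """Lowercase domain of an address header ('' if the header is absent)."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def score_message(raw, org_domain=ORG_DOMAIN, known_senders=()):
    """Check one inbound message against the article's warning signs. Returns
    (tag, findings): tag is the subject prefix to prepend, findings the reasons."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    from_dom, reply_dom = sender_domain(msg.get("From")), sender_domain(msg.get("Reply-To"))
    findings = []
    if from_dom != org_domain:
        findings.append(f"external sender domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From")
    if parseaddr(msg.get("From", ""))[1].lower() not in known_senders:
        findings.append("first contact from this address")
    text = f"{msg.get('Subject', '')}\n{body}"
    if URGENCY.search(text):
        findings.append("urgency language")
    if SENSITIVE.search(text):
        findings.append("asks for sensitive or financial action")
    for link in URL.findall(text):
        host = link.split("/")[2].lower()
        if host != org_domain and not host.endswith("." + org_domain):
            findings.append(f"look-alike or unknown link host {host}")
    tag = "[EXTERNAL]" if from_dom != org_domain else ""
    if len(findings) >= 3:  # several signs together: escalate the label
        tag = "[EXTERNAL - POSSIBLE PHISH]" if tag else "[POSSIBLE PHISH]"
    return tag, findings
```

A real deployment would feed `known_senders` from the mail server’s sent/received history and prepend `tag` to the subject before delivery.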
4. Effectively communicate “change management” rules
Develop firm instructions on how you will communicate any changes to employees. For example, use language such as “We will never ask you to share your info/update your password in the following way…” That way, if they receive instructions through a phishing email that deviate from your established practice, your employees will be suspicious and less likely to fall for the ruse.
5. Embrace person-to-person confirmations
Many whaling attempts target finance teams in an effort to have them wire money or send payments. Threat actors will impersonate customers, vendors, or fellow employees. While it may be easy to impersonate someone via email, it’s much harder to impersonate them face-to-face. To better protect your organisation, develop policies and follow practices that require person-to-person confirmation for wire transfers or invoice payments above a certain amount.
6. Don’t overshare
Avoid sharing details about things like your company’s org chart, which gives cybercriminals insight into your organisation’s structure and tips them off to who they should impersonate. “Out of Office” replies are another source of oversharing, as these messages often include the contact info for colleagues to contact in the employee’s absence, as well as the dates the employee will be gone. This gives a threat actor an opportunity to pose as that employee on vacation using a “personal email” and appeal to the listed contact to help them immediately rectify an urgent matter.
7. Monitor for account takeovers
If your organisation is like most, you have compromised usernames and passwords floating around on the dark web. For now, you may not notice any suspicious activity on the affected accounts, yet cybercriminals could be lying in wait for the right moment to make their attack. That’s why it’s crucial for organisations to implement account takeover monitoring within their IT security processes.
Quickly discovering and updating an account once it’s been compromised can make the difference between thwarting an attack and having to recover from an incredibly painful and costly one.
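As an added example (not from the article) of the exposed-credential check that account takeover monitoring relies on: this looks up a password in a breach corpus without revealing it, using the k-anonymity range query of the Pwned Passwords API (`https://api.pwnedpasswords.com/range/`), which the article does not mention and is assumed here. It runs offline against a constructed response; the counts in that response are made up.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # assumed k-anonymity endpoint

def sha1_split(password):
    """Split the SHA-1 of a password: only the 5-char prefix is sent to the
    service; the 35-char suffix stays local, so the service cannot learn
    which password (or even which full hash) is being checked."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix):
    """Fetch every suffix the service has seen for this prefix (network call)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

def exposure_count(suffix, range_body):
    """Parse 'SUFFIX:COUNT' lines and return the breach count for our suffix,
    or 0 if the password is absent. Tolerates CRLF and blank lines."""
    for line in range_body.splitlines():
        seen_suffix, sep, count = line.strip().partition(":")
        if sep and seen_suffix.upper() == suffix:
            return int(count)
    return 0

def check_password(password, fetch=fetch_range):
    """Return how many times the password appears in known breach corpora."""
    prefix, suffix = sha1_split(password)
    return exposure_count(suffix, fetch(prefix))

# Constructed stand-in for the service's response to prefix 5BAA6 (the real
# service returns hundreds of lines); the counts are invented.
CONSTRUCTED_RANGE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"
    "2B5C1C7D0E8F6A9B3D4E5F6A7B8C9D0E1F2:3\r\n"
)

def offline_demo():
    """Check the word 'password' against the constructed response, not the network."""
    return check_password("password", fetch=lambda prefix: CONSTRUCTED_RANGE_BODY)

if __name__ == "__main__":
    print("times seen in breaches:", offline_demo())
```

Any non-zero result means the credential should be forced to rotate; a periodic run over new password changes is the monitoring loop the section describes.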
Whaling is a practice that is often effective for threat actors, and it’s one with dangerous consequences for organisations. It’s crucial to understand how these types of scams unfold; to be cautious, suspicious, and learn how to spot and take action at every layer of these types of attacks in order to protect yourself, protect your ‘whales’ and, as a result, protect your organisation.