How Whaling Attacks Work
A whaling attack usually begins with a message over a channel that the impersonated person and the target both use routinely, such as email or a workplace chat service. At that point the target may have no reason to question the sender's identity: the display name matches an associate's, and the address is either spoofed or a lookalike close enough to pass a casual glance.
The attacker may first try to compromise the email account of the associate they intend to impersonate. Mail sent from a genuinely compromised account carries no forged headers, so it passes sender checks that would catch a spoof. From there the attacker sends an email designed to build trust, typically including a detail about the whale's life that the impersonated associate would plausibly know. That kind of detail is easily gleaned from social media.
For example, the attacker may notice that the victim recently got a new puppy and posted about it on social media. They could then scroll down to the previous year’s Christmas party and see that there was a huge cake. They could use the combination of both pieces of information to compose a seemingly innocent and appropriately knowledgeable email: “Hey, that cute little puppy’s been getting big, huh? Had he been there last Christmas, I bet he could have devoured that whole cake!!! Lol!!!” Because of the detailed nature of the email, the whale may not suspect the attacker is falsifying their identity.
Once trust has been gained, the attacker could try to get secret information from the whale. For instance, they could say, “Ay, I'm on the road, and I don't have my login for the VPN. Could you shoot it to me real quick?” They could also try to gain access to proprietary information by making a request like, “Listen, I put those blueprints on my laptop, but I am using my phone right now. You mind sending those over real quick? I gotta meet this deadline.” Because the whale believes the messages are legitimate, they may send over the information.
What Is Whaling Phishing?
Whaling is a targeted phishing attack aimed at high-profile executives and disguised as a legitimate email. The attacker prods the target for information that gives access to sensitive parts of the network, passwords, or other user data.
A whaling attack can happen quickly, but it is often executed over the course of weeks or months. When a senior user interacts with the attacker, the attacker’s goal is to establish the target’s genuine trust. Taking the attack to the next stage too quickly may result in the target getting suspicious. However, if the attacker slowly proves that they are who they claim to be, the target may have no problem handing over sensitive information.
Whaling vs. Phishing vs. Spear Phishing
Even though whaling, phishing, and spear phishing are all forms of phishing, they have distinct differences.
Phishing involves tricking someone into revealing sensitive information through an electronic communication. For example, the target may get an email from what appears to be a trusted source. The email may claim the target has to take quick action to rectify a problem. To do this, they must click a link in the email. This link brings them to a fake site that appears to be legitimate. It may have logos or fonts used by the real site it is trying to impersonate. The victim, while on the site, is prompted to enter their login credentials. What they enter goes straight to the attacker, who can then go to the real site and use the victim’s credentials to access their account.
This can be done with a bank or other financial account. The attacker may then transfer money to their own account or that of an accomplice.
Spear phishing is much like phishing but focuses on a particular victim. A bulk phishing campaign sends the same communication, or slight variants of it, to everyone on a list of email addresses. A spear phishing attacker instead weaves in details about the target's identity and activity to make the communication seem legitimate.
For example, if the attacker were to see the person use an ATM at a certain location, they could include that activity in the email. They could say something like, “We noticed your card information may have been copied by a card-skimming device when you used the Chestnut Hill ATM on Grove St. yesterday at 12:07 p.m. Please click here to log in to your account and change your password.”
When the victim "logs in" on the fake site, they enter their existing credentials, which go straight to the attacker. The password change they then perform does nothing. The attacker, holding the real credentials, can even change the victim's actual password and lock them out.
Whaling resembles spear phishing in that it is a targeted attack, but two things set it apart: the target is a senior figure in the organization, and the attacker impersonates an associate the victim knows, such as a colleague or the CEO, to gain the victim's trust. Phishing and spear phishing more commonly impersonate an institution, such as a bank, rather than a specific person the victim works with.
Whaling Attack Examples and Statistics
In 2016, the technology company Seagate was tricked into releasing W-2 forms for about 10,000 current and former employees. The whaling email requested copies of employees' W-2 forms for the previous tax year, documents that contain Social Security numbers, names, home addresses, and income. When HR complied, the information went straight into the cyber criminals' hands.
Austrian aerospace parts manufacturer FACC was targeted in 2016 as well. Its finance department wired roughly $47 million to cyber criminals, and both the CEO and the CFO were subsequently fired.
The social media company Snapchat handed over payroll information of a selection of its employees back in 2016. Someone on the payroll team got an email from an attacker who pretended to be the CEO of Snapchat, Evan Spiegel. “Evan” requested payroll information, and the victim fell for the trick.
How to Block Whaling Attacks or Whaling Phishing
You need a multi-layered strategy to thwart a whaling attack:
- Some whaling attack emails may be stopped at the email gateway using robust anti-spam and anti-malware applications.
- If an email claims to come from a given domain, the SPF, DKIM, and DMARC records that domain publishes in DNS let the receiving server check whether the sending server was authorized and whether the message was altered in transit, and tell it what to do when those checks fail. This stops straightforward spoofing of your own domain. It does nothing against mail sent from a compromised legitimate account, or from a lookalike domain the attacker registered and authenticated themselves, which is why it is only one layer.
- Email scanning and filtering software can be used to scan emails in real time to identify suspicious links or attachments, as well as block users from viewing them.
- Anti-impersonation software looks for the tells common in whaling emails, such as a display name that matches an executive's but an address that does not, a first-time sender, or an urgent request for money or data, and can flag or hold such messages for review.
- Conduct security awareness training so users recognize whaling attempts, and enforce fixed procedures, such as confirming any wire transfer or request for sensitive data through a second channel, for example a phone call to a number already on file, before acting on it.
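To make the DMARC point above concrete, here is an added example (not Fortinet's code or part of the original page) that implements the alignment logic of RFC 7489 and runs it over constructed scenarios. The DNS records, the SPF/DKIM outcomes and the domains (example.com, the lookalike exarnple.com) are all made up for illustration; a real receiver would obtain the SPF and DKIM results from its own evaluation and the policy from a live DNS query.

```python
"""DMARC evaluation, after RFC 7489, reduced to its alignment logic.

Constructed example: DNS lookups read from an inline dict and the SPF/DKIM
outcomes are supplied as inputs so the script runs offline. The
organizational domain is approximated as the last two labels (no Public
Suffix List), and the pct= and sp= tags are ignored.
"""
from dataclasses import dataclass

# Constructed DNS TXT records keyed by _dmarc.<domain>. The lookalike
# exarnple.com ("rn" standing in for "m") deliberately has no record.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "_dmarc.example.org": "v=DMARC1; p=quarantine",  # adkim/aspf default to relaxed
}


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header the user sees
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated for
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the verified DKIM signature, if any


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(txt: str) -> dict:
    """Split 'k=v; k=v' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def lookup_policy(from_domain: str):
    """RFC 7489 6.6.3: query the From domain, then its organizational domain."""
    for d in (from_domain.lower(), org_domain(from_domain)):
        rec = DNS_TXT.get(f"_dmarc.{d}")
        if rec and rec.startswith("v=DMARC1"):
            return parse_dmarc(rec)
    return None


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(res: AuthResults) -> tuple:
    """Return (disposition, reason): 'pass', or the policy's p= value, or
    'none' when the From domain publishes no DMARC record at all."""
    policy = lookup_policy(res.from_domain)
    if policy is None:
        return "none", "no DMARC record; receiver has nothing to enforce"
    spf_ok = res.spf_result == "pass" and aligned(
        res.from_domain, res.spf_domain, policy.get("aspf", "r"))
    dkim_ok = res.dkim_result == "pass" and aligned(
        res.from_domain, res.dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"
    return policy.get("p", "none"), "no aligned authentication; applying p="


# Constructed scenarios matching the cases discussed on the page.
SPOOFED = AuthResults("example.com", "pass", "bulk-sender.net", "none", "")
LOOKALIKE = AuthResults("exarnple.com", "pass", "exarnple.com", "pass", "exarnple.com")
COMPROMISED = AuthResults("example.com", "pass", "example.com", "pass", "example.com")
STRICT_SUBDOMAIN = AuthResults("example.com", "fail", "example.com", "pass", "mail.example.com")
RELAXED_SUBDOMAIN = AuthResults("example.org", "none", "", "pass", "mail.example.org")

if __name__ == "__main__":
    for label, case in [("spoofed From", SPOOFED), ("lookalike domain", LOOKALIKE),
                        ("compromised account", COMPROMISED),
                        ("strict adkim, subdomain d=", STRICT_SUBDOMAIN),
                        ("relaxed adkim, subdomain d=", RELAXED_SUBDOMAIN)]:
        print(f"{label:28} -> {evaluate(case)}")
```

The output shows the boundary of the control: the spoofed From domain is rejected, but the lookalike domain gets "none" because the attacker's own domain has no policy, and the compromised account passes outright. Those last two are exactly the whaling cases the remaining layers have to cover.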
Key Objectives of Whaling Attacks or Whaling Phishing
A cyber criminal unleashes a whale phishing attack for any of the following reasons:
- Money: Attackers use whaling to deceive victims into wire-transferring money to accounts they control.
- Control: A hacker who has obtained credentials to a company's network may move laterally to other parts of the network—or manipulate someone into giving them administrator access.
- Attacks on supply chains: A compromised account or trusted relationship at one company becomes the attacker's entry point into its suppliers, partners, or customers.
- Corporate espionage: If a hacking attempt is successful, a hacker may steal trade secrets or other intellectual property to help rival companies, including those in other countries.
- Malware distribution: Keyloggers, ransomware, and rootkits are just a few examples of the types of malware that a cyber criminal might trick whaling attack victims into installing.
- Personal vendetta: The reputation of a whaling attack victim could be severely damaged, motivating someone with a vendetta to orchestrate an attack.
Protect Yourself from Whaling Attacks
The first step in protecting you and your organization from whaling attacks is to educate all potential targets, as well as those that may be used to try to gain access to them. Because this could include a large proportion of your company, it may be best to include a "how to avoid whaling attacks" discussion during a training on other types of phishing threats.
Avoiding whaling attacks begins with a shift in mindset. When you read an email from someone, you should ask yourself if you were expecting to receive a communication from that specific person. Also think about whether there is anything strange about the email, including not just what is being said but how it is being expressed, the use of punctuation, emojis, or anything else that seems out of the ordinary.
In some cases the signs are obvious. If the address is plausible but not the one the person normally uses, that is a telltale sign: if John Smith usually writes from JSmith@yourorganization.com but a message arrives from JohnSmith@yourorganization.com, be wary. Unless there is a reason John would have a second mailbox, the address may be spoofed or attacker-created. Likewise, a message whose display name is a colleague's but whose address is outside the organization, or on a domain that looks like yours but is not, is a warning sign.
In addition, executives need to be careful about what they post on social media. Details about their lives can be used to execute whaling attacks. If a high-level member of the organization gets an email that mentions things they posted on social media, it may be an attempt to gain their trust in preparation for an inquiry for information.
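The sender checks described above (a colleague's display name on a different address, a lookalike domain, a request for sensitive data) can be scripted. The following is an added example, not code from the original page or from Fortinet, that runs those heuristics over constructed messages. The organization domain example.com, the directory entry for John Smith, the keyword list and the sample messages are all assumptions made up for illustration.

```python
"""Heuristic whaling/impersonation checks over raw RFC 5322 messages.

Constructed example: the org domain, the staff directory, the keyword list
and the sample messages below are invented for illustration.
"""
import email
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"
# Constructed directory of senior staff: lowercased display name -> canonical address.
DIRECTORY = {"john smith": "jsmith@example.com"}
# Constructed list of words that mark a request for money or sensitive data.
SENSITIVE = re.compile(
    r"\b(wire|transfer|w-?2|payroll|password|login|vpn|credentials|gift cards?)\b", re.I)
# Common character substitutions used in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Undo the usual lookalike tricks so exarnple.com compares equal to example.com."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain: str) -> bool:
    d = domain.lower()
    return d == ORG_DOMAIN or d.endswith("." + ORG_DOMAIN)


def is_lookalike(domain: str) -> bool:
    """True for domains that imitate ORG_DOMAIN without being it or a subdomain of it."""
    d = domain.lower()
    if is_internal(d):
        return False
    if normalize(d) == ORG_DOMAIN or levenshtein(d, ORG_DOMAIN) <= 1:
        return True
    # example.com.attacker.net: the org domain embedded as a leading label.
    return d.startswith(ORG_DOMAIN + ".")


def assess(raw: str) -> list:
    """Return a list of human-readable flags; an empty list means nothing stood out."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    flags = []

    canonical = DIRECTORY.get(name.strip().lower())
    if canonical and addr.lower() != canonical:
        if is_internal(domain):
            flags.append(f"display name matches {canonical} but address is {addr}")
        else:
            flags.append(f"executive display name on external address {addr}")

    if is_lookalike(domain):
        flags.append(f"lookalike domain {domain}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain.lower():
        flags.append(f"Reply-To {reply_to} does not match From domain")

    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = sorted({m.group(0).lower() for m in SENSITIVE.finditer(body)})
    if hits:
        flags.append("sensitive request: " + ", ".join(hits))
    return flags


# Constructed sample messages.
LEGIT = "From: John Smith <jsmith@example.com>\nSubject: lunch\n\nLunch at noon?\n"
VARIANT = ("From: John Smith <johnsmith@example.com>\nSubject: quick favour\n\n"
           "Hey, I'm on the road and don't have my VPN login. Could you shoot it over?\n")
LOOKALIKE = ("From: John Smith <jsmith@exarnple.com>\nReply-To: js.mobile@mail-relay.net\n"
             "Subject: W-2s\n\nPlease send the W-2 forms for all staff before payroll closes.\n")

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("variant", VARIANT), ("lookalike", LOOKALIKE)]:
        print(label, assess(raw) or ["no flags"])
```

A single flag is a prompt for the human check the page recommends, not a verdict: the compromised-account case produces no flags at all except possibly the sensitive-request one, which is why the out-of-band confirmation rule matters more than any filter.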
How Fortinet Can Help
Fortinet has developed FortiPhish, a service designed to increase awareness of whaling attacks and other kinds of phishing. It is available through the cloud and the Fortinet NSE Training Institute. The service involves continuous testing and simulations. The phishing techniques are based on information gleaned from FortiGuard Labs' knowledge of the most up-to-date phishing tactics being used by threat actors.
What is whaling in cybersecurity?
A whaling attack is a type of phishing attack where a particularly important person in the organization is targeted. It hinges on the cyber criminal pretending to be a senior member of the organization to gain the trust of the intended target.
What is whaling vs. phishing?
Phishing involves trying to trick someone into revealing sensitive information through an electronic communication. Whaling is different because the attacker impersonates an associate of the victim to gain the victim’s trust.
How do you recognize a whaling attack?
Signs of a whaling attack include unexpected communications from people in your organization, particularly if they come from a different email address or one from outside your organization. Also, any requests for sensitive information over email should be viewed with suspicion.