What Is a Whaling Attack?
A whaling attack is a type of phishing attack where a particularly important person in the organization is targeted. It hinges on the cyber criminal pretending to be a senior member of the organization to gain the trust of the intended target. Once trust is gained, the attacker can prod the target for information that helps them access sensitive areas of the network, passwords, or other user account information.
A whaling attack can happen quickly, but it is often executed over the course of weeks or months. When a senior user interacts with the attacker, the attacker’s goal is to establish the target’s genuine trust. Taking the attack to the next stage too quickly may result in the target getting suspicious. However, if the attacker slowly proves that they are who they claim to be, the target may have no problem handing over sensitive information.
How Whaling Attacks Work
A whaling attack may begin with a communication over a channel that both the impersonated person and the target commonly use, such as email or an internet-based office messaging tool. When the attack begins, the target may have no reason to question the attacker's identity, because the attacker may use the same username as the target's associate. In some cases, the email address is faked but looks real enough to be believable.
The attacker may first seek to infiltrate the email account of the person they are using to get to the whale. Once inside, they can initiate an email that helps build trust. This may need to include a detail about the whale’s life that the associate being impersonated would know. This kind of information can be easily gleaned off social media.
For example, the attacker may notice that the victim recently got a new puppy and posted about it on social media. They could then scroll down to the previous year’s Christmas party and see that there was a huge cake. They could use the combination of both pieces of information to compose a seemingly innocent and appropriately knowledgeable email: “Hey, that cute little puppy’s been getting big, huh? Had he been there last Christmas, I bet he could have devoured that whole cake!!! Lol!!!” Because of the detailed nature of the email, the whale may not suspect the attacker is falsifying their identity.
Once trust has been gained, the attacker could try to get secret information from the whale. For instance, they could say, “Ay, I'm on the road, and I don't have my login for the VPN. Could you shoot it to me real quick?” They could also try to gain access to proprietary information by making a request like, “Listen, I put those blueprints on my laptop, but I am using my phone right now. You mind sending those over real quick? I gotta meet this deadline.” Because the whale believes the messages are legitimate, they may send over the information.
Whaling vs. Phishing vs. Spear Phishing
Phishing involves tricking someone into revealing sensitive information through an electronic communication. For example, the target may get an email from what appears to be a trusted source. The email may claim the target has to take quick action to rectify a problem. To do this, they must click a link in the email. This link brings them to a fake site that appears to be legitimate. It may have logos or fonts used by the real site it is trying to impersonate. The victim, while on the site, is prompted to enter their login credentials. What they enter goes straight to the attacker, who can then go to the real site and use the victim’s credentials to access their account.
This can be done with a bank or other financial account. The attacker may then transfer money to their own account or that of an accomplice.
Spear phishing is much like phishing, but it focuses on a particular victim. A generic phishing attack may use a list of email addresses, sending the same communication—or similar ones—to everyone on the list. A spear phisher, by contrast, also uses details that pertain to the identity of the target to make the communication seem more legitimate.
For example, if the attacker were to see the person use an ATM at a certain location, they could include that activity in the email. They could say something like, “We noticed your card information may have been copied by a card-skimming device when you used the Chestnut Hill ATM on Grove St. yesterday at 12:07 p.m. Please click here to log in to your account and change your password.”
When the victim logs in, they enter their existing login credentials, which are collected by the attacker. When they then "change" their password, nothing actually happens on the real account. The attacker could even change the victim's password for real, using the correct credentials they have just captured.
Whaling is like spear phishing in that it involves a targeted attack. However, it is different because the attacker impersonates an associate of the victim to gain the victim’s trust. The act of impersonating someone the victim knows differentiates it from spear phishing and phishing.
Whaling Attack Examples and Statistics
The technology company Seagate, in 2016, was tricked into releasing the W-2 forms of 10,000 employees. The whaling attack involved an email that requested copies of the employees' 2016 W-2 forms, along with other sensitive information such as their Social Security numbers, names, home addresses, and income. When HR complied, the information went straight into cyber criminals' hands.
Austrian aerospace parts manufacturer FACC was targeted in 2016 as well. The finance department sent $47 million to cyber criminals. This resulted in the CEO and CFO both getting fired.
The social media company Snapchat handed over payroll information of a selection of its employees back in 2016. Someone on the payroll team got an email from an attacker who pretended to be the CEO of Snapchat, Evan Spiegel. “Evan” requested payroll information, and the victim fell for the trick.
Protect Yourself from Whaling Attacks
The first step in protecting yourself and your organization from whaling attacks is to educate all potential targets, as well as those who may be used to gain access to them. Because this could include a large proportion of your company, it may be best to include a "how to avoid whaling attacks" discussion in training on other types of phishing threats.
Avoiding whaling attacks begins with a shift in mindset. When you read an email from someone, you should ask yourself if you were expecting to receive a communication from that specific person. Also think about whether there is anything strange about the email, including not just what is being said but how it is being expressed, the use of punctuation, emojis, or anything else that seems out of the ordinary.
In some cases, it is very obvious that you are being targeted. If the email address is plausible but not the one the person typically uses, that is a telltale sign. For example, if the person usually uses the account JSmith@yourorganization.com but you get an email from JohnSmith@yourorganization.com, you should beware: if there is no reason why John would need another email address, this one could be fake. Further, if the email carries a name that makes sense but comes from outside the organization, that could also be a sign of danger.
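The two address checks above (a plausible but atypical address for a known colleague, and a known name arriving from an external domain), together with the later advice to treat any emailed request for sensitive data with suspicion, can be turned into a simple mail-filter rule. The code below is an added example, not part of the original page or any Fortinet product; the sender directory, domain and addresses are constructed for illustration, modelled on the JSmith example.

```python
import re
from email.utils import parseaddr

# Constructed sender directory (assumption, modelled on the page's JSmith example):
# canonical name -> the addresses that person is known to send from.
INTERNAL_DOMAIN = "yourorganization.com"
KNOWN_SENDERS = {
    "john smith": {"jsmith@yourorganization.com"},
    "jane doe": {"jdoe@yourorganization.com"},
}
# Words that commonly appear in requests for credentials or confidential data.
SENSITIVE_TERMS = ("vpn", "password", "login", "w-2", "payroll", "wire transfer")


def _name_variants(full_name):
    """Local-part spellings a name is likely to appear as: johnsmith, jsmith, john.smith."""
    parts = full_name.split()
    first, last = parts[0], parts[-1]
    return {first + last, first[0] + last, first + "." + last}


def _match_directory(display_name, local_part):
    """Find the directory entry a message claims to come from, by display name or local-part."""
    name = re.sub(r"\s+", " ", display_name.strip().lower())
    if name in KNOWN_SENDERS:
        return name
    for known in KNOWN_SENDERS:
        if local_part.replace(".", "") in {v.replace(".", "") for v in _name_variants(known)}:
            return known
    return None


def check_message(from_header, body=""):
    """Return warnings for a message whose From: header looks like a known colleague."""
    display_name, address = parseaddr(from_header)
    address = address.lower()
    if "@" not in address:
        return ["sender address could not be parsed"]
    local_part, domain = address.rsplit("@", 1)
    warnings = []
    claimed = _match_directory(display_name, local_part)
    if claimed is not None and address not in KNOWN_SENDERS[claimed]:
        if domain != INTERNAL_DOMAIN:
            warnings.append(f"'{claimed}' is internal but this mail comes from external domain {domain}")
        else:
            warnings.append(f"address {address} is not one '{claimed}' normally uses")
    hits = [t for t in SENSITIVE_TERMS if t in body.lower()]
    if hits:
        warnings.append("asks for sensitive data: " + ", ".join(hits))
    return warnings
```

A real deployment would back the directory with the organization's identity provider and log the warnings for the SOC rather than only returning them.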
In addition, executives need to be careful about what they post on social media. Details about their lives can be used to execute whaling attacks. If a high-level member of the organization gets an email that mentions things they posted on social media, it may be an attempt to gain their trust in preparation for a request for information.
How Fortinet Can Help
Fortinet has developed FortiPhish, a service designed to increase awareness of whaling attacks and other kinds of phishing. It is available through the cloud and the Fortinet NSE Training Institute. The service involves continuous testing and simulations. The phishing techniques are based on information gleaned from FortiGuard Labs' knowledge of the most up-to-date phishing tactics being used by threat actors.
What is whaling in cybersecurity?
A whaling attack is a type of phishing attack where a particularly important person in the organization is targeted. It hinges on the cyber criminal pretending to be a senior member of the organization to gain the trust of the intended target.
What is whaling vs. phishing?
Phishing involves trying to trick someone into revealing sensitive information through an electronic communication. Whaling is different because the attacker impersonates an associate of the victim to gain the victim’s trust.
How do you recognize a whaling attack?
Signs of a whaling attack include unexpected communications from people in your organization, particularly if they come from a different email address or one from outside your organization. Also, any requests for sensitive information over email should be viewed with suspicion.