Although whale phishing is nothing new and has existed since the early 1990s, the FBI reports an increase in cyberattacks in recent years, specifically phishing attacks. With many companies going remote following the COVID-19 pandemic, the number of phishing attacks executed has risen.
Google reported blocking more than 250 million COVID-19-related phishing email accounts, with nearly 18 million COVID-19-related emails sent to victims across the world in April 2020. During the pandemic, cybercriminals increased their attack activity, including exploits such as phishing.
With phishing attacks rising across the world, individuals and companies must be more diligent than ever to protect against specific types of attacks such as whaling. With that in mind, let's take a closer look at whaling phishing attacks and the best practices for protecting against them.
What is a whale phishing attack?
A whale phishing attack is simply an advanced phishing attack. Whaling in cybersecurity is a subset of phishing that uses a specific targeting method: cybercriminals impersonate a particular member of a company or organization.
Attackers then target the respective companies to steal classified information or convince the victim to wire money or send gift cards to the impersonator. Because attackers do not need any special technical knowledge to carry out whaling attacks, these attacks are more common than other exploits. Oftentimes they are very hard to detect with automated tools, but some warning signs can be found with a close eye.
Definition of Whale Phishing
According to Micro Trends, the definition of a whale phishing attack is a phishing attack “specifically aimed at wealthy, powerful, or prominent individuals. Because of their status, if such a user becomes the victim of a phishing attack he can be considered a ‘big phish,’ or, alternately, a ‘whale.’ Whale phishing involves the same tactics used in spear-phishing campaigns.”
Usually, a whaling attack targets senior members of a company such as the CEO or other C-suite executives. Through this approach, attackers aim to exploit the authority that comes with the individual's position in the organization and gain money or access to classified information.
Whaling emails and malware-infected websites are two of the most notorious methods used to perform these attacks. Oftentimes the attacker's aim is not to establish communication with the victim; instead, the attacker sends links to malware-infested websites directly to potential customers or employees, leveraging the impersonated individual's power in the corporate structure to gain access.
Whaling Versus Phishing?
Whaling, a subset of phishing, operates similarly but takes a more strategic approach to executing the attack. Unlike phishing, which is a general term for every attempt to con victims into sharing sensitive information without a specific target, whaling uses a specific target, most likely a top executive in the organization.
Examples of Whale Phishing Attacks
An employee of a firm with plans to expand to China mistakenly thought a whaling email came from his boss and wired $17.2m to an attacker. This attack captured the FBI's attention, and the bureau worked closely with the firm to recover after the exploit took advantage of an inattentive employee.
In 2006, cybercriminals posing as the CEO were able to convince an employee of Snapchat through a whaling email. While the company publicly accepted the fallout from this exploit, it also warned others about how best to protect against phishing and, specifically, whaling attacks.
How to Protect Against Whaling
When it comes to whaling attacks, cybersecurity awareness and good practice from all employees become critical. Automated solutions will help to filter out some phishing attempts, but they are not sufficient on their own. Regular, informative cybersecurity education programs are the better way to combat phishing attacks.
Educate Employees on Whaling
Top executives and directors are almost always the target of a whaling attack, but the attack only succeeds if the email recipient is convinced. Employees of the company must be properly trained to avoid phishing and whaling attacks, since they are often the party receiving the whaling emails. With this in mind, educating employees about the different phishing methods used by cybercriminals helps them identify a malicious email when they receive one.
This tip also applies to educating your family about the dangers of phishing attacks and how to avoid them. For children, this children's ABC AppSec Guide can help simplify the conversation!
Keep Sensitive Information Private on Social Media
Social engineering is a very important factor in carrying out phishing attacks, as cybercriminals need to build a convincing profile of the person they impersonate. Most of the information cybercriminals use for these attacks can be found on the victim's social media accounts. Therefore, top executives and directors, who are high-risk targets for phishing attacks, should be careful about the information they share. Furthermore, whenever possible, they should restrict who can view information on their social media pages without being a direct connection.
Double Check Sending Address
Most whaling emails convey a sense of urgency, in an attempt to force the victim to act without taking time to verify. Understanding this characteristic of a phishing email empowers employees to avoid falling into the trap.
With this in mind, both employees and top executives within an organization should take part in regular training on how to properly verify a suspected phishing email. This can be as simple as calling the impersonated individual before acting on the email.
Adopting security systems that flag any form of whaling or phishing attempt is another proven way to help avoid these attacks. While these tools are not perfect, automated email scanning helps companies stay proactive in their efforts to avoid phishing attempts. To this end, employers should give employees explicit instructions on how to double-check URLs and email addresses before opening them from a company computer and risking the sharing of private information with attackers.
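The sender checks described above can be automated as a first-pass triage before a human verifies by phone. The following is an added example, not code from the original article: it parses a raw email, compares the display name against a constructed list of executives and their known addresses, flags lookalike sender domains and mismatched Reply-To headers, and notes urgency or payment language. The company domain, executive list and sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values: the organization's real domain and the executives attackers may impersonate.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "wire", "gift card", "confidential")


def _domain(addr):
    """Return the lowercase domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _lookalike(domain):
    """Crude lookalike test: digits swapped for letters and punctuation stripped, it spells the real domain."""
    def norm(d):
        return re.sub(r"[^a-z]", "", d.replace("1", "l").replace("0", "o"))
    return domain != COMPANY_DOMAIN and norm(domain) == norm(COMPANY_DOMAIN)


def whaling_flags(raw_message):
    """Return a list of human-readable warning signs found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    flags = []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        flags.append("executive display name but From address is not the known address")
    sender_domain = _domain(addr)
    if _lookalike(sender_domain):
        flags.append("lookalike sender domain: " + sender_domain)
    if reply_to and _domain(reply_to) != sender_domain:
        flags.append("Reply-To domain differs from From domain")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        flags.append("urgency/payment language: " + ", ".join(hits))
    return flags


# Constructed sample: a spoofed executive with a digit-for-letter domain and an external Reply-To.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.desk@mail-relay.invalid
Subject: URGENT wire needed today
Content-Type: text/plain

Please wire the deposit immediately and keep this confidential.
"""
```

Any non-empty result should route the message to the reporting channel rather than be acted on; an empty list only means none of these signs were present, not that the email is safe.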
Techniques to Improve Cybersecurity Awareness
Penetration Testing Program
Pentesting, also known as penetration testing, involves carrying out simulated attacks on networks to pinpoint weaknesses in the security system before a real cyber attack does. These proactive tests can simulate whaling attacks on a company's systems using common whaling techniques, revealing weaknesses in both the systems and the employees.
Organize Cybersecurity Training
Organize training that exposes employees to the inner workings of a phishing attack so they can be proactive. These sessions also empower employees to identify such an attack should they ever be the target of one. When using this method, keep the employee experience in mind, unlike GoDaddy did with its holiday phishing email test in 2020; done well, a simulated phishing exercise is a perfect way to test your company's current security posture against phishing attacks.
Finally, set up specific guidelines for how employees can protect their private data from social engineering attacks. Companies should proactively give their teams guidelines and documented processes for proper verification before even clicking a suspicious email link.
Within these guidelines, encourage your team to raise questions in a company-wide communication channel whenever they doubt the legitimacy of an email. This helps employees see and avoid other phishing attempts, and it lets your security team review reported phishing emails faster and catch anything urgent.
In closing, remember that whaling attacks are hard to detect until they have been successfully carried out, and they are costly to both a company's finances and its reputation. Companies operating remotely should take extra care to ensure their systems are protected against phishing attacks. By employing these cyber awareness practices, your company will be able to curtail these attacks.
Furthermore, if you want to take your company's cybersecurity to the next level, click here to learn more about the benefits of a regular pentesting program.