A whaling attack is a type of phishing attack that targets senior executives. The act of whaling is usually perpetrated via email and involves deceiving victims into initiating actions that put the organization and its assets at risk.
Let's explore how a whaling attack works, why executives are targeted, examples of successful whaling attacks, and steps you can take to prevent them.
How a whaling attack works
Whaling attacks use information from a variety of sources—including the public domain (social media and corporate websites) and the dark web—to deliver highly personalized phishing emails to executives.
If attacks are successful, cybercriminals can plant malware and move laterally across the organization. They can also hijack an executive’s email, masquerade as them, and instruct unsuspecting employees to grant access to the company’s sensitive data or transfer funds.
Whaling attacks are relatively simple in their design. Like spear phishing, whaling emails incorporate hyperlinks or a malware attachment. However, whaling is more targeted than spear phishing, often involves impersonation, and the returns can be much greater (hence the term “whaling”).
Whaling emails can also form part of an integrated campaign. For instance, to sway an executive into believing the communication is genuine, a threat actor might follow up an initial email with a phone call to force action, such as clicking on a link.
Why attackers target executives
According to the 2023 Verizon DBIR, Social Engineering incidents, like phishing and whaling, have increased from the previous year largely due to the use of pretexting, which is commonly used in Business Email Compromise (BEC)—almost doubling since last year. Compounding the frequency of these attacks, the median amount stolen from these attacks has also increased over the last couple of years to $50,000.
Why go after executives? Consider the following:
- Digital access: Your organization’s C-suite and board of directors hold the keys to the kingdom. They have almost unfettered digital privileges that give them permission to view, edit, delete, and move a wealth of data, including sensitive information that attackers can exploit.
- Authority: Executives also have the digital authority to authorize actions, such as adding new vendors and wiring money.
- Mixing business and personal: Executives often, if unwittingly, bypass corporate security controls to save time, such as using insecure personal email to access files, systems, and applications.
- Persistent connectivity: To conduct business, executives frequently use vulnerable home networks and public Wi-Fi, putting them at risk of man-in-the-middle phishing attacks.
With so much going on and so much at stake, it’s not surprising that security teams lack confidence in their executives’ abilities to defend against cyberattacks on their devices, systems, and home network—despite cyber threats ranking as a top concern for boards.
Examples of whaling attacks
Whaling attacks often go unreported due to the fear of damage to a business’ reputation—no one wants to disclose that an executive fell for a scam. But government regulations require certain companies and government agencies to report cybersecurity incidents, including whaling.
A notable example of a publicly-disclosed whaling attack was storage device manufacturer, Seagate. In 2016, a spokesperson confirmed that a Seagate employee received what appeared to be a legitimate email from the company’s CEO requesting W-2 data for all current and former employees. Believing the request to be genuine, the staffer released the personal data of thousands of employees to cybercriminals.
In a separate campaign, employees from Inc. and Fast Company publisher Mansueto Ventures and social messaging platform Snapchat were victimized by the same whaling attack. During the scam, attackers exposed employee wage information and social security numbers that were used to file fraudulent tax returns.
How to prevent whaling attacks
Preventing whaling attacks involves a multi-pronged approach. Follow these tips to protect your executives and your organization.
1. Ensure executives receive cyber training
Conduct regular one-on-one briefings to educate senior executives on the risks and threats they face, such as spoofing, phishing or executive fraud, whaling, and man-in-the-middle attacks—and the actions and environments that put them at risk, such as public Wi-Fi, social networks, and home networks. Ensure they have a direct line to a security resource 24/7 so any suspicious activity can be assessed and mitigated.
2. Implement multi-factor authentication
Add layers of security by requiring two-factor authentication for devices, applications, systems, and networks. This will ensure that systems will remain secure in the event an employee’s password or credentials are leaked.
3. Manage privileges
Audit security controls to ensure that only those who need access to a system, application, or database have access to it. Managing privileged access supports zero trust security and can ensure strict governance over sharing of privileged accounts, prevent impersonation attacks, and protect sensitive data.
4. Install anti-phishing software
Anti-phishing software has grown in sophistication. For example, AI-based tools directly integrate into email environments and intelligently watch current and past email activity to detect anomalous or atypical communication patterns, then block those patterns before they reach their intended target.
5. Practice vendor due diligence
Any time an employee seeks to procure a service from a third-party vendor—whether the party appears legitimate or not—that entity must be vetted by your security, legal, and risk management departments and a determination made as to whether a formal contract is required. This is particularly vital whenever access to data or corporate assets is requested.
Security teams should also assess the security posture of each vendor during onboarding and for the life of the relationship. By implementing vendor due diligence and risk management, you can prevent the breach of sensitive information you share with vendors and the downstream propagation of malware via vulnerable vendor networks.
6. Continuously scan every endpoint
As your digital ecosystem expands to the cloud, remote users, and geographies, discovering and protecting network entry points has become extremely challenging. Give IT teams the resources they need to better understand your organization’s external attack surface and discover any vulnerabilities that attackers can exploit for whaling and other cyberattacks.
These include misconfigured security controls, open access ports, and unpatched systems (software updates often contain new security protections that can close security gaps). Then, automatically and continuously monitor your digital environment for emerging vulnerabilities so that you can act quickly and proactively the moment new risks are discovered.
7. Monitor user behavior
To secure the network against phishing attacks, use tools that detect anomalous user behavior or shadow IT–such as downloading unsanctioned software–on a continuous basis. This can prevent vulnerabilities from creeping into the network.
Keep a weather eye on the horizon
Don’t get sunk by a whale! Take a layered approach to security—one that encompasses people, processes, and technologies—so you can quickly and proactively hunt down and harpoon any whaling threat and sail your organization and executives safely to calmer waters.
To elevate cybersecurity awareness in your organization, download our ebook: The Secret to Creating a Cyber Risk-Aware Organization.