The internet’s greatest con, phishing, has evolved over the years, with attackers becoming increasingly precise in their methods. One such method that has risen to the surface is whale phishing. It’s like a souped-up version of the usual phishing tactics. Instead of casting a wide net, hackers target the big players within an organization – think CEOs, executives, and decision-makers.
The game's changing, and staying on top of it is more crucial than ever.
As the name suggests, whale phishing targets the corporate "big fish," focusing on high-profile executives to gain access to valuable company assets and sensitive information.
For instance, victims may be asked to:
Approve a financial transaction
Give the attacker network access
Modify payroll details
Disclose a proprietary trade secret
Install malware
Attackers trick top executives, typically C-level leaders and the finance staff who act on their instructions, using emails, fake websites, phone calls, and other social engineering techniques.
Whale phishing is sometimes confused with phishing and spear phishing, but the three differ in targeting: ordinary phishing is sent in bulk to whoever will bite, spear phishing is tailored to a specific person or team, and whaling is spear phishing aimed at executives and the people who can authorise payments or release sensitive data on their say-so.
Here's an infographic that explains the differences:
Hackers have come up with sophisticated methods to net high-value targets over the years. These whale phishing tactics can be classified into:
CEO Fraud: Email impersonation of CEOs, prompting urgent financial actions or sensitive data sharing.
Business Email Compromise (BEC): Compromising executive email accounts to initiate fraudulent activities like unauthorized transfers.
Vendor Email Compromise: Impersonating vendors via email to deceive executives into making payments or revealing sensitive information.
Vishing (Voice Phishing): Phone calls impersonating executives or authority figures to extract sensitive information.
Phone Verification Whaling: Following whaling emails with phone calls to verify receipt and emphasize urgency.
Lawyer Impersonation Calls: Phone calls posing as legal professionals, demanding urgent action or confidential information.
Social media reconnaissance: Gathering information from public social media profiles and company bios (roles, reporting lines, travel, vendor relationships) to craft convincing, personalised phishing emails.
Here’s a look at some cases over the years:
2008 whaling attack on financial executives: In 2008, The New York Times reported one of the earliest widely publicised whaling campaigns, which targeted thousands of high-ranking executives at financial services companies. Each executive received a personalised fake subpoena, purportedly from the U.S. District Court in San Diego and containing the recipient's name, company and phone number, instructing them to appear before a grand jury in an upcoming civil case. The link offered to download the subpoena installed malware that recorded keystrokes.
2019 whaling attack on the City of Saskatoon: In 2019, the City of Saskatoon transferred about CA$1 million to fraudsters who posed as the chief financial officer of a construction company the city was paying. Using look-alike domain names and email addresses, the attackers persuaded city staff to change the vendor's banking details, so a legitimate payment went to an account the fraudsters controlled.
2020 whaling attack on Levitas Capital: In 2020, the Australian hedge fund Levitas Capital lost about $800,000 after a co-founder clicked on a fake Zoom invitation link. The link installed malware that gave the attackers access to the firm's email, which they used to send fraudulent invoices to the fund's administrator. Most of the money requested was recovered, but the incident cost the fund its largest client and it subsequently closed.
Here are some ways you can identify a whale phishing attack:
Preventing whale phishing requires layered defences: people, policy and tooling all have to hold, because the attacker only needs one of them to fail.
This involves:
Employee training: Conduct regular security awareness training, with extra attention for executives, executive assistants, and finance and payroll staff, covering current social engineering techniques (urgent payment requests, look-alike domains, vendor bank-detail changes). Staff who know the playbook are much harder to manipulate.
Anti-phishing tooling: Invest in reliable email security and endpoint tools that offer spam filtering, malicious attachment detection, and URL monitoring or rewriting. Note that a look-alike domain registered by the attacker passes SPF and DKIM checks, because the attacker controls it, so filtering must also flag display-name and domain similarity rather than relying on authentication results alone.
Data protection policies: Establish comprehensive policies outlining guidelines to safeguard company information. These may include restrictions on sending files to personal email accounts and recommendations to avoid public Wi-Fi.
Social media guidance: Provide executives with clear guidance on securely managing their social media accounts to prevent information exposure. Executives, being prime targets, need awareness to avoid falling victim to whaling and other social engineering attacks.
Link and sender verification: Encourage double-checking hyperlinks in emails by hovering over them to review the full URL, and checking the sender's actual address rather than the display name. Educate employees to avoid clicking suspicious links and instead go directly to the relevant site. For any request to move money or change bank details, require confirmation through a second channel (a phone number already on file, never one supplied in the email) before acting.
Minimal account creation: Discourage unnecessary account creation by employees, minimizing the exposure of personal information online. Emphasize signing up for platforms and accounts only when essential.
Protect personal information: Stress the importance of personal information protection, both on social media and in online company bios. Advise employees to avoid oversharing and empower them to adjust privacy settings.
Regular software updates: Ensure regular updates for devices, applying the latest security patches to prevent hackers from exploiting vulnerabilities. Enabling automatic updates simplifies the process.
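The identification and link/sender verification advice above can be automated as a first-pass triage. The following is an added example, not code from the original article: a Python script that checks one raw message for the indicators discussed on this page, namely a look-alike sender domain (homoglyphs such as examp1e.com, or the company name buried in another domain such as example-com.net), an executive's display name on an outside address, a Reply-To that diverts replies elsewhere, link text that shows one host while the href points at another, and urgency or payment wording. ORG_DOMAIN, VENDOR_DOMAINS, EXECUTIVES, the word lists and the sample message are all assumed values constructed for the example.

```python
"""Heuristic triage of a suspected whaling e-mail (added example, not the article's code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"                   # assumed: the defender's own mail domain
VENDOR_DOMAINS = {"trusted-vendor.example"}  # assumed: vendors the company actually pays
EXECUTIVES = {"jane doe"}                    # assumed: display names attackers impersonate
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|confidential|subpoena)\b", re.I)
FINANCIAL = re.compile(r"\b(wire|transfer|bank details|account number|payroll|invoice)\b", re.I)
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # digits posing as letters


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str) -> bool:
    """True when `domain` imitates `trusted` without being it or one of its subdomains."""
    domain, trusted = domain.lower(), trusted.lower()
    if not domain or domain == trusted or domain.endswith("." + trusted):
        return False
    norm = domain.translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    if levenshtein(norm, trusted) <= 2:        # examp1e.com, exarnple.com, exampel.com
        return True
    return trusted.split(".")[0] in norm.replace("-", "")   # example-com.net, secure-example.net


class _LinkExtractor(HTMLParser):
    # Collects (href, visible text) pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s: str) -> str:
    host = urlparse(s if "://" in s else "//" + s).hostname or ""   # also bare "x.y/z" link text
    return host if "." in host and " " not in host else ""           # "" unless it looks like a host


def analyze(raw: str) -> list[str]:
    """Return the names of the whaling indicators found in one RFC 5322 message."""
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    if any(is_lookalike(from_domain, t) for t in {ORG_DOMAIN, *VENDOR_DOMAINS}):
        findings.append("lookalike_sender_domain")
    if name.strip().lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        findings.append("executive_name_external_address")      # display-name spoof
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply_to_domain_mismatch")              # replies are diverted
    text = msg.get("Subject", "")
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        text += " " + body
        if ctype == "text/html":
            parser = _LinkExtractor()
            parser.feed(body)
            for href, shown in parser.links:
                href_host, shown_host = _host(href), _host(shown)
                if shown_host and shown_host != href_host:
                    findings.append("link_text_host_mismatch")   # the "hover over it" check
                if is_lookalike(href_host, ORG_DOMAIN):
                    findings.append("lookalike_link_domain")
    for label, pattern in (("urgency_language", URGENCY), ("financial_request", FINANCIAL)):
        if pattern.search(text):
            findings.append(label)
    return findings


# Constructed sample: a whaling attempt using the look-alike domain, diverted reply and disguised link tricks.
SAMPLE_WHALING = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
Subject: URGENT - wire before close of business today
Content-Type: text/html; charset="utf-8"

<html><body><p>Please approve a wire of $240,000 to the new vendor account immediately.
Keep this confidential. Bank details are here:</p>
<a href="http://example-com.net/login">https://portal.example.com/invoices</a></body></html>
"""
```

`analyze(SAMPLE_WHALING)` returns all seven indicator names, while an ordinary internal message from a colleague at the real domain returns an empty list. In a real deployment this would run over mail from the gateway's journal and raise an alert for a human to verify out of band rather than block outright: every check here can false-positive (a legitimate partner whose domain contains the company name, marketing mail with urgency wording), and the look-alike heuristics are deliberately loose because the attacker chooses the domain.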
Have clear steps in place for responding to a suspected whaling attack:
Isolate the device: Immediately disconnect the affected machine from the network (Wi-Fi and wired) to stop any malware from spreading or calling home.
Back up data: Keep regular backups, stored offline or on external drives, so a compromised system can be rebuilt rather than trusted.
Reset credentials: Reset passwords if a compromise is suspected, revoke active sessions, remove any mail-forwarding rules the attacker may have added to the mailbox, and enable two-factor authentication.
Malware scanning: Use security software to scan the system and remove any malware found.
If money has already been sent, contact the bank immediately to attempt a recall; whatever the outcome, it's important to learn how to report phishing and online scams properly.
As organizations navigate the uncharted waters of whale phishing, understanding the depth and sophistication of these attacks is crucial. By investing in advanced cybersecurity measures, keeping the team vigilant, and staying ahead of evolving threats, businesses can navigate the challenges and emerge resilient in the digital landscape.
Here's a checklist on how to avoid whale phishing attacks: