What is whaling?

James Dyer | 6th Jun 2023

Enhancements to network security within organizations have made it harder for threat actors to penetrate networks and systems. As a result, people have become the primary target for cyberattacks, with email providing the most effective mechanism for launching these attacks. This leads to all employees within an organization being frequently targeted by phishing attacks.

Whaling is a type of targeted phishing attack directed at C-suite executives, directors, or other high-level employees with privileged access to sensitive data or authorization to initiate actions, including large wire transfers. In essence, it is going after the ‘big fish’ (or whales) of an organization.

As part of the attack, cybercriminals typically try to convince their target to authorize a fraudulent wire transfer, to share financial information such as credit card details, to click a link to a phishing website and enter credentials or other sensitive information, or to download a file containing malware or ransomware.

The difference between phishing, whaling, and spear phishing

The term ‘phishing’ encompasses multiple attack types, including spear phishing and whaling. The differences between the three are as follows:

  • Phishing: The general term for any malicious email that attempts to convince someone to complete a secondary action, such as downloading a malware file, submitting credential data, or disclosing financial information. While this is the category name for all types of email-borne attacks, it also usually refers to a mass attempt that targets multiple people at once with the same content.
  • Spear phishing: A phishing attack that targets a specific person or group of people with tailored or personalized content, often using OSINT to increase its credibility.
  • Whaling: A type of spear phishing that specifically targets executives, directors, and other managers at a company who have access to critical information, authorization to perform certain actions like large payment transfers, or admin privileges to network or application systems.

Opportunistic, volume-based phishing attacks have lower individual success rates when compared to targeted attacks such as whaling. Phishing accounts for 41% of all cyber incidents, and 62% of phishing attacks are spear phishing. Additionally, 59% of organizations report that their executives have been targets of a whaling attack.

How does whaling work?

Prior to launching a whaling attack, threat actors gather open-source intelligence (OSINT) so that the attack appears legitimate. Whaling emails commonly contain the following features:

  • Personalized information about the organization and targeted individual
  • A sense of urgency and repercussion if action isn't quickly taken
  • Common business jargon used by the organization or in the industry

Since whaling is hyper-targeted, an attacker can use compromised accounts and impersonation to make the email appear to come from a trusted source, such as a colleague or supply chain partner, or can send it from a spoofed email address. Cybercriminals exploit existing trusted relationships or combine the attack with non-cyber tactics. For example, an attacker may follow up a whaling email with a phone call to confirm the request, adding to its perceived credibility.
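The traits listed above (an impersonated executive, a lookalike or spoofed sender, diverted replies, urgency, and a financial request) can be turned into a simple triage heuristic that a mail gateway or SOC script runs over inbound messages. The Python below is an added example, not code from the original post or from Egress Defend; the executive directory, the organization's domain and the two sample messages are constructed for illustration, and the scoring weights are a deliberately simple count of matched traits.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical directory of executives whose names an attacker might borrow,
# and the organization's own sending domain (constructed values for this example).
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
TRUSTED_DOMAINS = {"example-corp.com"}

# Pressure language and financial actions typical of whaling emails.
URGENCY_PATTERNS = [
    r"\burgent(?:ly)?\b", r"\bimmediately\b", r"\bright away\b",
    r"\bbefore (?:end|close) of (?:day|business)\b", r"\bkeep this confidential\b",
]
ACTION_PATTERNS = [
    r"\bwire transfer\b", r"\bpayment\b", r"\binvoice\b", r"\bbank details\b",
]


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains that are one character off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_confusables(domain):
    """Fold common confusable characters so 'example-c0rp.com' compares as 'example-corp.com'."""
    return domain.replace("rn", "m").replace("0", "o").replace("1", "l").replace("vv", "w")


def is_lookalike(domain):
    """True for a domain that is not trusted but is within one edit (after confusable folding) of one."""
    if domain in TRUSTED_DOMAINS:
        return False
    folded = normalize_confusables(domain)
    return any(folded == t or edit_distance(domain, t) == 1 for t in TRUSTED_DOMAINS)


def score_message(raw):
    """Return (score, reasons) for a raw RFC 822 message; higher means more whaling traits."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reasons = []

    # 1. An executive's display name paired with an address that is not that executive's.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append("executive display name with unexpected address")
    # 2. The sender domain is a lookalike of the organization's domain.
    if is_lookalike(from_domain):
        reasons.append(f"lookalike sender domain {from_domain}")
    # 3. Replies are diverted to an address other than the visible sender.
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append("reply-to differs from from address")
    # 4 and 5. Pressure language and a financial action request in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        reasons.append("urgency language")
    if any(re.search(p, text) for p in ACTION_PATTERNS):
        reasons.append("financial action requested")
    return len(reasons), reasons


# Constructed sample messages: the first impersonates "Jane Doe" from a lookalike domain.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@example-c0rp.com>
To: cfo@example-corp.com
Reply-To: jane.doe.ceo@webmail-example.net
Subject: Urgent wire transfer - confidential

I need you to process a wire transfer to the attached account before close of business today.
"""

BENIGN = """\
From: Jane Doe <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Board deck

Attaching the slides for Thursday, no action needed.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score} reasons={reasons}")
```

Header-only checks like these are cheap but weak against a genuinely compromised account, where the From address, domain and reply path are all legitimate; that case is why the post recommends out-of-band verification of any payment request, and in practice a score from a heuristic like this is better used to route a message for extra review or to attach a warning banner than to block outright.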

Real-world whaling example

In November 2020, the Australian hedge fund Levitas Capital shut its doors following a successful whaling attack. The attackers took aim at Levitas Capital's co-founder Michael Fagen, crafting a phishing email that looked like a legitimate Zoom invite. Fagen clicked the link, which installed malware on his computer.

The criminals then observed how the company conducted business and used that knowledge to pose as its representatives when contacting Apex, the firm's fund administrator. They provided account details for Apex to transfer $1.2m; Apex then asked Fagen to confirm the transfer. Because of their access to his mailbox, the attackers intercepted Fagen's email declining the payment and sent one confirming it instead, and so the money was transferred.

After this success, the attackers sent additional invoices for $2.5m and $5m, both of which were unsuccessful. Despite Levitas Capital stopping the later attempts, the reputational damage was irreparable: the firm lost investors, causing it to collapse.

How to defend against whaling attacks

Defense against whaling attacks involves increasing employee awareness and deploying the right email security, such as an integrated cloud email security (ICES) solution. Due to the extremely targeted and convincing tactics cybercriminals use for whaling, it is highly unlikely people will detect these attacks without the help of technology.

Egress Defend protects organizations from whaling and other phishing attacks. It uses machine learning (ML) and natural language processing (NLP) to understand common traits of a whaling attack and ultimately identify malicious emails, including ones sent from compromised accounts. Defend will apply heat-based warnings to whaling and other phishing emails to educate users through real-time teachable moments, increasing employee awareness.

In addition to implementing an ICES solution, organizations and employees can:

  • Use awareness training: Train executive leadership on the signs of potential whaling, what to do if targeted, and the tools they can use to prevent successful attacks.
  • Be sensible on social media: Since social media is part of the attacker's OSINT toolkit, employees should be wary of what information they post publicly and which profiles they connect with on those platforms.
  • When in doubt, double-check: Since email accounts can be spoofed or compromised, employees should verify the request with the sender through alternative channels.