What exactly is whaling?

by Egress
Published on 25th Jun 2021

Phishing. Spear phishing. Whaling.

No matter which method cybercriminals use, they only have one mission in mind: to steal data. With more and more people working from home, these cyber attacks are on the rise, making businesses and their customers vulnerable.

Find out everything you need to know about whaling attacks in this article, and learn how you can keep your data safe online.

What is whaling?

A whaling attack is a highly targeted form of phishing where a cybercriminal impersonates high-profile individuals, like CEOs and directors, to steal sensitive information from other executives within the company.

C-suite executives will have enhanced access to multiple systems and therefore are gatekeepers to a wealth of business-critical information. They also have the internal authority to carry out actions like payment transfers, making them valuable targets. 

Fraudsters will snoop through their social media and company websites to find the personal information they need to craft believable fraudulent emails. They’ll then contact a close colleague of the victim (of a similar rank) to manipulate them into disclosing private information.

Whaling vs spear phishing vs phishing

Phishing is the generic term for any kind of email scam, and it has been around since the 1990s. Phishing scammers cast a wide net — targeting individuals at random, with a very low success rate. Their emails often contain general information and are easier to spot.

Spear phishing is a more sophisticated form of phishing that targets a specific individual. Whaling falls under this category, the only distinction being that whaling scams aim to reel in the “big phish” in a company.

Whaling is usually strategic, planned, and well-researched due to its high-risk, high-reward nature — making it particularly dangerous.

How does whaling work?

The key motive behind a whaling attack is to manipulate the actions of a senior party within an organisation by impersonating another. Email is the most common way that cybercriminals approach their victims. A whaling email attack might involve an email containing a malicious link. After clicking on the whaling link, you’ll be taken to a fake — albeit realistic — website and asked to provide your login credentials.

If you fall for the trick, the fraudster will have access to your credentials, compromising your whole account and giving them access to the data stored locally and in any systems that you use the same credentials for. 

Alternatively, as whaling attack victims usually have the authority to authorise money transfers, a cybercriminal might send fraudulent invoices or ask for wire transfers. 

Finally, whaling attacks can be used to deliver malware (including ransomware) through malicious attachments or links that send the victim to a site where malware will be downloaded.

These emails are getting harder to spot, as whaling fraudsters invest time in designing the perfect email to catch you off guard. These emails might:

  • Contain personalised information about the organisation and individual that’s under attack
  • Come from ‘trusted’ sources that have been compromised, for example, an email account of a supplier that a cybercriminal has already compromised
  • Convey a sense of urgency and a repercussion if action is not taken quickly
  • Use appropriate business jargon and tone for higher success rates.
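As an added illustration, not code from the original article, the Python below scores an inbound message for the whaling signals just listed: an executive's display name sitting on an external sender address, a Reply-To that diverts answers elsewhere, urgency wording, and a payment or wire-transfer request. The executive directory, the company domain and both sample emails are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of executives and the company's own mail domain (assumption,
# not from the article): a whaling email borrows one of these names.
EXECUTIVES = {"jane doe": "example.com"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|bank details|payment)\b", re.I)

def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()

def score_email(raw: str) -> dict:
    """Return the whaling indicators found in a raw RFC 822 message and their count."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    findings = []
    # An executive's display name on an address outside the company domain.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and sender_domain != expected:
        findings.append("executive display name on external sender domain")
    # Replies silently redirected to a different mailbox.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append("Reply-To domain differs from From domain")
    if URGENCY.search(text):
        findings.append("urgency language")
    if PAYMENT.search(text):
        findings.append("payment or wire-transfer request")
    return {"findings": findings, "score": len(findings)}

# Constructed sample messages for the demonstration.
WHALING_SAMPLE = """From: Jane Doe <jane.doe@mail-example.net>
Reply-To: jane.doe.ceo@reply-example.org
Subject: Urgent wire transfer needed

Sam, I'm in a meeting and can't talk. Please process the attached invoice
immediately and confirm once done. Keep this confidential.
"""
BENIGN_SAMPLE = """From: Jane Doe <jane.doe@example.com>
Subject: Board meeting agenda

Hi Sam, the agenda for Thursday is attached. Let me know if anything is missing.
"""
```

The heuristic is deliberately simple; a production mail filter would combine signals like these with SPF, DKIM and DMARC results rather than act on keywords alone.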

In recent years, there have been a number of high-profile whaling incidents. For example, both Seagate and Snapchat employees fell victim to whaling scams in 2016. An email, seemingly sent by the CEO, led to a mass data leak of employees’ private salary and tax information. 

In the age of GDPR, all eyes are on data security, so it’s critical to keep your own and your organisation’s data protected against these serious cyber threats.

How to stay protected against whaling attacks

Due to the current remote working trend, whaling attacks are becoming more common. In fact, according to the UK government’s Cyber Security Breaches Survey 2020, one in four businesses experienced a targeted impersonation attack in the last 12 months.

Businesses must take the appropriate steps to ensure they are protected against these cyber attacks — or risk facing reputational and financial damage:

1. Raise cybersecurity awareness

The best defence against whaling threats is to educate key individuals in an organisation so that they are always on guard about the risk of being targeted.

For example, encourage senior staff members to proceed with caution when dealing with any email requesting sensitive information, even if it has seemingly been sent by an executive within their own business or by a trusted third party.

2. Use social media sensibly

Whaling is incredibly successful because cybercriminals impersonate someone you know and respect. Fraudsters often find this information by diving into social media profiles, uncovering who you interact with and following your company updates.

Think twice before posting private information on social media, as threat actors could use it to their advantage.

3. Be wary of links and attachments

As with all forms of phishing, a good way to stay safe online is to stay cautious. If you receive an unexpected email (even if it’s seemingly from a senior member of your organisation) with links or attachments, don’t click. Instead, look for other signs of phishing and determine whether it’s a threat.

4. Invest in cybersecurity solutions

Ensure that your anti-malware software is up to date and set up your spam filter to limit the number of dangerous emails you receive. If you want to take an extra step towards full protection, invest in a solution like Egress Defend, which will keep you one step ahead of any scams, educating you along the way.

Egress Defend uses machine learning and natural language processing to analyse the content and context of emails, meaning it can spot sophisticated targeted attacks such as whaling, even when an attack comes from a compromised supply chain account. 

Learn more about phishing to stay safe

Cyberthreats are constantly evolving and becoming harder to spot. Explore our phishing hub to learn more about other forms of phishing scams and the risk they pose to data security. 
