Whaling, or whale phishing, is a common cyber attack in which an attacker uses phishing methods against high-level executives, such as the chief executive officer or the chief financial officer, in order to steal sensitive information from a company or to lure the victim into making a wire transfer.
Cybercriminals may use social media to gather personal information about their victims to create emails and websites that are personalized, and often incorporate the target’s name, job title, or other relevant information. This level of personalization makes it difficult to detect a whaling attack.
While phishing targets non-specific individuals and may be in the form of a mass email to many people, whaling targets a specific person or only high-level executives.
Implications of Whaling
In a report by Phishlabs, 22% of all phishing emails analyzed in 2015 were motivated by financial fraud or other crimes. The FBI also reported that companies lost almost $215 million in 2014 to phishing email scams, with whaling among the most preferred methods.
Cybercriminals use whaling emails to gain access to sensitive information that could be used for ransom or a data leak.
Any leak of personal information can easily damage a company’s reputation, resulting in a loss of customers or revenue, especially in whaling cases, where the target is a high-ranking officer of the organization.
Some examples of whaling attacks
In 2016, an employee from Snapchat was deceived by an email that looked like the CEO had sent it. The employee disclosed all of the payroll information to the attacker.
An employee of Scoular Company, a commodities firm located in Omaha, transferred $17.2 million to a Chinese bank account. The perpetrators sent emails that appeared to be from the company’s CEO.
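Both cases above rely on mail that merely looks like it came from the CEO. The checks below are an added example (not code from the article) of the kind of mail-gateway rule that catches this: a sender whose display name matches an executive but whose address is outside the corporate domain, a sender domain that is a near-miss of the corporate domain, and a Reply-To that points somewhere other than the sender. The corporate domain example.com, the executive roster and the sample messages are all constructed assumptions.

```python
"""Executive-impersonation checks over e-mail headers (added example, not from the article).

Assumptions (not in the original text): the company domain is example.com, the
executive roster and the messages below are constructed samples, not real mail.
"""
import re
from dataclasses import dataclass, field

CORP_DOMAIN = "example.com"                           # assumed corporate domain
EXECUTIVES = {"jane doe": "ceo", "john smith": "cfo"}  # constructed roster


@dataclass
class Finding:
    message_id: str
    reasons: list = field(default_factory=list)


def parse_addr(header: str):
    """Split 'Display Name <user@domain>' into (name, local part, domain), all lower-cased."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^@>]+)@([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip().lower(), m.group(2).lower(), m.group(3).lower()
    if "@" in header:                     # bare address with no display name
        local, domain = header.strip().lower().split("@", 1)
        return "", local, domain
    return header.strip().lower(), "", ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(msg: dict) -> Finding:
    """Return a Finding whose reasons list is empty when nothing looks wrong."""
    f = Finding(msg["id"])
    name, _, from_domain = parse_addr(msg["from"])
    # 1. An executive's name on a message that did not come from our domain.
    if name in EXECUTIVES and from_domain != CORP_DOMAIN:
        f.reasons.append(f"display name of {EXECUTIVES[name]} with external sender domain {from_domain}")
    # 2. A sender domain within two edits of ours (typosquat / digit-for-letter swap).
    if from_domain != CORP_DOMAIN and 0 < edit_distance(from_domain, CORP_DOMAIN) <= 2:
        f.reasons.append(f"lookalike sender domain {from_domain}")
    # 3. Replies silently routed to a different domain than the visible sender.
    reply_to = msg.get("reply_to")
    if reply_to:
        _, _, rt_domain = parse_addr(reply_to)
        if rt_domain and rt_domain != from_domain:
            f.reasons.append(f"reply-to domain {rt_domain} differs from sender domain {from_domain}")
    return f


def scan(messages) -> dict:
    """Map message id -> reasons for every message that triggered at least one check."""
    results = {}
    for msg in messages:
        finding = check_message(msg)
        if finding.reasons:
            results[finding.message_id] = finding.reasons
    return results


# Constructed sample headers: one genuine, two impersonations, one ordinary vendor.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "Jane Doe <jane.doe@example.com>"},
    {"id": "m2", "from": "Jane Doe <jane.doe@gmail.com>",
     "reply_to": "Jane Doe <ceo-office@mail.ru>"},
    {"id": "m3", "from": "John Smith <john.smith@examp1e.com>"},
    {"id": "m4", "from": "Accounts <ap@vendor-example.net>"},
]

if __name__ == "__main__":
    for mid, reasons in scan(SAMPLE_MESSAGES).items():
        print(mid, "->", "; ".join(reasons))
```

In practice the executive roster would come from the HR directory and the rule would run alongside, not instead of, SPF/DKIM/DMARC evaluation; it exists to catch the free-mail and lookalike-domain cases that pass those checks because the attacker controls the sending domain.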
How to deal with Whaling attacks?
Educate employees and yourself
Learn how to identify suspicious emails and protect yourself from them. A study found that click rates fell by between 26% and 99% after employees underwent a phishing awareness program. Whaling attacks show that the need for security awareness extends all the way up to the C-suite.
Establish multiple-step processes for sensitive actions
Companies should adopt systems that require multiple-step processes for transmitting crucial information and initiating wire transfers. Such a process helps establish that a request is authentic and can significantly reduce the chance of falling prey to fraudulent emails.
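One concrete shape for such a multiple-step process, written here as an added example and not taken from the article: a wire request that arrived by email is held until the requester has been called back on a phone number taken from the internal directory (never from the email), and until enough distinct approvers, none of them the requester, have signed off. The directory, approver list and dual-approval threshold are constructed assumptions.

```python
"""Dual-control release of wire transfers (added example, not from the article).

Assumed policy: a request is released only after (1) an out-of-band callback to
the requester on the directory phone number and (2) one approval for routine
payments, two for large or first-time beneficiaries, with no self-approval.
The directory, approvers and threshold are constructed sample values.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    REQUESTED = auto()   # arrived by e-mail, nothing verified yet
    VERIFIED = auto()    # requester confirmed by callback
    APPROVED = auto()    # enough distinct approvals collected
    RELEASED = auto()    # sent to the bank
    REJECTED = auto()    # requester denied making the request


class WorkflowError(Exception):
    """Raised when a step is attempted out of order or by the wrong person."""


# Constructed sample data: internal phone directory and authorised approvers.
PHONE_DIRECTORY = {"cfo": "+1-555-0100", "controller": "+1-555-0101"}
APPROVERS = {"controller", "treasurer", "cfo"}
DUAL_APPROVAL_THRESHOLD = 50_000.0   # assumed policy threshold


@dataclass
class TransferRequest:
    requester: str
    amount: float
    beneficiary: str
    new_beneficiary: bool
    state: State = State.REQUESTED
    approvals: set = field(default_factory=set)

    def approvals_needed(self) -> int:
        # Large or first-time payments need two people; routine ones need one.
        return 2 if (self.amount >= DUAL_APPROVAL_THRESHOLD or self.new_beneficiary) else 1


def confirm_callback(req: TransferRequest, number_dialled: str, confirmed: bool) -> State:
    """Record the out-of-band callback; the number must be the directory entry."""
    if req.state is not State.REQUESTED:
        raise WorkflowError("callback only valid on a fresh request")
    if PHONE_DIRECTORY.get(req.requester) != number_dialled:
        raise WorkflowError("callback number is not the directory number for the requester")
    req.state = State.VERIFIED if confirmed else State.REJECTED
    return req.state


def approve(req: TransferRequest, approver: str) -> State:
    """Add one approval; self-approval and duplicate approvals are refused."""
    if req.state is not State.VERIFIED:
        raise WorkflowError("approvals are only accepted after callback verification")
    if approver not in APPROVERS:
        raise WorkflowError(f"{approver} is not an authorised approver")
    if approver == req.requester:
        raise WorkflowError("requester cannot approve their own transfer")
    if approver in req.approvals:
        raise WorkflowError(f"{approver} has already approved")
    req.approvals.add(approver)
    if len(req.approvals) >= req.approvals_needed():
        req.state = State.APPROVED
    return req.state


def release(req: TransferRequest) -> State:
    """Final step: only an APPROVED request can be sent to the bank."""
    if req.state is not State.APPROVED:
        raise WorkflowError("transfer has not completed the approval process")
    req.state = State.RELEASED
    return req.state


def refused(step, *args) -> bool:
    """True when the step is blocked by the workflow rules."""
    try:
        step(*args)
        return False
    except WorkflowError:
        return True


if __name__ == "__main__":
    # A large payment to a brand-new account, requested in the CFO's name.
    req = TransferRequest("cfo", 17_200_000.0, "ACCT-NEW-001", new_beneficiary=True)
    confirm_callback(req, PHONE_DIRECTORY["cfo"], confirmed=True)
    approve(req, "controller")
    approve(req, "treasurer")
    print(release(req))
```

The point of the callback rule is that a fraudulent email usually supplies its own contact details; by only ever dialling the directory number, the verification step cannot be hijacked by the message it is meant to check.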
Discuss appropriate Social Media behavior
Social media posts can help a cybercriminal gather the details used to personalize a whaling attack. Educating employees about what should not be disclosed on social media sites may prevent cybercriminals from using this information in a phishing attack.