What is Whaling?

Phishing is among the most damaging forms of cyberattack, largely because it manipulates users into helping criminals reach their goals. Whaling cyber awareness is essential because whaling is one of the main shapes phishing attacks take.

Because they are built on user manipulation and deception, phishing attacks come in several shapes and formats. Whaling, also known as “CEO fraud,” is one of the most dangerous.

Read on for more details on what whaling is and how to avoid it.


What is Whaling

Whaling, or whale phishing, is a highly targeted form of phishing. Unlike traditional phishing, it aims at high-level executives, such as C-level executives. It is digitally enabled fraud that attempts to persuade its target to take a secondary action, such as initiating a wire transfer. Whaling can also take the form of cybercriminals posing as someone from upper management and deceiving the

Whaling has another name: CEO fraud. The technique is quite similar to that of phishing. The cybercriminal attempts to convince the recipient to click a malicious link or visit a fraudulent website designed to steal sensitive information and potentially gain remote access to their device.

The main difference between whaling and phishing is that phishing targets non-specific individuals and goes out as a mass email to many people. Spear phishing, which targets a specific group of people, is more closely related to whaling. Whaling is a more focused form of spear phishing that targets one person rather than a group.

Implications of Whaling

Now that we are improving our whaling cyber awareness, let’s look at some of its consequences.

Monetary loss 

First and foremost, there is a direct and obvious consequence: monetary loss. In a report by PhishLabs, around 22% of all phishing emails analyzed in 2015 were motivated by financial fraud or other crimes. The FBI also reported that companies lost about $215 million in 2014 to phishing email scams, with whaling among the most favored methods. These figures show that whaling is a severe threat, and companies should do all they can to prevent it.

Data loss

Another potential consequence with significant implications is the loss of data. Cybercriminals tend to use whaling emails to gain access to sensitive information that only the target would possess. They can then hold the information hostage and demand a ransom or, worse yet, leak the data to the internet. Either way, the outcome is undesirable, and companies must avoid it. Furthermore, if they do fall victim to a whaling attack, the information becomes inaccessible, and they must go through many further steps to retrieve it.

Reputation damage

Imagine a scenario where your bank has just announced that a whaling attempt succeeded and all of its customers’ data was lost. You probably wouldn’t feel good about it and would want to switch banks as fast as you could. This reputational damage is one of the consequences of a whaling attack. The firm would lose its current customers as well as potential future customers and business prospects, resulting in a far greater loss.

Some examples of whaling attacks

Whaling cyber awareness is necessary because these attacks have been around for quite a while and are still fooling some people. In 2016, an employee from Snapchat was deceived by an email that looked like the CEO had sent it. The employee disclosed all of the payroll information to the criminal, thinking they were communicating with the CEO. HR employees and members of the finance teams are usually the targets of such attacks as they tend to have the information that criminals desire.

Another prominent example is the Scoular Company, a commodities firm located in Omaha. An employee sent around $17.2 million to Chinese bank accounts. The perpetrators sent emails that appeared to come from the CEO, and they managed to steal the money.

In both cases, employees failed to recognize the attack and acted on the fraudulent requests, resulting in significant losses.

How to deal with Whaling attacks?

Given how imposing and devastating the consequences of whaling attacks are, companies need to do all they can to avoid them. The potential savings and reputation protection are immeasurable. Here are a few tips to keep in mind when dealing with whaling attacks:

Educate employees and yourself

Before you do anything else, it is essential to know what you are protecting yourself from. Learning how to spot suspicious emails and what to do about them goes a long way toward protecting yourself. A study found that click rate reductions ranged between 26% and 99% after employees underwent a phishing awareness program. Every single employee needs to receive this training, from the lowest-ranking employee to the CEO. No one should be exempt from it.

Establish multiple-step processes for sensitive actions

Even if a request genuinely comes from the CEO, it is essential to have multiple steps for sensitive processes such as transmitting crucial information and wire transfers. This process helps establish authenticity and significantly reduces the chance that a fraudulent email succeeds. When there are multiple steps, the scammers need to know what comes next, and to learn that they would have to collect far more internal information, which is harder to do.
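One way to enforce such a multi-step process for wire transfers, as an added example that is not from the original article: the request cannot be approved by the person who entered it, the confirmation call must go to the claimed sender's number from the company directory (never a number supplied in the email), and large amounts need two approvers. The directory, threshold and names below are constructed.

```python
"""Dual-control release of wire transfer requests (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed directory: the callback number always comes from here, not from the email.
DIRECTORY = {"ceo@example.com": "+1-555-0100", "cfo@example.com": "+1-555-0101"}
TWO_APPROVER_THRESHOLD = 100_000  # assumed policy: amounts at or above this need two approvers


@dataclass
class TransferRequest:
    requester: str            # person who entered the request (e.g. a finance clerk)
    on_behalf_of: str         # executive the email claims the request comes from
    amount: int
    beneficiary: str
    approvals: set = field(default_factory=set)
    verified_by: Optional[str] = None

    def approve(self, approver: str) -> None:
        # Separation of duties: the requester can never approve their own request.
        if approver == self.requester:
            raise PermissionError("requester cannot approve own request")
        self.approvals.add(approver)

    def verify_out_of_band(self, verifier: str, number_dialed: str) -> None:
        # The confirmation call must use the directory number of the claimed sender.
        expected = DIRECTORY.get(self.on_behalf_of)
        if expected is None or number_dialed != expected:
            raise ValueError("callback must use the directory number of the claimed sender")
        # The verifier must be independent of both the requester and the approvers.
        if verifier == self.requester or verifier in self.approvals:
            raise PermissionError("verifier must be independent of requester and approvers")
        self.verified_by = verifier

    def can_release(self) -> bool:
        # Release only when enough independent approvals exist and the callback succeeded.
        needed = 2 if self.amount >= TWO_APPROVER_THRESHOLD else 1
        return len(self.approvals) >= needed and self.verified_by is not None
```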

Discuss appropriate social media behavior

Social media is a gold mine for a cybercriminal, who can gather all the information they need to use against you in a whaling attack. Discussing with your employees what they post on social media helps reduce the personalization of these attacks, thereby reducing their effectiveness.

Build cyber culture and learn how to avoid whaling and other phishing scams today!