Skip to content

Whaling in 3 simple points: What is it, how does it work, and how can you protect yourself?

Whaling is a form of phishing attack which is incredibly dangerous for companies of all sizes. Classic phishing attackers focus on quantity and the highest number of fake messages possible. Whaling attackers pick their targets carefully. They aim and harpoon their chosen “whale” precisely, rather than catching a lot of small fish with huge fishing nets. Organizations can lose sensitive information and a lot of money as a result of it. So what should you be looking out for?

1.     What is it exactly?

Whaling is a special sort of phishing attack, which is closely targeted at senior corporate employees. The attacker pretends to be their superior, who demands employees’ sensitive information or a financial transfer in a seemingly official email request. Or the attacker might simply send malicious malware hidden in a supposedly work-related attachment.

Whaling uses similar methods to traditional phishing, i.e. e-mails, unsecured links, or so-called “web spoofing“, where fake websites are created to look as official as possible in order to lure you into entering your sensitive information. E.g. they can lead the victim to a page that is identical to the corporate one, where an unsuspecting user then enters their login details. This will allow attackers to enter the company's system, from which they can steal important information on a large scale.

Whaling adds another level of sophistication to social engineering given the underlying psychology in play. Most employees are afraid to fail their superiors. These attacks are also successful because it’s much easier than it used to be to gain access to personal information from both individual employees and company directors through social networks like LinkedIn or Twitter. It is not a problem for capable attackers to write and send a message which seems credible based on that internet data alone.

2.     Why does it work?

One of the reasons why whaling is difficult to detect is, among other things, that its scope is much smaller than in traditional phishing, where it’s easier to detect a cyber-attack because millions of these e-mails are sent through botnets. People targeted by whaling are carefully chosen and the number of e-mails sent is relatively limited. Given the goal of whaling, ie potential for obtaining crucial corporate data and large amounts of money, the attackers can afford to be much more precise with their preparation.

Because of this, not that many cases have been detected so far. Although it is clear from the published data that whaling is definitely a growing trend and a great danger. For example, in November last year, co-founder of the Australian hedge fund Levitas fell victim to whaling, when he clicked on a fake link to a  Zoom meeting that installed malware on his computer, costing the company 800,000 dollars. However, the actual loss is estimated at almost nine million dollars. But most importantly, the cyber-attack, which went public soon after it happened, caused Levitas their reputation and trust. The hedge fund lost its largest investor, who has planned to invest 16 million dollars. The loss of this investment led Levitas to close permanently. Whaling is not only a cybersecurity danger, it has real-world consequences.

Attackers usually select senior employees, and more likely sales rather than IT, because these non-technical managers are generally more likely to be unaware of the basics of cybersecurity. Last but not least, these fake e-mails usually contain the company logo and often also the phone number and personal information of the superior whom the attacker pretends to be. The attackers usually have realistic requirements and do not try to push to gain access to internet banking in the first communication, so they don’t seem suspicious. More often than not, they send a malicious file that contains a keylogger (software that scans keystrokes), for example.

3.     How can you protect your company?

In order to protect your company against whaling, it is absolutely essential that all employees are aware of its dangers so that they are cautious and careful when dealing with important emails which could be fake. All employees should be aware of the risks involved when sharing sensitive information.

Another means to protect against whaling is to introduce two-factor authentication when sending important information. In case of suspicion, verify the factuality of the received message, for example by calling the colleague who is allegedly sending the request.

Your company's IT department can also help with prevention easily and efficiently. It can differentiate all emails which do not come from the company’s network, immediately revealing that it was not a real supervisor who sent the e-mail. IT staff should also regularly send fake whaling e-mails to company employees to test whether they would fall for this attack from an actual attacker. This will help employees in case they are faced with a real attack. They will think twice about what messages they will trust after having the experience of losing data during a security drill.

Network-based security is ultimately the best prevention  

Human-level prevention is a vital backbone of any company's cyber security. However, the basis for complete peace of mind is a sophisticated security architecture, the layers of which, together with conscious employees, will reduce the level of any risk to the lowest values possible.