What is a Whaling Attack?
A whaling attack is a security exploit that targets executives and high-level decision-makers within a specific organization. In this type of spear phishing attack, the attacker purposely seeks out “big fish” who have the authority to perform a specific action on behalf of the attacker.
For example, the victim may be asked to:
- Authorize a financial transaction.
- Grant the attacker network access.
- Change payroll information.
- Ship something valuable to another location.
- Divulge a trade secret.
- Install malicious software (malware).
Ordinary phishing attacks cast a wide net; the attacker typically purchases a list of email addresses or mobile phone numbers and sends the same email or text message to thousands of people at the same time.
In contrast, whaling email and text messages are tailored for a specific recipient. Cybercriminals who employ whaling as an attack vector spend a lot of time researching the targeted organization to understand the company’s reporting structure and figure out which big fish (whale) has the power to carry out the attacker’s desired action.
Popular C-level attack victims include:
- Company Presidents
- Company Vice Presidents
- Corporate comptrollers
- Corporate Human Resource Managers
- Chief Executive Officers (CEOs)
- Chief Financial Officers (CFOs)
- Chief Information Officers (CIOs)
- Chief Technology Officers (CTOs)
- Chief Operating Officers (COOs),
- Chief Revenue Officers (CROs)
- Chief Procurement Officers (CPOs)
- Chief Legal Officers (CLOs)
- Chief Supply Chain Managers (CSCMs)
In some countries, whaling is considered to be a type of business email compromise (BEC) attack and may also be referred to as CEO fraud or VIP phishing.
How Whale Phishing Work?
It’s not unusual for a whale phisher to spend weeks – or even months – researching potential victims before initiating an attack. They’ll use publicly-available information and social engineering tactics to learn as much as possible about their target.
Sometimes an attacker will even conduct tests to determine which communication channel their target prefers to use. For example, the attacker may pose as a secretary who works for a trusted vendor and call to see if their target answers their phone personally — or they may pose as a former employee and send the target an innocuous email or text message to confirm the victim’s email address or mobile phone number.
Here is an example of how a whaling attack might work:
- The attacker impersonates company ABC’s Chief Executive Officer and sends an email to ABC’s Treasury director. The email appears to have been sent internally and references something the CEO has talked about in the past.
- The email explains the CEO is traveling and just had lunch with their competitor’s new CFO. It goes on to say that the Chief Financial Officer accidently revealed his new employer is having cashflow problems and needs to sell their new jet as soon as possible.
- The CEO explains she doesn’t want to miss out on the opportunity to purchase the plane and asks the Treasury director to wire $3 million to account X as soon as possible.
- The Treasury director knows her company has wanted to purchase a company plane for some time, but the last jet they looked at cost $5 million. $3 million for an almost-new plane sounds like a good deal. The Treasury director wires the money.
- A few hours later, the real CEO walks by the Treasury director’s office. It turns out they were not traveling and did not request a wire transfer. Company ABC just became another whaling attack statistic.
Examples of Successful Attacks
The example above is not too far from the truth. Something similar happened to toy manufacturer Mattel — even though the company’s protocol required two sign-offs for wire transfers.
Aerospace manufacturer FACC also became a whaling statistic when someone in their finance department received an email they believed was from the company’s CEO. The email, which looked legitimate, requested the recipient to immediately wire €42 million to a specific account so the CEO could close an important business deal. The employee, believing the email they received was from the CEO, proceeded to transfer the funds. By the time the company realized the email was fraudulent, the attacker was long gone.
In 2020, the co-founder of Levitas Capital became a victim of a whaling attack when he clicked on a Zoom link that installed malware on the company’s network. Once the network was compromised, the attacker was able to move laterally, gain more access privileges and eventually trick the company’s trustee into approving payments for bogus invoices.
Consequences of a Successful Attack
Mattel is the only company in the examples above to escape consequences — and that was pure luck because the funds were transferred at night and the next day in China was a bank holiday. Mattel was able to contact the police in China before the attacker could withdraw the funds and get their money back.
FACC and Levitas Capital were not so lucky. FACC’s CEO and CFO were both fired when it was determined their money could not be recovered, and Levitas Capital was forced to close its doors after they lost their money, because investors no longer trusted the hedge fund.
How to Prevent Whaling Attacks From Being Successful
C-level executives have proved to be lucrative attack targets because they have superuser access permissions for a wide variety of information resources and the authority to approve last-minute transactions. Ironically, these same individuals are rarely forced to participate in HR training sessions for security awareness.
To minimize the risk of a whaling attack, organizations should invest in strong security policies and procedures and encourage a culture of security awareness and verification. Here are some practical measures that can help prevent a whaling attack from being successful:
- Implement a policy that requires employees to double-check and verify any unusual or unexpected requests for sensitive information or financial transactions, especially if they involve high-level executives.
- Mandate security awareness training on a regular basis for all employees, including C-level executives.
- Implement multi-factor authentication (MFA) and regularly review access privileges to enforce the principle of least privilege (PoLP) at every level of the organization.
- Develop and practice a comprehensive incident response plan to help ensure whaling attacks are quickly identified and mitigated.
- Deploy security mechanisms that will prevent unauthorized users from running whoami and other command-line utilities.