Spear phishers are baiting their hooks for “big phish” with access to highly valuable corporate information, a strategy known as whaling, CEO fraud, or executive phishing.
Whaling can work like this: The malicious actor targets a high-profile C-level executive within an organization and conducts extensive research about them by trolling the internet, social media platforms, and corporate websites.
They will then use the information they gather to craft a highly personalized and convincing email that appears to come from a trusted source within the organization, such as the head of the ICT department.
The email may instruct the target to click on a provided link to verify their corporate account or change their password. In reality, the link will install malicious software or lead to a fake pop-up designed to capture the target’s login credentials when they attempt to change their password.
Once the target completes the attacker’s desired action, the attacker is free to explore the corporate network and collect the information needed to conduct additional unauthorized activities. This might include stealing sensitive corporate data, compromising financial transactions, conducting espionage, or even launching further targeted attacks within the network.
Whaling and phishing aren’t new, but the threat isn’t going away. That’s why it’s up to companies to take the lead in reducing their own risk.
Phishing, Spear Phishing, and Reeling in a Whale
Phishing attacks go way back, and if you use email, you’ve probably been exposed to a few yourself. In phishing attacks, hackers use email or malicious websites to solicit personal information by posing as trustworthy organizations, such as government organizations or financial institutions. This allows the attackers to request sensitive information. When the user responds with the requested information, attackers can use it to gain access to a user’s bank account or steal his or her identity, among other crimes.
Phishing emails, unlike spear phishing and whaling emails, are sent out in bulk, often thousands at a time. Therefore, they are targeted at a general audience. Cybercriminals use this high-volume approach in the hope that a few unfortunate people will take the bait.
Spear phishing is a more targeted phishing attack. It can be used on its own or as part of an advanced persistent threat (APT) campaign. Instead of casting out thousands of emails in the hope of finding a few victims, spear phishers target select groups of people with something in common – they work at the same company, bank at the same financial institution, attend the same college, or order merchandise from the same website. The emails are ostensibly sent by organizations or individuals the potential victims would normally receive emails from, making them even more deceptive. This targeted approach can make spear phishing more effective and, therefore, more damaging for its victims.
Whaling takes things one step further. Whaling is a spear phishing attack targeted at senior corporate executives and business owners. The attacker may take months to research the company and find out as much as possible about the potential victim in order to craft the email in a way that seems legitimate to the recipient. Senior executives and business owners are targeted because they tend to have access to the most sensitive information within the company. Once their computer is compromised, the attackers have virtual carte blanche. And for the company, that is very bad news.
Examples of Whaling
One example of a particularly successful whaling campaign occurred in 2008 and involved sending official-looking subpoena emails to 20,000 senior corporate executives. The email indicated that the recipient was required to appear before a federal grand jury and contained the full name, company title, phone number, and other pertinent information to trick the recipient into believing it was legitimate.
It worked; about one-tenth of the recipients clicked a link to view the entire document. The link took the recipient to a website that informed the victim that he or she had to install a browser add-on to view the subpoena. Instead, the website downloaded keylogger software that was able to secretly record the executives’ login and password information. As a result, the companies were subject to hacking, some of which caused considerable damage.
Another common strategy for a whaling attack is to exploit the well-known name of the Better Business Bureau (BBB). In this scam, attackers send emails to owners of small and medium-sized businesses claiming to be from a BBB official about a complaint that was filed against the company. One version of the email invites the recipient to click on a link to see the complaint, but once again, the link downloads keylogger software or other malware designed to steal confidential information.
The BBB regularly issues warnings to businesses about these scams. The problem is, it’s often hard for victims to tell they’re being scammed at all until it’s too late.
How to Dodge a Harpoon
So what can companies do to protect themselves? Whaling poses a significant risk for companies, but the steps to prevent it are quite simple. The key is that companies need to be proactive and ensure that their employees follow a few common-sense rules. Here are a few guidelines for employees and executives to follow.
- Be Suspicious of Unsolicited Messages
Individuals should be suspicious of unsolicited phone calls or email messages asking about employees or other internal information. If an unknown person claims to be from a legitimate organization, his or her identity should be verified.
- Don’t Provide Personal or Corporate Information
Individuals should not provide personal or corporate information, including information about the company’s structure or networks, unless they are certain of a person’s authority to have that information.
In addition, individuals should not reveal personal or financial information in an email and should not respond to email solicitations for this information. This includes following links sent in emails.
- Avoid Sending Sensitive Information Over the Internet
In general, especially sensitive information should not be sent via email or over the internet.
- Pay Attention to URLs
Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain, which could signal a phishing attempt.
- Verify Email Requests
If an employee receives a suspicious email, he or she should try to verify it by directly contacting the company from which the email was purportedly sent.
- Be Informed
Information about phishing and whaling attacks is also available online from groups such as the Anti-Phishing Working Group, a nonprofit industry and law enforcement association focused on eliminating the fraud, crime, and identity theft that results from phishing, whaling, and email spoofing of all types.
The Next Big Catch
Organized crime continues to show an interest in spear phishing and whaling. As long as criminals can make money conducting these attacks, they will continue. For example, although the BBB scams have been going on for a long time, they continue to occur on a regular basis, judging by the frequency of BBB warnings on the subject.
In addition, spear phishing and whaling have become popular methods for advanced persistent threat campaigns, which are often launched by groups with ties to foreign governments. They are designed to infiltrate a company or agency in order to steal sensitive information or valuable intellectual property. These actors spend a long time deciding the most effective way to infiltrate an organization. Targeting senior corporate executives and business owners is often the ticket.
Get Wise
As long as individuals can be tricked into opening malicious emails, the practice of whaling will continue. It is up to senior executives to educate themselves about the dangers of whaling and how to prevent their companies from becoming victims.