Whaling
What is it and how can we defend against it
Whaling is a sophisticated form of phishing attack that targets high-level executives such as CEOs, CFOs, and other senior decision-makers within an organisation. Unlike standard phishing, which casts a wide net to catch unsuspecting users, whaling is highly targeted and personalised – hence the name, as it goes after the “big fish.”
What Makes Whaling Different from Regular Phishing?
| Feature | Regular Phishing | Whaling |
|---|---|---|
| Target | General users | Executives (CEO, CFO, etc.) |
| Content | Generic (e.g., fake bank alerts) | Highly personalized and convincing |
| Goal | Steal credentials, install malware | Authorize wire transfers, leak sensitive data |
| Tactics | Mass emails | Spear-phishing with detailed research |
How Whaling Attacks Work
The process begins with extensive research. Cybercriminals gather information about their target from public sources like LinkedIn, company websites, press releases, and social media. This intelligence helps them craft convincing emails that appear to come from trusted sources—often mimicking internal communications or business partners.
- Reconnaissance: Attackers research the target using LinkedIn, company websites, press releases, and social media.
- Spoofing: They create fake email addresses or domains that closely resemble legitimate ones.
- Social Engineering: The message may appear to come from a trusted colleague or partner, often with urgent language.
- Payload: The email might:
  - Request a wire transfer
  - Ask for sensitive documents
  - Contain a malicious link or attachment
A typical whaling email might:
- Request an urgent wire transfer
- Ask for confidential employee or client data
- Contain a malicious link or attachment disguised as a business document
These emails are often free of the spelling and grammatical errors that give away traditional phishing attempts. They use social engineering tactics to exploit trust, authority, and urgency, making them particularly dangerous.
How to Prevent Whaling Attacks
- Employee Training: Teach executives to recognise suspicious emails.
- Email Filtering: Use advanced spam filters and domain authentication (e.g., SPF, DKIM, DMARC).
- Multi-Factor Authentication (MFA): Adds a layer of security even if credentials are compromised.
- Verification Protocols: Always verify large financial requests through a second channel (e.g., phone call).
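As an added example (not part of the original article), the following Python scores an inbound message for the indicators described above: a lookalike sender domain, an executive's display name on a non-corporate address, a mismatched Reply-To, a failed DMARC result reported by the receiving gateway, and urgent financial language. The organisation domain, the executive list and the sample message are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Hypothetical organisation and protected executives (constructed for this example).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real address
URGENCY = re.compile(r"\b(urgent|immediately|wire transfer|confidential|asap)\b", re.I)

def levenshtein(a, b):  # edit distance; fine for short domain strings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_message(raw):
    """Return the list of whaling indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # 1. Lookalike sender domain (e.g. examp1e.com standing in for example.com)
    if domain != ORG_DOMAIN and levenshtein(domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    # 2. Display name of a known executive paired with a non-corporate address
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append("executive-display-name-mismatch")
    # 3. Reply-To steering answers away from the apparent sender
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        findings.append("reply-to-mismatch")
    # 4. Authentication-Results header (added by our own gateway) reporting DMARC failure
    auth = msg.get("Authentication-Results", "")
    if re.search(r"dmarc=fail", auth, re.I):
        findings.append("dmarc-fail")
    # 5. Urgency or financial-request language in subject or (single-part) body
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgent-financial-language")
    return findings

# Constructed sample message imitating a whaling attempt (not a real capture).
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-relay.example.net
Subject: Urgent wire transfer needed today
Authentication-Results: mx.example.com; dmarc=fail header.from=examp1e.com

Please process the attached invoice immediately and keep this confidential.
"""
```

A message that trips several of these indicators at once is a strong candidate for the second-channel verification step listed above rather than for automatic action.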