
What is a whaling attack, and how do you prevent it?

A whaling attack is a type of phishing attack that can bring even the biggest businesses to their knees. It targets high-level executives to convince them to share sensitive information, wire money to fraudulent accounts, or otherwise harm the company. In this article we discuss the peculiarities of whaling attacks and ways to protect against them.


What is a whaling attack?

A whaling attack is a type of cybercrime that falls into the category of social engineering attacks (more specifically, phishing attacks). The perpetrators usually masquerade as legitimate, known, and trusted members of the enterprise to encourage the victims (usually higher-ranking employees in a company) to share sensitive information or money.

The common modus operandi of whaling attacks does not differ from phishing: the threat actor sends emails containing malicious links, often with a forged sender address (email spoofing), or tries to contact employees via social media, instant messaging, or even phone calls. Scammers also exploit cognitive biases (for example, urgency bias) by asking the victim to send something quickly because they need it as soon as possible. A forced sense of urgency is the most common sign of a whaling attack.

For whaling attacks to succeed, cybercriminals have to perform thorough research. That often includes scanning the company’s social media pages, employee profiles, and other publicly available information to make their emails look more genuine. Due to its highly personalized nature, whaling is difficult to detect and can affect even very cautious users.

What are the consequences of a whaling attack?

Falling victim to a whaling attack can cause significant financial, reputational, and legal damage to the company. Successful whaling attacks often result in data breaches, monetary theft, and leaked trade secrets. In addition, whaling attacks can leave companies and their employees susceptible to lawsuits, fines, and loss of trust from their customers and stakeholders.

Whaling examples

  • In 2016, Seagate’s HR department received an email from a scammer impersonating the company’s CEO. The HR department ended up sending the requested data, leaking the personal details of about 10,000 employees.
  • In 2016, a whaler posing as the CEO sent an email to a Snapchat payroll department employee, requesting payroll information. The employee complied, exposing sensitive information of current and former employees. Although the company experienced no financial loss, the breach exposed personal information, leading to potential identity theft and privacy concerns.
  • The Austrian aircraft company FACC lost $56 million to whalers in January 2016. Its CEO and CFO lost their positions as a result of the attack.

Whaling and phishing – what are the differences?

In a sense, whaling is a more sophisticated type of phishing. While phishing describes the broad process of scamming people into taking action, whaling refers to a specific type of target: senior employees and CEOs of large companies.

In addition, phishing works by blasting non-personalized emails to lots of random people, hoping to trick some of them. This usually involves generic requests like asking you to click on a link or enter your credentials. Phishing emails are easier for the average user to identify because they are not as well-researched and carefully crafted as whaling messages. Because social engineering attacks are so widespread, people are more aware of phishing, which results in lower attack success rates.

By contrast, whaling is a highly targeted and well-researched attack aimed at a few or even a single individual. It is much like the spear-phishing technique. However, spear phishing can target any employee of a particular company and not necessarily those of a senior rank. Since scammers often do their homework, the victims are usually handpicked strategically, with priority given to the most credulous (usually relatively new or impressionable) employees.

How can you protect yourself from whaling attacks?

Protecting yourself from whaling attacks requires vigilance and attentiveness. To safeguard yourself and your company, carefully evaluate every work email that asks you to wire money or disclose any other sensitive information. You can also take the additional precautions below.

Double check with the real person

Contact the impersonated person using another channel if you have even the slightest suspicion that the message is attempted whaling. This is especially important if a person asks you to disclose sensitive data or make a money transfer. A company can make such double-checking a formal requirement for sensitive procedures.

Carefully review and filter emails

Look for red flags in the email. Carefully check whether the sender's email address contains any irregularities. Grammar mistakes or a sense of urgency can also be indicators of a whaling cyberattack. Additionally, use security systems that can filter out suspicious external emails. NordVPN’s Threat Protection Pro feature is also a handy tool that can help you identify malicious files and websites.
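The two sections above (checking with the real person and reviewing emails) describe checks a mail-filtering rule or a mailbox add-on can apply before anyone acts on a request. The script below is an added example, not code from the article or from NordVPN: it parses raw messages, scores the red flags the text names (an irregular sender address and a forced sense of urgency) plus two related header checks (a look-alike company domain and a Reply-To that points elsewhere), and returns a verdict of "verify out of band" rather than a block decision. The executive directory, company domain, keyword lists and the two sample messages are all constructed for illustration.

```python
"""Heuristic screen for executive-impersonation (whaling) emails.

Added example. Scores a raw RFC 5322 message against the red flags the
article names and two related header checks. The output is advice to
verify with the real person through another channel, never a block.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed directory: the real address of each executive and the
# company's genuine domain. A deployment would read these from HR/IdP.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",
    "John Smith": "john.smith@example.com",
}

URGENCY_PATTERNS = [
    r"\burgent(ly)?\b", r"\bas soon as possible\b", r"\basap\b",
    r"\bimmediately\b", r"\bright away\b",
    r"\bbefore (end of|close of) (day|business)\b",
    r"\bconfidential\b", r"\bdo not (tell|discuss|share)\b",
]
SENSITIVE_ASK = [
    r"\bwire (transfer|the funds)\b", r"\bw-?2s?\b", r"\bpayroll\b",
    r"\bbank (account|details)\b", r"\bgift cards?\b",
    r"\bpersonal (data|details|information)\b",
]
# Character swaps commonly used to forge a look-alike domain.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

VERIFY = "verify out of band before acting"
REVIEW = "review"
CLEAN = "no whaling indicators"


def domain_of(addr):
    """Return the domain part of an address, lower-cased ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalize(domain):
    for src, dst in HOMOGLYPHS:
        domain = domain.replace(src, dst)
    return domain


def _edit_distance_at_most_one(a, b):
    """True if a and b differ by at most one substitution/insertion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    if len(a) > len(b):
        a, b = b, a
    i = j = 0
    skipped = False
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
        elif not skipped:
            skipped, j = True, j + 1
        else:
            return False
    return True


def is_lookalike(domain, legit):
    """True when `domain` imitates `legit` but is not actually it."""
    if domain == legit:
        return False
    if domain.startswith(legit + "."):      # legit.com.attacker.net
        return True
    nd, nl = _normalize(domain), _normalize(legit)
    return nd == nl or _edit_distance_at_most_one(nd, nl)


def screen_message(raw):
    """Parse a raw message and return {'verdict', 'findings', 'from'}."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    display, addr = display.strip(), addr.lower()
    sender_domain = domain_of(addr)

    # Header checks: who the message claims to be from vs. where it is from.
    if display in EXECUTIVES and addr != EXECUTIVES[display]:
        findings.append(f"display name '{display}' but address {addr} "
                        f"is not {EXECUTIVES[display]}")
    if sender_domain and is_lookalike(sender_domain, COMPANY_DOMAIN):
        findings.append(f"sender domain {sender_domain} resembles {COMPANY_DOMAIN}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to.lower()) != sender_domain:
        findings.append(f"Reply-To {reply_to} differs from From domain")
    header_flags = len(findings)

    # Content checks: urgency cues and requests for money or data.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    urgency = [p for p in URGENCY_PATTERNS if re.search(p, text)]
    asks = [p for p in SENSITIVE_ASK if re.search(p, text)]
    if urgency:
        findings.append(f"urgency language ({len(urgency)} cue(s))")
    if asks:
        findings.append(f"requests sensitive data or money ({len(asks)} cue(s))")
    content_flags = len(findings) - header_flags

    if header_flags and content_flags:
        verdict = VERIFY
    elif header_flags or content_flags >= 2:
        verdict = REVIEW
    else:
        verdict = CLEAN
    return {"verdict": verdict, "findings": findings, "from": addr}


# Constructed sample messages (not real incidents).
WHALING = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail-example.net
To: payroll@example.com
Subject: Urgent: W-2 data needed today

Hi,
I need the W-2s for all employees as soon as possible for an audit.
Please send them before end of day and keep this confidential.
Jane
"""
BENIGN = """From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Subject: Q3 all-hands slides

Hi, attaching the draft agenda for Thursday. Comments welcome by Friday.
Jane
"""

if __name__ == "__main__":
    for sample in (WHALING, BENIGN):
        result = screen_message(sample)
        print(result["from"], "->", result["verdict"])
        for f in result["findings"]:
            print("   ", f)
```

The verdict deliberately separates header findings (who the mail claims to be from) from content findings (what it asks for): a genuine executive can write an urgent internal note, and an outsider can send a bland one, but the combination of a mismatched sender and a pressured request for money or personal data is the pattern worth routing to a phone call or a chat message to the real person.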

Use multi-factor authentication (MFA)

When working with sensitive data and financial transfers, MFA is a must. Using this measure as a safeguard against whaling can significantly reduce the chances of becoming a victim. Consider using MFA to verify the wire transfer and sensitive data requests before granting them permission, and keep an eye on outside emails for malicious traffic and other cybersecurity threats.

Protect employee data

Hide employee data, even if it seems harmless (such as birthdays, important dates, relationships between colleagues, or internal rules). Also, limit how much work-related data you post on social media and instruct your colleagues to do the same. This will make the cybercriminals’ research harder.

Review and update your company’s data protection policies

Secure sensitive procedures or large money transfers by requiring more than one person to complete them. For example, a transfer might require sign-off from another senior employee. In addition, educate yourself and your colleagues about the dangers and possibilities of such cyberattacks.
