What is a whaling attack and how do you prevent it?

You get a letter from a CEO asking you to urgently transfer a million dollars to another company’s account to close a critical contract. Sounds important! You immediately initiate the transfer. The next day, you realize that you wired the money to a fraudster and did substantial financial damage to your company. You have become a victim of a whaling attack. Learn what whaling is and how to prevent it below.

What is whaling?

A whaling cyberattack is when fraudsters target specific higher-ranking employees in a company. By impersonating a senior executive, they try to extract sensitive information or money from their victims. They do this by sending emails or contacting employees in other ways (social media, instant messaging, even a phone call, etc.). Usually, they ask the victim to send something quickly because they need it as soon as possible. There is typically a sense of urgency in whaling messages.

Research is key for a whaling attack to succeed. Cybercriminals scan the company’s social media pages, employee profiles, and other publicly available information to make their emails look more genuine. They can even contact the company’s employees just to get the organization’s tone of voice and communication patterns. Due to its highly personalized nature, this social engineering technique is difficult to detect and can affect even very cautious users.

Whaling examples

  1. In 2016, Seagate’s HR department received an email from a scammer impersonating the company’s CEO. They sent the requested data, leaking the personal details of about 10,000 employees.
  2. Austrian plane company FACC lost 56 million dollars to whalers in January 2016. Its CEO and CFO lost their positions as a result of the attack.
  3. In 2016, a Snapchat employee revealed staff payroll information to a whaler.

Phishing and whaling

While whaling uses similar techniques to phishing, it is also significantly different. Phishing is the blasting of non-personalized emails to lots of random people, hoping to trick some of them. This usually involves generic requests like asking to click on a link, entering your credentials, etc. Phishing emails are easier to identify for the average user as they are not as well-researched and carefully crafted as whaling messages. Phishing emails have low success rates.

By contrast, whaling is a highly targeted and well-researched attack aimed at a few individuals or even a single one. It is much like the spear-phishing technique. However, spear phishing can target less-specific employees of a particular company and not necessarily those of a senior rank.

Solutions to whaling

To prevent becoming a victim of whaling, consider the following actions:

  • Contact the impersonated person using other methods if you have even the slightest suspicion that the message is attempted whaling. This is especially important if a person asks you to disclose sensitive data or make a money transfer. A company can implement double-checking as a formal company requirement for sensitive procedures;
  • Look for red flags in the email. Carefully check whether the email address contains any irregularities. Grammar mistakes or a sense of urgency can also be indicators of a whaling cyber attack;
  • Use security systems that can filter out suspicious external emails. NordVPN’s Threat Protection feature is also a handy tool for that as it can help you to identify malicious files and websites;
  • Educate yourself and your colleagues about the dangers and possibilities of such cyberattacks;
  • Hide employee data, even if it seems harmless (e.g., birthdays, important dates, relations between colleagues, internal rules, etc.). Also, limit how much work-related data you post on social media and instruct your colleagues to do the same. This will make the cybercriminals’ research harder;
  • Secure sensitive procedures or large money transfers by requiring more than one person to complete them. For example, it might require the authentication of another senior employee.
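
The red flags listed above (an executive's name on an external address, irregularities in the sender's address, urgent wording) can be checked automatically by a mail filter. The following Python sketch is an added example, not code from the original article or from NordVPN; the domain `example.com`, the executive names, the keyword list and the sample message are constructed assumptions, and the Reply-To check is a common extra heuristic the article does not mention.

```python
import email
from email.utils import parseaddr

# Assumptions for this sketch: the organisation's domain, its executives'
# names and the urgency phrases below are constructed placeholders.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}
URGENCY = ("urgent", "immediately", "as soon as possible", "asap", "today")

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(raw_message):
    """Return the list of whaling indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    external = domain != ORG_DOMAIN
    if external and name.strip().lower() in EXECUTIVES:
        flags.append("executive display name on external address")
    if external and 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
        flags.append("lookalike sender domain")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        flags.append("Reply-To domain differs from From domain")
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + str(body)).lower()
    if any(phrase in text for phrase in URGENCY):
        flags.append("urgency wording")
    return flags

# Constructed sample message: note "examp1e.com" instead of "example.com".
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.office@mail.test
Subject: Wire transfer needed today

Please send the payment immediately, I am in a meeting and cannot talk.
"""

if __name__ == "__main__":
    print("\n".join(red_flags(SAMPLE)))
```

A hit on any of these indicators is a reason to verify the request through another channel, as the first point in the list recommends; keyword and distance heuristics like these also produce false positives on legitimate mail.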