You get a letter from a CEO asking you to urgently transfer million dollars to another company’s account to close a critical contract. Sounds important! You immediately initiate the transfer. The next day, you realize that you wired the money to a fraudster and did substantial financial damage to your company. You have become a victim of a whaling attack. Learn what whaling is and how to prevent it below.
A whaling attack is when fraudsters target specific higher-ranking employees in a company. By impersonating a senior executive, they try to extract sensitive information or money from their victims. They do this by sending emails or trying to contact employees in other ways (social media, instant messaging, even a phone call, etc.). Usually, they ask to send something quickly because they need it as soon as possible. There is typically a sense of urgency in whaling messages.
Research is key for a whaling attack to succeed. Cybercriminals scan the company’s social media pages, employee profiles, and other publicly available information to make their emails look more genuine. They can even contact the company’s employees just to get the organization’s tone of voice and communication patterns. Due to its highly personalized nature, this social engineering technique is difficult to detect and can affect even very cautious users.
While whaling uses similar techniques to phishing, it is also significantly different. Phishing is the blasting of non-personalized emails to lots of random people, hoping to trick some of them. This usually involves generic requests like asking to click on a link, entering your credentials, etc. Phishing emails are easier to identify for the average user as they are not as well-researched and carefully crafted as whaling messages. Phishing emails have low success rates.
By contrast, whaling is a highly-targeted and well-researched attack aiming at a few or even a single individual. It is much like the spear-phishing technique. However, spear phishing can target less-specific employees of a particular company and not necessarily those of a senior rank.
To prevent becoming a victim of whaling, consider the following actions:
To learn more about cybersecurity, subscribe to our monthly blog newsletter below!