A targeted form of social engineering phishing that goes after, or impersonates, a company's most senior people. Where ordinary phishing is generic and can be sent to anyone, a whaling attack is preceded by research into the target organisation: who the executives are, who reports to them, and how they write. The attacker then poses as a senior executive (or targets the executive directly) to obtain a payment or extremely sensitive information that can be held for ransom or sold for a large profit. The attack works because a direct, urgent order that appears to come from your boss's boss makes the recipient panic, drop their guard, and carry out the request (such as transferring a large sum of money) without stopping to verify it.
Real-life whaling examples
- In 2016, an employee in Seagate's HR department received an email from a scammer posing as the company's CEO and asking for employee tax records. The employee sent the data, leaking the personal details (W-2 forms) of about 10,000 current and former employees.
- In 2016, the Austrian aerospace parts manufacturer FACC lost about 56 million dollars to a whaling scam in which attackers posing as the CEO requested a large transfer. Both the CEO and the CFO were dismissed as a result of the attack.
How to prevent whaling
- If a message asking for money or sensitive data appears to come from a senior person, verify it out of band: call them on a number you already have (not one given in the message) or speak to them in person. Do not verify by replying to the email, since a forged Reply-To sends your reply to the attacker.
- Get into the habit of checking emails for signs of forgery. At the very least, look at the actual sender address rather than the display name, and watch for lookalike domains (a swapped, added or missing character) and a Reply-To address that differs from the From address.
- Limit how much information about your employees, their roles and their reporting lines is published online; that is exactly what the attacker's research relies on.
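The header checks above can be automated at the mail gateway or in a triage script. The following is an added example, not code from the original page; it assumes the organisation's domain is example.com, that a small executive directory maps display names to their real addresses, and a short list of pressure and payment phrases. Both sample messages are constructed for the example.

```python
"""Heuristic whaling / CEO-fraud indicators for an inbound email.

Added example (not from the original page). Assumptions: the corporate
domain is example.com, EXECUTIVES is a hypothetical directory of senior
staff, and URGENT_TERMS is an illustrative phrase list.
"""
import email
from email import policy
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                                  # assumed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}            # assumed directory
URGENT_TERMS = ("wire transfer", "urgent", "confidential",
                "w-2", "gift cards")                         # illustrative list


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _lookalike(domain: str, corp: str) -> bool:
    """Cheap typosquat check: the corporate name embedded in another domain
    (example-payments.com) or a same-length domain differing by one character
    (examp1e.com)."""
    if domain == corp:
        return False
    base = corp.split(".")[0]
    if base in domain:
        return True
    if len(domain) == len(corp):
        return sum(a != b for a, b in zip(domain, corp)) == 1
    return False


def whaling_indicators(raw_message: str) -> list:
    """Parse a raw RFC 5322 message and return a list of human-readable
    findings. An empty list means no indicator fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply = parseaddr(str(msg.get("Reply-To", "") or ""))
    findings = []

    # 1. Display name belongs to a known executive but the address does not.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append("display name matches executive but address differs")

    # 2. Sender domain is a lookalike of the corporate domain.
    dom = _domain(addr)
    if dom != CORP_DOMAIN and _lookalike(dom, CORP_DOMAIN):
        findings.append(f"lookalike sender domain: {dom}")

    # 3. Replies are redirected to a different domain than the sender's.
    if reply and _domain(reply) != dom:
        findings.append(f"Reply-To domain differs from From: {_domain(reply)}")

    # 4. Urgency / payment / secrecy language in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " +
            (body.get_content() if body else "")).lower()
    hits = [t for t in URGENT_TERMS if t in text]
    if hits:
        findings.append("pressure/payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.ceo.private@gmail.com
To: finance@example.com
Subject: Urgent - confidential wire transfer
Content-Type: text/plain; charset=utf-8

I am in a meeting and need you to process a wire transfer of $48,000
today. This is confidential; do not discuss it with anyone.
"""

LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget summary
Content-Type: text/plain; charset=utf-8

Please see the attached Q3 budget summary for review.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, whaling_indicators(sample))
```

None of these checks is proof of fraud on its own; a single one-character domain difference or a Reply-To to a personal address is enough to justify the out-of-band phone call recommended above.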