What is a Whaling phishing attack and how to prevent it

Understanding Whaling Phising

What is Whaling?

Also referred to as “CEO fraud” in some circles, Whaling is a variation of the spear-phishing attack — commonly used in targeting a category of individuals who work at a company. Except in the case of Whaling, the category of individuals targeted is exclusively higher-ranking members within the organization, such as C-suite executives and board members.

Is Whaling like social engineering?

In a word, yes. It falls under the phishing umbrella, a subset of social engineering threats designed to gather privileged information and data, like passwords or access tokens from unsuspecting users through deception.

Does Whaling affect cybersecurity?

Since Whaling is classified as a social engineering threat, it most certainly can and does impact an organization’s security posture. The threats stemming from Whaling attacks vary, just like social engineering attacks et al, depending on the aim of the bad actor and the resources that are protected (or in this case, not protected). See examples below for insight into some ways Whaling attacks can impact your defenses.

Examples of Whaling phishing attacks

While far from exhaustive, below are three real-world examples of Whaling attacks and how they have compromised organizational cybersecurity:

1. 2016: Employees of Crelan Bank in the EU wired $75 million in funds to a bank account owned by threat actors after receiving email requests seeming to come from the bank’s CEO.
2. 2019: The CEO of a UK-based energy firm was asked by the CEO of his parent company to wire $243,000 to their Hungarian supplier via telephone. Only the call was fraudulently created by attackers using AI software to mimic the CEO’s voice.
3. 2020: Australian hedge fund company, Levitas Capital closes its doors after $8 million was lost — alongside its business reputation among clients. The culprit was a fake Zoom invite which allowed attackers to install malicious code that generated fake invoices.

Mechanics of a Whaling Phishing Attack

Breakdown of a Whaling Attack

• Recon: Threat actors perform extensive research on their executive or senior management target to gather details used to create convincing impersonations of them.
• Weaponization: Armed with the necessary information, threat actors create the actual content used to carry out the attack. While this is usually communicated via email, as part of a larger Business Email Compromise (BEC), whaling can also be carried out over:
  • SMS
  • Messaging and social media platforms
  • Spoofed phone calls
• Delivery: The message type is delivered to the intended victims, often with an urgent scenario that urges victims to react by performing an action that seemingly comes across as a C-suite or executive request.
• Exploitation: Depending on what actions the attackers are requesting, the victims could hand over confidential data, credentials used to access sensitive resources, further compromise systems in a larger-scale data breach or perform actions, like transferring or wiring funds, or paying “open” invoices.
• Fallout: The consequences of falling victim to whaling attacks are just as varied, depending greatly on the organization, the extent of the crime and the legal implications for the organization. (We discuss this in more detail later).

Targets of Whaling attacks

As mentioned previously, Whaling attacks target one specific group only. They may be:

• C-suite members:
  • CEO
  • CFO
  • COO
  • CSO
  • CISO
• Members of the Board of Directors
• Senior-level managers
  • Supervisors
  • Directors

Impact of Whaling Phishing Attacks

Potential consequences of Whaling attacks

Responses stemming from Whaling attacks can vary from one organization to the other and hinge greatly on any number of factors. Some common, real-world consequences of Whaling phishing attacks are:

• Mandated employee security training to combat future attacks
• Termination of employment for any responsible parties
• Loss of business competitive edge or operational capacity
• Negative impact on public reputation and/or industry standing
• Extensive financial losses which are often unrecouped
• Civil and/or criminal liability due to regulatory violation(s)
• Cease of business operations in part or in whole

Prevent Whaling

Guidelines to identify potential Whaling attacks

Whaling and to a greater degree, phishing attacks, have historically had telltale signs of certain criteria that strongly indicate a communication may be trying to phish (or perform whale phishing) on its target.

Though not always the case, below of some guidelines of things to be on the lookout for when you receive that next“urgent request” from an executive — it just might help you determine if it is a legitimate request or a scam waiting to happen:

• External emails: Many email services allow IT the ability to flag emails that are received from external sources. With this setting enabled, did you receive an email that purports to be from the CEO or Sr. Management, though the notification is present explaining that the email was received externally? If so, you may wish to report that email just in case since most sent/received within the organization’s employees occur internally — not externally.
• Urgency: Most social engineering attacks place urgency at the center of the campaign. Meaning that, by establishing a narrative that requires immediate, reactionary tasks to be performed (without time to ask questions or verify what’s being requested), the success of these campaigns is often attributed to the fast response times required of victims relating to the severity of the consequences.
• Consequences: The other side of the coin to urgency, is consequences. As in, “If you don’t perform the requested action immediately, then this will happen to you.” Dire consequences, threats, ultimatums and legal actions are some of the tactics threat actors use to intimidate targets into becoming victims.
• Confidentiality: Communication methods, though seemingly secure and perhaps even encrypted, are not generally considered ‘safe’ enough to discuss or exchange confidential data. This goes doubly for public platforms, like social media, for example. Receiving an email that explicitly tells you to keep the request to yourself out of concern for security while simultaneously asking you to provide private information or credentials is suspicious at best and potentially a social engineering attack at worst.
• Links and attachments: This is a tough one to spot because communication channels were designed with the ability to quickly and efficiently share links and attachments with colleagues. This ease of use however is exactly what threat actors are banking on when they craft their messages. Since it’s a “feature”, how bad could it be, right? Wrong and it can be plenty bad. Simply put: do not click on links or download/open attachments just in case.
• Verification: Requests of any kind, especially those that pertain to a financial matter — or any that are made out-of-band — should be verified in person. At the very least, verification by speaking with the requestor to ensure it is a legitimate request is a must before any actions are taken. Strict protocols should be enforced when any changes to account numbers or payment procedures are made to minimize the risk of falling victim to fraud.

Importance of awareness and education

There are many products and solutions available that are billed as resolving this security issue or mitigating that security concern. And while many of them may even work well enough, the fact remains that when it comes to Whaling, “An ounce of prevention is worth a pound of cure.” Benjamin Franklin said that in 1736, long before phishing, the internet or even computers as we know them today existed.

But the core message applies just as much today as it did centuries ago. Prevention is > remediation when it comes to cybersecurity.

There are some key solutions that are especially effective in combating social engineering when combined in a layered strategy, or defense-in-depth security plan. These are:

• Awareness of threats: How can you expect to protect yourself against threats when you aren’t even certain which threats affect you or in which ways they impact you? Learning about threats, their evolution, how they work, what they target, what their impact is on resources and how that applies to your unique requirements is a good first step toward protecting yourselves by becoming familiar with the threat actors’ tactics through information exchanges, open dialogues and professional development sessions for IT and Security teams.
• Ongoing training: Follow-up question: How do you expect employees to help keep business resources safeguarded when they don’t know what the latest threats they’re facing down against are? After all, they are not just your first line of defense but also part of the solution. Regularly scheduled training sessions that are baked in alongside aligning with other organizational policies ensure that employee security training evolves as threats do to keep employees informed. After all, security is everyone’s responsibility — not just IT.
• Develop secure protocols: While this tip could be applied as a general, company-wide, policy the focus of this blog is Whaling so we’ll recommend it more specifically to executive-level members since they serve as the target group for Whaling attacks. C-suite executives need to be more careful with their privacy data in relation to what is shared, where and who can see it. For example, enabling privacy restrictions on public-facing websites like social media profiles limits the amount of personal and business details available to a wider audience. Less information shared means less data in the pool available for threat actors to leverage against victims in their impersonation attempts.
• Evolve your security solutions: Security solutions are great but a policy that enforces strong, unique passwords is not going to prevent access to a confidential business resource when someone claiming to be the COO requests remote access to a computing device that has access to an HR database that contains all employee records and access is granted without question. However, implementing additional layers of endpoint security protection that could detect and respond to advanced persistent threats (APT) could make all the difference between identifying the threat quickly and remediating it or allowing it to linger, giving bad actors ample time to fully breach your data.

Conclusion

The future of Whaling?

Whaling phishing attacks are expected to continue in the foreseeable future. This isn’t speculation when agencies like the FBI, citing “a 1,300 percent increase in identified exposed losses” have and continue to weigh in on protective measures and guidance for organizations to better protect themselves against this growing segment of phishing threats.

Security Magazine, as part of a report conducted by GreatHorn on how prominent Whaling and Executive Impersonation attacks are, identified “59% of organizations say an executive has been the target of whaling attacks.” What’s worse than that? “46% say executives have fallen victim.”

Whaling + AI

Bridging the gap between phishing’s scalability and the per-message impact felt by Whaling is not the attack vector showcased in an episode of Mr. Robot. It is the AI-powered future of Whaling.

Referred to as Harpoon Whaling, Trend Micro explains that “Harpoon whaling can be extremely automated and can benefit from using a generative pre-trained (GPT) AI language model that can allow extremely successful targeted attacks to be made concurrently on curated distribution lists. These lists are composed of many executives or high-ranking officials, such as “all banking executives,” “all high-ranking police officials”, or “all politicians of country X.””

Encouragement for vigilance and education

“Don’t rely on e-mail alone.” — Federal Bureau of Investigations

The individual solutions mentioned in the previous section provide some levels of protection sure, but multi-level protection lies within the pairing of secure protocols and a solution that provides advanced threat detection and mitigation, along with remediation in case something wasn’t caught by ongoing employee training sessions.

Summary of key takeaways

• Whaling is a type of social engineering attack that exclusively targets higher-ranking members, such as executives and board members.
• The FBI has identified Whaling as one of the top phishing threats to organizations, generating $12 billion in losses.
• Real-word Whaling attacks across the world have contributed directly to data breaches of confidential information, loss of funds and business closures.
• Whaling attacks involve extensive, open-source reconnaissance by threat actors as they gather information on company executives to increase the success rate of impersonation attacks.
• Attacks are not just carried out by email, but also SMS, messaging and social media platforms and over the phone.
• Like other forms of phishing, urgency and dire consequences are two powerful tactics attackers rely upon to convince their victims to take action without verification.
• Employee training plays a significant role in not just educating users against threat types but also keeping them vigilant against evolving attack types to watch out for.
• 59% of organizations say an executive has been the target of whaling attacks and 46% say executives have fallen victim.
• Attacks that leverage AI to automate Whaling’s efficacy and phishing’s scalability are the future. Enter Harpoon Whaling.
• One-size-fits-all may stop one threat layer, yet a comprehensive solution combines endpoint security software with end-user training and evolved security protocols for defense-in-depth.