Whaling Attacks: How To Stay Safe From This Hidden Cyber Threat

A sophisticated form of phishing, whaling attacks go straight for the “big fish” of an organisation – aka the CEO and the executives. Often referred to as CEO fraud or executive phishing, these attacks are slick and highly personalised, making them harder to spot and consequently, more successful.

A successful whaling attack can lead to significant financial loss and damage to your company’s reputation. In 2020, for example, Sydney hedge fund Levitas Capital fell victim to a whaling attack, resulting in a staggering loss of over $8.7 million. After the fallout, its founders had no choice but to close down. This incident underscores the severity of whaling attacks and their potential to cause irreparable financial damage.

In this comprehensive guide, you will gain a thorough understanding of whaling attacks and their implications. You’ll learn why these attacks are uniquely dangerous and how they are carried out. Most importantly, you’ll discover practical strategies to fortify your defences and safeguard your organisation against this insidious threat. 

Before we dive in, let’s quickly introduce the key tech terms you’ll be encountering throughout the guide.

Glossary of IT terms

Phishing attacks: A cybercrime where criminals pose as a legitimate institution and contact targets by email, telephone, or text message with the aim of tricking them into divulging sensitive data.

Endpoint: Any device that establishes a connection to a network for the purpose of transmitting and receiving data. These devices, which can range from desktop computers and mobile devices to servers and Internet of Things (IoT) devices, serve as the communication points where information is exchanged within the network.

Spoofed Email: An email whose sender address or display name has been forged so that it appears to come from a known contact when it does not.

Multi-factor Authentication: A security method that requires you to provide two or more proofs of identity to access your account, like a password and a text message code.

What Is a Whaling Attack?

A whaling attack is a strategic phishing attack that’s usually disguised as an email from a known (or at least safe) contact. The attacker builds trust before gradually extracting key information from the target. The ultimate aim is to access sensitive areas of the network, passwords, or other user information. These attacks can happen quickly but are often executed over weeks or months.

Unlike regular phishing attacks that cast their nets wide, whaling attacks are highly targeted, focusing on high-profile individuals within an organisation. These individuals – often top executives, senior management, or the business owners themselves – have access to valuable and sensitive information, making them attractive targets for ambitious cyber criminals.

How Do Whaling Attacks Work?

Whaling attacks are meticulously crafted to deceive the target. The attacker typically impersonates a trusted contact, such as a fellow executive, a known vendor, or even a personal acquaintance. The communication method will usually be one commonly used by the person being impersonated and the target, such as email or office messaging.

The attacker may begin by infiltrating the email account of the person they are impersonating. Once inside, they can create an email from the person’s account that will come with an in-built layer of trust. Of course, if something sounds off, the target may realise it’s not a legitimate communication. So the criminals will usually include personal details or references they’ve gleaned from internet research or social media, making the content seem more personal and legitimate. 

If the attacker can’t gain access to a suitable email account, they may create a spoofed email. These are easier to spot (more on that below) but still seem legitimate at a glance. Either way, the goal of the attacker is to establish the target’s genuine trust. They do this by providing “proof” that they are who they claim to be. 

If the attacker moves too quickly, the target may become suspicious. However, if done correctly, the target may not suspect the attacker’s true intentions and may willingly hand over sensitive information.

Whaling Attack Examples

Levitas Capital

As touched on briefly in the intro, one of the co-founders of Australian hedge fund Levitas Capital was targeted by a whaling attack in late 2020. The attacker sent a fake Zoom link that, once clicked, installed malware on the company’s network. As a result, the hedge fund suffered a significant financial loss of over $8.7 million. Unfortunately, the fallout of this event put the founders in a position where they had no choice but to close.

Ubiquiti Networks Inc.

In 2015, a Hong Kong subsidiary of Ubiquiti Networks Inc. lost US$39.1 million to a whaling attack. In this case, a finance employee was tricked by a fake email. This whaling attack example is particularly sobering when you realise that just one small mistake with a fake email led to such an astonishing financial loss.

Mattel

Staying in 2015 for a few minutes more, let’s take a quick look at the time a finance executive from toy manufacturing giant Mattel fell for a whaling attack. Cybercriminals silently infiltrated Mattel’s network, studying the company’s internal procedures for weeks as they waited for the perfect moment to strike. 

When Mattel appointed a new CEO, the attackers knew the time was right. They crafted an email from the new CEO to the finance department, requesting a $3 million payment to a Chinese supplier. An unsuspecting finance executive authorised the transfer, but just hours later, the real CEO denied ever having sent such an email. Despite the initial panic, Mattel was able to freeze the bank account in China before the funds could be withdrawn, eventually recovering the money.

These whaling attack examples highlight the potential severity of whaling attacks and the importance of implementing robust cybersecurity measures to protect against them. They also underscore the need for continuous education and awareness among employees, particularly those in high-ranking positions.

Differences from Other Phishing Attacks

While whaling attacks are technically a form of phishing, they differ significantly from other common phishing attacks. The main difference lies in the target of the attack. While phishing attacks can and do target anyone, whaling attacks zero in on high-ranking individuals. 

Since they’re focusing on the “whales” of the organisation, the attacks must be more sophisticated, well-researched, and well-timed than other forms of phishing attack. When attackers send out phishing emails en masse, they’re playing a numbers game, so they don’t have to be so careful. However, when it’s just one person being targeted, their chances of success are slim unless they create a perfectly timed and brilliantly executed attack. 

The Future of Whaling Attacks

Recent research indicates a new trend in whaling attacks: AI-powered harpoon whaling. This involves highly targeted whaling attacks on specific groups of powerful individuals. As the name suggests, cybercriminals use AI tools to automate their attacks. This method drastically reduces the effort needed to attack executives, adding extra weight to the danger of whaling attacks.

How Can Business Owners Avoid Whaling Attacks? 

To protect against whaling attacks, it’s crucial to implement strong cybersecurity measures. These include:

  • Check carefully for spoofed email addresses or names: Cybercriminals often use email spoofing in whaling attacks, where the email appears to come from a trusted source. Always verify the sender’s email address and look for any slight alterations or unfamiliar domains.
  • Think before you click: Phishing attacks often involve deceptive links. So always give yourself a moment to think and check before you click. If a link or an attachment seems suspicious, consult with your IT department or managed service provider before doing anything with it.
  • Use strong, unique passwords and change them regularly: Strong and unique passwords make it harder for attackers to access your accounts. Regularly updating your passwords can further enhance your security.
  • Treat yourself and all company executives to regular cyber training: Cybersecurity training for executives is crucial as it helps them understand the risks and safeguards against cyber threats. This knowledge can help instil a strong cybersecurity culture in the company. There are plenty of places to save money in your IT budget, but cyber security training is not one of them. 
  • Implement multi-factor authentication (MFA): MFA adds an extra layer of security by requiring users to provide two or more verification factors to access a resource. It’s a powerful deterrent against cyber attacks.
  • Manage privileges: Limiting user access to only include what’s absolutely necessary for each role can significantly reduce the risk of a successful attack. Regular audits of user privileges will ensure access rights are relevant and up-to-date.
  • Install anti-phishing software: Anti-phishing software can identify and block phishing content, protecting users from deceptive emails and websites. If you’re working with a managed services provider like Invotec, you should already have this protection. However, it’s always worth talking to your MSP or internal IT department to be sure. 
  • Practice vendor due diligence: Ensure any business you regularly interact with is following robust security practices. Whether it’s your suppliers, B2B customers, or businesses you have partnerships with, this can help prevent security breaches that originate from third-party vendors.
  • Continuously scan every endpoint: Regular scanning of all endpoints can help you detect vulnerabilities or malicious activities early, allowing for quicker response and remediation.
  • Monitor user behaviour: Unusual user behaviour can often be a sign of a security breach. Monitoring can help you detect anomalies and stop attacks in their tracks. MSPs like Invotec offer 24/7 monitoring for precisely this reason.
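As an added example (not Invotec's tooling and not code from the original article), the Python script below implements the first check in the list above in a form a mail gateway or analyst could run: it reads a message's headers, compares the sender's domain against the organisation's real domains after collapsing common character substitutions (rn for m, 1 for l, and so on), flags a display name that belongs to a known executive but arrives from a different address, and flags a Reply-To domain that differs from the From domain. The trusted domains, executive directory and sample headers are all constructed for the illustration; the `.invalid` domain is a reserved name that never resolves.

```python
"""Flag sender-spoofing indicators in email headers (defensive check).

All domains, names and sample messages are constructed for this example;
replace TRUSTED_DOMAINS and KNOWN_EXECUTIVES with your organisation's own.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed directory: the organisation's real sending domains and the
# address each executive actually sends from.
TRUSTED_DOMAINS = {"example.com"}
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Character substitutions commonly seen in look-alike domains (not exhaustive).
MULTI_CHAR_CONFUSABLES = (("rn", "m"), ("vv", "w"))
SINGLE_CHAR_CONFUSABLES = str.maketrans("0135", "oles")


def normalise_domain(domain: str) -> str:
    """Collapse known substitutions so a look-alike compares equal to the real domain."""
    d = domain.lower().strip(".")
    for fake, real in MULTI_CHAR_CONFUSABLES:
        d = d.replace(fake, real)
    return d.translate(SINGLE_CHAR_CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character typosquats such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalise_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(norm, normalise_domain(trusted)) <= 1:
            return trusted
    return None


def check_headers(raw_message: str) -> List[str]:
    """Return human-readable spoofing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []

    # Internationalised or punycode domains are a common look-alike vehicle.
    if not from_domain.isascii() or any(p.startswith("xn--") for p in from_domain.split(".")):
        findings.append(f"internationalised/punycode sender domain: {from_domain}")

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} looks like trusted domain {imitated}")

    # A familiar executive name on an unfamiliar address is the classic whaling tell.
    real_addr = KNOWN_EXECUTIVES.get(display_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        findings.append(f"display name '{display_name}' belongs to {real_addr}, not {from_addr}")

    # Replies silently redirected elsewhere suggest the From header is only a disguise.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr:
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


# Constructed sample headers; not real messages.
SUSPICIOUS = """\
From: "Jane Doe" <jane.doe@exarnple.com>
Reply-To: <jane.doe.ceo@mailer.invalid>
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

LEGITIMATE = """\
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget

See attached.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, check_headers(raw) or ["no spoofing indicators"])
```

Run against the suspicious sample, the script reports three indicators (look-alike domain, executive display name on a foreign address, and a Reply-To pointing elsewhere); the legitimate sample produces none. The normalisation table is deliberately small and the edit-distance threshold of one keeps false positives down; widening either raises recall at the cost of more manual review.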

Want to learn more about the fundamentals of cyber security in general? Visit our guide covering the pillars of strong cyber security for business owners.  

Staying safe from cyber threats

Whaling attacks are a serious concern for businesses. We’ve discussed what they are, how they work, and the steps you can take to protect your organisation. Implementing these security measures can help reduce the risk of falling victim to such attacks. However, cybersecurity is not a one-time effort. It requires ongoing vigilance and adaptation to new threats. This is where we can help.

Our IT experts are ready to assist you in strengthening your defences and ensuring your business is prepared for potential cyber threats. If you have any questions or if you’re ready to enhance your cybersecurity, we’re here to help. Contact us today to get started. 

Invotec Solutions