Whaling attacks are a deadly combination of spear-phishing and social engineering. Like phishing attacks, the attempts of the perpetrators are similar – to get a target to reveal confidential data or even get tricked and send money.
But whaling attacks operate on a far more dangerous level. Here, cybercriminals plan their attack in great detail. The targets mostly consist of senior executives at an organization. A lot of preparation is put in to research the target. Broadly speaking, the attack happens through the following scenario:
How Mike got scammed
Mike heads the procurement division of his global company. During a typical workday, where he has a lot of projects on his mind, he receives an email from the CEO of his company. Mike knows the CEO well and the email doesn’t create any suspicion in his mind as it references previous discussions he has had with the CEO. It’s also written exactly in the way the CEO normally writes. At the end of the email, the CEO asks Mike to send across procurement records for the last financial year which needs to be presented to the board.
The request doesn’t strike Mike as strange or untoward in any way. In any case, it’s the CEO of the company who’s asking for information. So Mike doesn’t think twice before responding to the email and sends over the procurement record that was asked for.
Two weeks later, Mike is hauled up in front of IT. The CEO had never sent such an email. It had been an impersonator. Mike sent the scammer extremely valuable information: the company’s procurement record. It’s a huge scandal and the company now needs to do some massive damage control. A single inadvertent error has left Mike with his job on the line.
Whaling: a cunning tactic
As the above scenario illustrates, whaling attacks only require one misstep from an employee to succeed. The other reason why they succeed is the pressure of social engineering as well – whaling emails are mostly always disguised as coming from a senior functionary (CEO or someone else from the C-suite) and needing their information urgently. An employee would not want to disappoint their CEO and hence, they don’t think twice before sending over the information that has been requested.
It’s not just confidential company data – whaling attacks can lead to financial losses as well. Instead of asking for company data, the whaling email could request for the transfer of money. This happened with toy giant Mattel in 2016: a Chinese cybercriminal gang impersonated the new CEO to send an email to a high-level executive, asking for three million dollars to be transferred to a bank in China. The executive believed that the email came from the CEO and transferred the money, only to later realize that no such request had come! Thankfully, they managed to avert the situation as the next day was a public holiday in China.
Whaling attacks can be minimized by ensuring employees are aware of their dangers and maintain a strict information security policy. Employees should constantly be reminded to check emails for their authenticity, whoever they receive these from. They must be extremely careful about posting company information on social media platforms.
Get in touch with us to know more about whaling scams and how we can help.