Whaling is a type of spear phishing in which threat actors directly target C-level executives at an organization. This type of social engineering attack sends fraudulent messages to individuals with high levels of seniority to exploit three particular characteristics of these C-suite roles:
In taking advantage of these characteristics, successful perpetrators of whaling attacks often dupe senior executives into sending money to an account under their control, installing malware, or revealing confidential information. Since the word phishing originates from the use of email lures to "fish" for information from people, you can think of whaling as targeting high-ranking employees ("whales") in an organization.
Some sources use the terms whaling and CEO fraud (also called VIP impersonation) interchangeably, but there are subtle differences to understand. CEO fraud is a type of phishing attack in which the attacker impersonates an organization's CEO or perhaps another senior executive (CFO, CIO, etc.).
A CEO fraud email could directly target another senior executive, in which case it is a type of whaling attack, but it could equally be directed at a lower-level employee, such as someone working in the accounts department, and would not then be considered whaling. So not all CEO fraud attacks meet the definition of whaling attacks (and vice versa).
With the potential for striking a jackpot from a whaling attack, threat groups often pour considerable resources into each attack. A detailed reconnaissance phase involves combing through social media profiles of high-ranking executives and board members on platforms used for networking, such as LinkedIn and Twitter. Part of the preparation is to engage with the company via email to infer the structure of email addresses and email signatures for more credible fraudulent messages.
The next step is to decide whether to masquerade as someone within the organization, a third-party vendor, or a business partner. The reconnaissance stretches to finding out about any charities, academic institutions, or associations the business partners with, in order to leverage the implicit trust in those relationships and impersonate someone within a partner organization.
In companies lacking strong email security, spoofing an email from within the organization using forged email headers might pay dividends for threat actors. Sending an email from within the company could also involve using stolen credentials to access an employee’s account.
When targeting a C-level executive from outside the company, a routine tactic is to register typo-squatted domains that are easy to mistake for those of a trusted company or partner. These typo-squatted domains deviate only slightly from the genuine domain name, for example, by adding an underscore or removing a character.
The contents of the email eventually sent to the targeted individual are far more specific than seen in generic phishing campaigns. All information gleaned from reconnaissance is relevant for personalizing the message, conveying an understanding of business-specific tone and lexicon, and conveying a sense of urgency. Then, the executive either transfers money, clicks a dodgy link, or reveals something that should be kept secret.
Sometimes, threat actors pair whaling emails with phone calls to make the scenario seem more credible and corroborate their request, although if impersonating someone known to the target, a phone call is likely to raise flags. Many people holding C-suite positions work long hours and experience high levels of stress, which can make them more susceptible to being duped by a whaling attack.
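As an added example, not IRONSCALES code or anything from the original post, the following Python header-triage function flags the three sender tricks described above: a lookalike domain within one edit of a trusted domain, an executive's display name on an external address, and an internal From paired with an external Reply-To or Return-Path. The organization domain, partner domain, executive names and sample headers are all constructed for illustration.

```python
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"               # constructed: the defended organization
PARTNER_DOMAINS = {"acme-supplier.com"}  # constructed: a trusted vendor domain
EXECUTIVES = {"Jane Doe", "Jim Smith"}   # constructed: names worth impersonating


def edit_distance(a, b):
    """Levenshtein distance; one insertion, deletion or swap = 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted):
    """True if domain is one edit away from, or differs only in separators
    from, a trusted domain without being exactly equal to any of them."""
    d = domain.lower()
    if d in trusted:
        return False
    strip = lambda s: re.sub(r"[-_.]", "", s)
    return any(edit_distance(d, t) <= 1 or strip(d) == strip(t) for t in trusted)


def flag_message(headers):
    """Return the whaling indicators found in one message's header dict."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    if is_lookalike(from_dom, {ORG_DOMAIN} | PARTNER_DOMAINS):
        findings.append(f"lookalike sender domain: {from_dom}")
    if name.strip() in EXECUTIVES and from_dom != ORG_DOMAIN:
        findings.append(f"executive display name from external domain: {name} <{addr}>")
    for h in ("Reply-To", "Return-Path"):   # spoofed internal From, replies go elsewhere
        other_dom = parseaddr(headers.get(h, ""))[1].rpartition("@")[2].lower()
        if from_dom == ORG_DOMAIN and other_dom and other_dom != ORG_DOMAIN:
            findings.append(f"internal From but external {h}: {other_dom}")
    return findings


SAMPLES = [  # constructed header sets, not captured traffic
    {"From": "Jane Doe <jane.doe@example.com>", "Reply-To": "jane.doe@example.com"},
    {"From": "Jane Doe <jane.doe@examp1e.com>"},
    {"From": "Jane Doe <ceo.jane@gmail-mail.net>"},
    {"From": "Jim Smith <jim.smith@example.com>", "Reply-To": "jim.smith@mail-relay.xyz"},
    {"From": "billing@acme_supplier.com"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["From"], "->", flag_message(s) or "clean")
```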
Levitas Capital, a Sydney-based hedge fund, lost out on over $8 million in 2020 when both company founders clicked an email link to a fake Zoom phone call. The link installed malware on their systems, which enabled threat actors to take control of key company email accounts and led to the eventual approval of $8.7 million in false invoices. In an example of the cascading impact of a serious cyber attack on a company’s reputation, this incident led to the cancellation of a $16 million investment and the fund had to shut down.
An incident targeting toy manufacturing company Mattel in 2016 serves as almost the perfect example of the sophisticated and targeted nature of whaling attacks. A Chinese cyber crime gang infiltrated Mattel’s network and conducted covert monitoring of internal procedures, protocols, corporate hierarchy, and other details over several weeks.
After Mattel appointed a new CEO, the gang launched into the whaling component of the attack by impersonating the CEO and targeting another high-ranking company executive. The email referred to an invoice payment due to be made to a Chinese supplier. The target didn’t think twice about the email’s trustworthiness and immediately transferred $3 million out of the company.
IRONSCALES' self-learning platform uses machine learning to fight whaling and other targeted employee email attacks for you. NLP technology provides protection against suspicious emails whether they come from sources inside or outside your domain. Warning banners alert users to threats and make it quick and easy for the C-suite to report suspicious emails and get on with their important tasks.
Beyond the automated and technology-based protections provided by IRONSCALES, the platform directly integrates real-world phishing simulation testing and personalized security awareness training to educate employees on advanced identification and prevention best practices.
Learn more about IRONSCALES advanced anti-phishing platform here.