How whaling attacks work
Whaling attacks use fraudulent emails that appear to be from trusted sources to try to trick victims into divulging sensitive data over email or visiting a spoofed website that mimics that of a legitimate business and asks for sensitive information such as payment or account details. Whaling emails and websites are highly personalized towards their targets and often include targets’ names, job titles, and basic details to make the communications look as legitimate as possible. Attackers also use spoofed email addresses and actual corporate logos, phone numbers, and other details to make attacks seem like they are coming from trusted entities such as business partners, banks, or government agencies.
Whaling attacks are harder to detect than typical phishing because they are so highly personalized and are sent only to a handful of targets within a company, so they never show the volume patterns that spam filters rely on. Some rely purely on social engineering to extract a payment or a file; others carry links or attachments that install malware or lead to a credential-harvesting page. Because a single successful whaling email can pay off far more than a mass phishing run, attackers invest considerable time in making the message look legitimate, typically profiling targets on social media such as Facebook, Twitter, and LinkedIn for company information, job details, and the names of coworkers and business partners. That investment pays off often enough that whaling has become an increasingly popular technique.
However, there are a few things that users may look for that can help to identify a whale phishing email:
- A request for money or information. Anytime a user receives a request to authorize the transfer of funds or to share information that is highly sensitive, they should double-check to make sure the request is legitimate by placing a phone call or seeking another form of confirmation.
- An urgent or threatening tone. A whale phishing email will usually cite an urgent need to encourage the recipient to act quickly and without thinking. Whale phishing attacks may also threaten negative consequences if the request is not fulfilled.
- A spoofed email address. In a whale phishing email, the sender's address is often a slightly altered version of a legitimate one. For example, an address at companyone.com may become company1.com or Company0ne.com, with a zero replacing the "o" in the original. Mail clients usually show only the display name, which the attacker can set to the executive's real name, so check the actual address, and the Reply-To address if one is present, rather than the name.
EXAMPLES OF WHALING ATTACKS
At its core, the common thread in successful whaling campaigns is not very different from that in successful phishing campaigns: the message seems so urgent, so potentially disastrous, that the recipient feels compelled to act quickly and sets normal security hygiene aside. Scammers writing whaling emails know their audience will not be moved by a mere deadline reminder or a stern note from a superior; instead they prey on other fears, such as legal action or reputational harm.
Because whaling attacks are so difficult to identify, many companies have fallen victim to these attacks in recent years. In early 2016, the social media app Snapchat fell victim to a whaling attack when a high-ranking employee was emailed by a cybercriminal impersonating the CEO and was fooled into revealing employee payroll information. Snapchat reported the incident to the FBI and offered the employees who were affected by the leak two years of free identity-theft insurance.
Another similar incident happened in March 2016, when an executive at Seagate unknowingly answered a whaling email that requested the W-2 forms for all current and former employees. The incident resulted in a breach of income tax data for nearly 10,000 current and former Seagate employees, leaving those employees susceptible to income tax refund fraud and other identity theft schemes. Seagate notified the IRS of the data breach.
What to do in a whale phishing attack?
If you suspect you have received a whale phishing email or are under attack, there are several immediate steps you can take to mitigate the damage.
- Disconnect your computer from the network and/or the Internet in order to stop any malware from downloading or spreading.
- Alert your company immediately, giving your IT or security team a head start on limiting the damage and warning other employees about related attacks. If money was already sent, tell the finance team and the bank at once so that a recall of the transfer can be attempted.
- Scan your computer for viruses and malware that may have been downloaded as part of the attack.
- Change your login credentials and passwords immediately, from a device you trust, to prevent attackers from using anything you shared to access your accounts. Where the service supports it, also sign out of all active sessions and revoke app passwords or tokens, since a password change alone does not end a login the attacker already has.
Defending against whaling attacks
For executives and other likely targets of whaling, the standard advice for prevention and protection from phishing still applies: beware of clicking links or attachments in emails, as phishing attacks of any kind still require the victim to take action to be successful. Organizations can harden their own defenses and educate potential whaling targets by implementing some whaling-specific best practices as well.
Be cognizant of the kind of information public-facing employees are sharing about executives. Details that can be easily found online via sites like social media, from birthdays and hometowns to favorite hobbies or sports, can help whaling emails seem more legitimate. Major public events can also lend whaling emails the guise of legitimacy. Remind executives or spokespersons that during these high-publicity times, such as a major industry conference or company event, they'll be in a spotlight in more ways than one, and to be especially wary of their inbox.
- Educate employees about whaling attacks and how to identify phishing emails.
  - Train employees and executives to think with a security mindset and ask questions.
  - Check the actual sender address and any Reply-To address, not just the display name, and validate that the domain is legitimate.
  - Call to confirm unusual or urgent requests, using a number you already have rather than one given in the email.
- Flag all emails that come from outside of the organization, for example with an external-sender banner; this helps highlight potential scam emails, including those sent from lookalike domains.
- Discuss use of social media with the executive team as it relates to whale phishing.
  - Social media is a goldmine of information cybercriminals can use in their whale phishing scams.
  - Security experts recommend that members of the executive team enable privacy restrictions on their personal social media accounts to reduce exposure of information that can be used in a social engineering scam.
- Establish a multi-step verification process for internal and external requests for sensitive data or wire transfers, such as a call-back to a known number plus approval by a second person, so that no single email can authorize a payment or a bulk data export.
- Exercise data protection and data security policies: monitor file and email activity to track and alert on suspicious behavior, and implement layered security to protect your company against whale and any other kind of phishing. Enforcing SPF, DKIM and DMARC on your own domain rejects messages that forge your exact domain; it does nothing against lookalike domains, which the attacker registers and controls, so those still need the checks above.
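The indicators listed under "How whaling attacks work" and the sender-address, Reply-To and external-sender checks above can be turned into a simple header triage. The following is an added example, not code from the original article: it assumes a hypothetical organization domain (companyone.com), a hypothetical trusted-partner list, and three constructed sample messages; the keyword lists and the 0.75 similarity threshold are illustrative choices, not a standard.

```python
"""Triage inbound mail for the whaling indicators discussed above.

Added example, not from the original article. INTERNAL_DOMAIN, TRUSTED_DOMAINS
and SAMPLES are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "companyone.com"                       # hypothetical org domain
TRUSTED_DOMAINS = {INTERNAL_DOMAIN, "bank-example.com"}  # hypothetical partners

# Single-character swaps commonly used to register lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

URGENCY = re.compile(
    r"\b(urgent(?:ly)?|immediately|asap|right away|today|before end of day|"
    r"legal action|do not discuss)\b", re.I)
SENSITIVE = re.compile(
    r"\b(wire transfer|wire|payment|invoice|w-?2|payroll|tax forms?|"
    r"gift cards?|account details|credentials)\b", re.I)
EXEC_TITLE = re.compile(r"\b(CEO|CFO|COO|CIO|President|Chief)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Undo the usual digit/letter and rn/vv substitutions before comparing."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is
    itself trusted or simply unrelated (e.g. a public webmail provider)."""
    domain = domain.lower()
    if domain in trusted:
        return None
    norm = normalize_domain(domain)
    best, best_score = None, 0.0
    for t in trusted:
        score = 1 - edit_distance(norm, t) / max(len(norm), len(t))
        if score > best_score:
            best, best_score = t, score
    return best if best_score >= 0.75 else None  # illustrative threshold


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _text(msg) -> str:
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    return msg.get_payload()


def triage(raw: str) -> dict:
    """Return the sender domain, the indicator flags found, and a verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    flags = []
    if from_dom != INTERNAL_DOMAIN:            # the "external sender" banner
        flags.append("external-sender")
    target = lookalike_of(from_dom)            # company0ne.com -> companyone.com
    if target:
        flags.append(f"lookalike-domain:{target}")
    if msg.get("Reply-To"):                    # replies silently go elsewhere
        if _domain(parseaddr(msg["Reply-To"])[1]) != from_dom:
            flags.append("reply-to-domain-mismatch")
    if from_dom != INTERNAL_DOMAIN and EXEC_TITLE.search(name):
        flags.append("executive-display-name")  # exec title on an outside address
    text = msg.get("Subject", "") + "\n" + _text(msg)
    if URGENCY.search(text):
        flags.append("urgency")
    if SENSITIVE.search(text):
        flags.append("sensitive-request")
    strong = {"lookalike-domain", "reply-to-domain-mismatch", "executive-display-name"}
    suspicious = (any(f.split(":")[0] in strong for f in flags)
                  or {"urgency", "sensitive-request"} <= set(flags))
    return {"from_domain": from_dom, "flags": sorted(flags),
            "verdict": "suspicious" if suspicious else "ok"}


SAMPLES = {  # constructed messages, not real mail
    "whale": 'From: "CEO Chris Lee" <c.lee@company0ne.com>\n'
             "To: payroll@companyone.com\nSubject: Urgent: W-2 forms for all staff\n\n"
             "I am in a board meeting and need the W-2 forms for all current and former\n"
             "employees emailed to me immediately. Do not discuss this with anyone.\n",
    "reply_to": 'From: "Dana Kim" <d.kim@companyone.com>\n'
                "Reply-To: d.kim.companyone@mail.example\nTo: ap@companyone.com\n"
                "Subject: Vendor payment\n\nPlease approve the wire transfer to our new "
                "supplier today and reply with\nconfirmation so I can send the account details.\n",
    "benign": 'From: "Alex Rivera" <a.rivera@companyone.com>\nTo: team@companyone.com\n'
              "Subject: Friday lunch\n\nIs everyone free for lunch on Friday?\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

Run it directly to print a verdict for each sample. A lookalike hit, a Reply-To domain that differs from the From domain, or an executive title on an outside address is enough on its own to route a message for out-of-band confirmation; urgency combined with a request for money or personnel data is a weaker signal that still warrants a phone call. A DMARC check would reject a forged companyone.com but accept company0ne.com, because the attacker really does control that domain, which is why the normalized comparison against the trusted list is needed.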
Digitally signed email (S/MIME or OpenPGP) adds a technical check to these procedures: a message signed with the sender's private key can be verified by the recipient against the sender's enrolled public key, so a note from "the company's lawyer" or a trusted partner that lacks a valid signature from their key should be treated as unverified. This only helps if keys are enrolled for the people who matter, recipients are trained to notice a missing or invalid signature, and devices are kept clean; a private key can still be misused if the executive's own machine or mailbox is compromised, so signing complements the call-back and dual-approval controls rather than replacing them.
For a company, the payoff is protection of exactly the assets whaling targets: payroll and tax data, funds, and intellectual property.