What Is Whaling

Helga Smith

What Is Whaling in Cyber Security (Whaling Phishing)

Whaling Definition

Whaling is a particular type of phishing aimed specifically at the executives of companies and organizations.

Threat actors may impersonate an executive of a company in order to target its other employees, or they may target an executive directly.

In this type of phishing attack, threat actors rely on elaborate social engineering to reach their goals. They know that most executives today use various phishing mitigation strategies and tools, so they have to be especially stealthy in their approach.

Unfortunately for companies and organizations around the world, the attackers can be difficult to trace, as they often disguise their physical location and clean up their digital footprint.

What Is The Difference Between Phishing And Whaling

As noted above, whaling is a specific kind of phishing that targets high-profile people in companies and organizations.

In whaling, threat actors use various media to lure victims into their scheme: voice calls, text messages, emails and so on. The same goes for the other subcategories of phishing, where one medium or another predominates.

Generally speaking, phishing includes many subcategories: angler phishing, smishing, vishing, spear phishing, email phishing and, of course, whaling.

[Figure: Visualization Of How Whaling Works]

Phishing has become one of the biggest threats faced not only by modern companies and organizations but by ordinary users as well.

Most people know, or at least have an idea, what phishing is. The aim of a phishing attack, and here we are talking about whaling in particular, is either to steal sensitive and valuable information or to infect targeted devices with malware.

The aim can also be both. Phishing is not only used by common scammers; APT actors also widely deploy this kind of attack within their more sophisticated operations.

One more point: people are often confused by the term ‘spear phishing’, which seems to mean the same thing as whaling, but in reality there is a slight difference between the two.

What Is The Difference Between Whaling And Spear Phishing

In reality there is no great difference between the two terms, as both belong to the phishing type of cyber attack and both aim to steal sensitive and valuable information or install malware on targeted devices.

But whereas whaling targets only high-profile individuals, spear phishing can target a range of people, from employees in the finance department to sales managers.

In spear phishing attacks, threat actors ‘tailor’ their emails, voice calls and messages to the victim’s personal profile: they craft the attack using publicly available information about the victim so that their phishing messages appear authentic.

Whaling differs from spear phishing in that threat actors not only restrict their targets to senior management but also carry out thorough research on those individuals.

How Does Whaling Work

First comes the intelligence gathering phase, in which threat actors research their future victim. For example, they will closely inspect a CEO’s LinkedIn profile and take details from it to appear more personal to their target.

[Figure: An Example Of Whaling]

Beyond this, threat actors may also research the relevant professional jargon in order to match the victim’s expectations and disguise the phishing email or other attack correspondence as a professional message about some business matter.

That covers the first step of whaling; the next step is when threat actors carry out the actual attack.

Usually they do so through one of the following attack vectors:

  • Baiting. It sounds like a trick from a movie, but such cases really happen. Threat actors leave an authentic-looking USB drive in a gym or at the workplace, or mail it to the victim, all to get them to insert it into their computer;
  • Pretexting. Threat actors sometimes go to great lengths in acting to reach their goal. They befriend their future target on social media while pretending to be an industry peer, love interest, business partner or some authority figure;
  • Phone. A simple phishing trick in which threat actors call their victims to reinforce a previously sent email;
  • Emails. The main medium for phishing attacks among threat actors. They use malicious attachments, websites and links.

What Whaling Is Used For

Not surprisingly, with such high-profile targets in mind, threat actors can expect to accomplish a variety of tasks and gain far broader possibilities from the attack.

By targeting CEOs, or by impersonating one and targeting employees with faked CEO correspondence, threat actors can pursue the following goals:

  • Personal vendetta. Although this may be a rare goal, it happens. Someone may simply want to drag another person’s reputation through the dirt;
  • Malware. Whaling can be done with the goal of making the victim install various kinds of malware, such as keyloggers, rootkits or ransomware;
  • Corporate espionage. With a successfully accomplished whaling attack, threat actors can gain access to trade secrets and steal intellectual property, all to help business competitors who may even reside in another country;
  • Supply chain attack. This attack occurs when threat actors find a vulnerable element in a business’s or organization’s supply chain and hit it in order to damage the whole structure. Such attacks via whaling are also carried out against governments, where threat actors can theoretically target their vendors;
  • Control. One of the main tasks in whaling is to obtain valuable credentials that can later be used to install a backdoor into a network or for lateral movement across the compromised network, in a ransomware attack for example;
  • Money. In a successful whaling attack, threat actors can trick victims into paying money via a wire transfer, or extort an organization or business after previously exfiltrating its data.

What Are The Most Known Examples Of Whaling

Here are some of the best-known examples of ‘successful’ whaling attacks:

  • Threat actors defrauded the Australian co-founder of a hedge fund. As a result, the company was forced to close;
  • In an attack on one small business owner, threat actors managed to steal $50,000 from the business;
  • A CEO of the Australian aerospace manufacturer FACC lost $58 million after falling victim to a whaling scam;
  • The giant toy manufacturer Mattel wired $3 million to threat actors after one of its finance executives received a fraudulent request from a seemingly newly appointed CEO;
  • The Hong Kong based wireless device company Ubiquiti Networks Inc. was scammed out of $46.7 million after one of its employees received a fake email.

How To Prevent Whaling

To defend effectively against whaling attacks without putting the cyber security of businesses and organizations at risk, CEOs and employees alike should consider the following generally accepted rules on how to avoid whaling:

  • Download and install anti-phishing software. Although social engineering tactics, whaling included, rely heavily on human error, it is still worthwhile for companies and organizations to have anti-phishing software in place;
  • Hold social media education sessions. The rule is simple and applies not only to senior management but to all users of social media.

    From some people’s social media accounts, threat actors can gather a lot of valuable information without ever breaking into their devices.

    That is why everyone on social media should limit what personal information they share and who can actually view it;

  • Set data protection policies. Monitor all incoming emails for signs of potential maliciousness. Any message that does not look safe should not be allowed into the inbox, but redirected to the spam folder instead.
    Also teach your employees, and yourself, how to tell in general whether an email is malicious or not;
  • Multi-step verification. All requests for access to confidential information or for permission to make wire transfers should pass through multiple layers of verification before consent is given. Check all emails and attachments for maliciousness and, where possible, for other issues outside the organization or business;
  • Raise employee awareness. Protecting the company’s assets from cyber security attacks should also be the responsibility of its employees. Teach them how to recognize not only whaling attacks but also other kinds of cyber threats.
    Employees should know what social engineering attacks are and what tactics cyber actors use to conduct them successfully.
    Also do not forget about requests for money transfers coming from suspicious emails.
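The "monitor incoming emails" and "multi-step verification for wire transfers" rules above can be turned into a concrete first-pass screening step at the mail gateway. The following Python script is an added example written for this article, not code from the original post or from any mail product. It assumes a constructed corporate domain (example.com), a constructed list of executive display names that impersonators are likely to borrow, and messages represented as plain dicts; the sample messages are constructed for the example. It flags the signals this article describes (an executive's name on an external address, a lookalike sender domain, a Reply-To that points elsewhere, and an urgent payment request) and routes any payment request to a verification queue rather than straight to the inbox.

```python
"""Inbound mail screening for executive-impersonation (whaling) signals.

Added example; the domain, executive names and messages below are
constructed for illustration and do not refer to real people or systems.
"""
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                      # assumed corporate domain
EXECUTIVES = {"jane doe", "john roe"}                 # constructed executive display names

PAYMENT_WORDS = ("wire transfer", "wire", "invoice", "payment", "bank details")
URGENCY_WORDS = ("urgent", "immediately", "asap", "confidential", "today")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot lookalike domains such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen_message(msg: dict) -> list:
    """Return the list of whaling indicators found in one inbound message."""
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # 1. An executive's display name, but the address is not on our domain.
    if name.strip().lower() in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        flags.append("executive-name-external-sender")

    # 2. Sender domain is within two edits of ours but is not ours (lookalike).
    if from_domain and from_domain != CORPORATE_DOMAIN \
            and edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        flags.append("lookalike-domain")

    # 3. Replies would go to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        flags.append("reply-to-mismatch")

    # 4. A payment request combined with pressure to act quickly or quietly.
    body = msg.get("body", "").lower()
    if any(w in body for w in PAYMENT_WORDS) and any(w in body for w in URGENCY_WORDS):
        flags.append("urgent-payment-request")

    return flags


def route(msg: dict) -> str:
    """Inbox when clean; verification queue for any payment request; spam otherwise."""
    flags = screen_message(msg)
    if not flags:
        return "inbox"
    if "urgent-payment-request" in flags:
        return "verification-queue"   # out-of-band confirmation before any transfer
    return "spam"


# Constructed sample messages: one legitimate, one CEO impersonation with an
# urgent wire request, one invoice from a lookalike domain with a foreign Reply-To.
SAMPLES = [
    {"From": "Jane Doe <jane.doe@example.com>",
     "body": "Team meeting moved to 3pm, see you there."},
    {"From": "Jane Doe <jane.doe@webmail-host.test>",
     "body": "Please process this wire transfer immediately, it is confidential."},
    {"From": "accounts@exarnple.com", "Reply-To": "accounts@other-host.test",
     "body": "Attached is the invoice for last month."},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(route(sample), screen_message(sample))
```

The routing here is deliberately coarse: a real gateway would combine these signals with SPF/DKIM/DMARC results and sender reputation, but the essential control from the article survives unchanged, which is that nothing asking for money reaches a human who can act on it before a second, out-of-band check.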

