What is Whale Phishing and How to Protect Yourself?

Oct. 14, 2020

A whale phishing attack, or whaling, is spear phishing aimed directly at high-level executives and C-level employees, such as the CEO (Chief Executive Officer) or CFO (Chief Financial Officer). In whaling, the perpetrator targets the senior members of an organization with the intent to steal money or personal information, or to gain access to the company's computer systems for criminal purposes. The attacker uses methods like email or website spoofing to dupe the victim into performing certain actions, such as transferring money or providing sensitive data.

Where a phishing attack is aimed at random individuals and spear phishing targets a particular person, whaling not only targets important figures but also crafts the fake message so that it appears to come from someone influential, such as a senior member of the company.

This threat has grown rapidly. Here are just two examples. An employee in Snapchat’s payroll department received a whaling message appearing to come from the company’s CEO asking for payroll information on all company employees. The recipient complied and sent company records to the hacker. Mattel, the toy manufacturer, fell victim to whale phishing after its CFO received an email from a hacker masquerading as the CEO requesting a money transfer. As a result, the organization faced a loss of $3 million.

Protecting yourself and your company from whale phishing is crucial in today’s epidemic of cybercrime. 

How Whaling Works

In whaling, attackers research the victim through openly available sources, such as Facebook and Twitter, to craft an email that appears to originate from a senior executive. The message typically contains personal information or references to something the perpetrator extracted from the recipient’s social media posts.

Usually, a whaling email asks the recipient to send confidential information, like bank account numbers or payroll records, to a fake email address, or it requests a direct wire transfer. The attacker’s email appears to come from an authentic source: it carries the company logo and a URL to a spoofed website that has been carefully crafted to look genuine.

A whaling email may also trick the user into downloading malware to their PC or laptop. From this entry point, the malware worms its way into the network and extracts data without the user knowing what is happening.

How to Identify Whale Phishing?

Whale phishing is very difficult to identify because it is tailored to a single person. Hackers go to great lengths to make sure that the email’s appearance, language, and tone look professional so as not to raise the victim’s suspicions. Still, users can look for a few key things to recognize a whale attack.

An urgent tone: A whaling email will typically include an element of urgency to encourage the user to act swiftly without second thoughts. Whaling can also take a threatening tone and promise negative consequences if the user does not fulfill the request.

A request for funds transfer: If a user receives an email asking them to make a wire transfer or share sensitive information or data, they should confirm the request’s authenticity by a phone call or another channel.

A hoax email address: Whale phishing email addresses will often be slightly different from the real address of an authentic sender. Always look at the sender’s email address and double-check whether it is legitimate or fake.

How to Protect Yourself from Whale Phishing

Protection against whale phishing begins with educating the company’s key staff members and making sure they are vigilant about the possibility of being hacked. Staffers within the organization should be on alert at all times when they receive unsolicited contacts, specifically in cases of requests for money transfers or sensitive information. Does the email seem unusual in any way? Were they expecting a message, email, or link from this alleged source about this topic?

Furthermore, employees should be educated about the telltale signs of whaling, e.g., fake names and email addresses. If users hover their cursor over the sender’s name, they can see the full address behind it. Senior officers should take care before posting information about themselves on social media, such as Facebook and Twitter. Personal information, including job titles, birthdays, holidays, hobbies, relationships, and promotions, can all be used by hackers to create more convincing whale phishing attacks.
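As an added example (not Trustifi’s code or anything from the original post), the following Python script turns the signs listed above into automated checks over incoming mail: an executive’s display name backed by a different address (the hover-over check just described), a sender domain that is a near-miss of the company’s own (the hoax address), urgent wording, and a request for funds or payroll data. The company domain, executive roster, keyword lists, and both sample messages are constructed for the illustration.

```python
"""Flag the whaling indicators from the post in raw e-mail text.

Added example, not Trustifi's code. The company domain, executive roster,
keyword lists and sample messages below are all constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed: the organization's real domain and the executives whose
# names an attacker would most likely borrow for the display name.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",   # constructed CEO
    "raj patel": "raj.patel@example.com",  # constructed CFO
}

# Constructed keyword lists for the "urgent tone" and "request for funds
# or sensitive data" signs. Substring matching, so "urgent" covers "urgently".
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "before the end of the day")
MONEY_WORDS = ("wire transfer", "wire", "payroll", "w-2", "bank account", "invoice", "payment")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domain names are short enough for O(n*m)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, real: str) -> bool:
    """True when `domain` is a near-miss of `real` (examp1e.com, example.co)
    but not `real` itself. Two edits catches 'rn' standing in for 'm'."""
    if not domain or domain == real:
        return False
    return edit_distance(domain, real) <= 2


def body_text(msg: Message) -> str:
    """Return the plain-text body, joining text/plain parts of a multipart mail."""
    if msg.is_multipart():
        return " ".join(
            part.get_payload(decode=True).decode(errors="replace")
            for part in msg.walk() if part.get_content_type() == "text/plain"
        )
    return msg.get_payload()


def whaling_indicators(raw: str) -> list:
    """Return a list of human-readable findings; empty means no sign tripped."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # Sign 1: the visible name is an executive, the address behind it is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{display}' but address {addr} (expected {expected})")

    # Sign 2: sender domain is slightly different from the company's real domain.
    if lookalike_domain(domain, COMPANY_DOMAIN):
        findings.append(f"lookalike domain {domain}")

    # Signs 3 and 4: urgent tone, and a request for funds or sensitive data.
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgent tone")
    if any(word in text for word in MONEY_WORDS):
        findings.append("funds/sensitive-data request")
    return findings


# Constructed sample messages: one whaling attempt, one ordinary internal mail.
SAMPLE_WHALING = """\
From: Jane Doe <jane.doe@examp1e.com>
To: raj.patel@example.com
Subject: Urgent wire transfer needed

Raj, I am in a meeting and cannot talk. Please wire $48,500 to the vendor
account below immediately. I will send the invoice later.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: raj.patel@example.com
Subject: Board deck review

Raj, could you look over slides 4-9 of the Q3 deck when you have time this week?
"""

if __name__ == "__main__":
    for label, sample in (("whaling", SAMPLE_WHALING), ("legit", SAMPLE_LEGIT)):
        print(label, "->", whaling_indicators(sample) or "no indicators")
```

On the constructed whaling sample all four signs trip: the CEO’s name sits in front of a `examp1e.com` address, that domain is one edit away from the real one, and the subject carries both an urgency word and a wire-transfer request; the ordinary board-deck message trips none. Treat the findings as a prompt for out-of-band verification rather than a verdict: a message that trips the display-name or lookalike-domain check should be confirmed with the supposed sender by phone, using a number already on file rather than one taken from the email.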

Don’t leave protection against hackers to chance. Trustifi provides a reliable and affordable email security service that can protect you and your company from all forms of cyber attacks, including whale phishing. Contact a Trustifi representative today for a free demo of their email security service and learn how simple and affordable protecting your vital assets can be.
