Whaling Email Attacks: Examples & Prevention Strategies

  • 12 December 2019

95% of all attacks on enterprise networks are the result of successful spear phishing. But spear phishing can take many forms. One form is whaling, and it’s on the rise.

What is whaling?

Whaling is a kind of spear phishing attack that specifically targets senior executives (the “big fish”) in an organization.

What is the difference between a spear phishing and whaling attack?

A whaling attack is a type of spear phishing attack targeted specifically at an executive like the CEO or CFO. Spear phishing is an advanced phishing attack directed at a specific individual or company, not necessarily an executive.

Whaling attacks are designed to trick people into doing something like sending a wire transfer or clicking on a malicious link. Oftentimes, criminals will gather and use personal information about their target to personalize the email better and increase their probability of success. As a result, whaling attacks can be very convincing and difficult for both humans and email defenses to catch.

It’s important to note that whaling and CEO fraud are not the same, even though they are sometimes used interchangeably. Whaling attacks target high ranking executives; they don’t necessarily impersonate them. CEO fraud (or CxO fraud) is a type of spear phishing attack where attackers impersonate a CxO or other senior leader.

Why are whaling attacks successful?

Whaling attacks can be easy to pull off. Attackers don’t need much capital, special equipment or a particularly advanced skillset. They often just need to invest time into researching a target, which is easy with the proliferation of public profiles on platforms like LinkedIn.

CxOs are incredibly busy and under a tremendous amount of pressure. They almost certainly have access to significant amounts of sensitive information, and likely have their attention divided across many parts of the business. Working at a fast pace, on the go or outside work hours can lead CxOs to make critical mistakes on email and be easily duped into thinking a whaling email is legitimate.

What’s more, CxOs might be less likely to attend security awareness training due to their busy schedules. More and more companies are investing in training, but busy executives could prioritize educating the staff over themselves, which keeps the business at risk. After all, one employee misstep can have serious consequences for an organization. And CxOs have a target on their backs due to the amount of sensitive company information that they hold.

How can a successful whaling attack hurt a company?

The motivation behind whaling attacks is commonly financial. But going after an organization’s finances can have wide-reaching consequences, also affecting intangible factors like company morale and brand reputation. Here are some of the main consequences of whaling attacks:

  • Financial loss: Of course, a principal objective is to extract money from targeted organizations. In 2018, film company Pathé lost more than €19m after an attacker posed as the company’s CEO and asked another senior executive to wire funds to a fake account. Austrian aircraft parts manufacturer FACC AG lost €50 million when their CEO fell victim to a whaling attack and wired the money to what he thought was a trusted source. When second-order financial penalties like fines are taken into account too, whaling attacks can prove extremely damaging to organizations’ balance sheets.
  • Data breach: Data breaches are rarely out of the press these days. One of the scams that resonates most with the media is credential harvesting and the stealing of user data. With organizations now holding more information on individuals (employees and customers) than ever before, these attacks can cause immense harm to people and to businesses. What’s more, data breaches are expensive to manage; the average cost of a breach is $3.86 million.
  • Fines: It’s hard to think of data breaches and email attacks without the associated fines brought about by new regulation. In one of the first big GDPR fines, the UK’s Information Commissioner earlier in 2019 announced its intention to fine British Airways £183 million after a 2018 data breach.
  • Reputational damage: It’s harder to quantify on a balance sheet, but after a whaling-induced data breach, hard-won brand reputation could be put at serious risk. An email security failure can negatively affect an organization’s relationships with their customers. Another second-order effect could be knocking employees’ morale and denting confidence, making rebuilding work still more difficult.

How can your organization protect against a whaling attack?

Most organizations rely on Secure Email Gateways (SEGs) to keep inboxes safe. To identify and prevent inbound email threats like whaling, SEGs commonly rely on the following:

  • Payload inspection like scanning URLs and attachments. This can leave organizations vulnerable to zero-payload attacks and can falsely increase user confidence.
  • Spam and bulk-phishing prevention. These focus on past known attacks as well as basic email characteristics (e.g. domain authentication): they block emails that contain blacklisted domains or IP addresses, and they block bulk emails. These approaches fail to prevent advanced impersonation, which is low-volume and often comes from domains and IP addresses that have never been seen before.
  • Rules to prevent impersonation. Rules can prevent basic impersonation attacks (e.g. by detecting newly registered domains, mismatched sender/reply-to addresses, etc.), but attackers have learned to evade these rules.

While SEGs can block malware and bulk phishing attacks, rule-based solutions struggle to stop advanced impersonation attacks and to detect external impersonations, common in whaling attacks. External impersonation is the impersonation of someone who belongs to a different organization than the target such as a supplier or vendor.
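To make the rule-based checks above concrete, here is an added example (not code from the original post or from any SEG product) that applies three gateway-style impersonation rules to constructed messages: display-name impersonation of a known executive, a Reply-To that points away from the sender's domain, and a one-character lookalike of a trusted domain. The organization, contacts, domains and messages are all hypothetical; the second message shows the gap the text describes, where a never-seen vendor domain with no mismatch triggers nothing.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data for a hypothetical organization.
KNOWN_CONTACTS = {"jane doe": "jane.doe@bigcorp.example"}  # the CEO's real address
TRUSTED_DOMAINS = {"bigcorp.example", "parts-vendor.example"}  # own domain and a supplier

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impersonation_flags(raw):
    """Apply the three rules to a raw RFC 822 message; return the rules that fired."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # Rule 1: the display name of a known executive on an unfamiliar address.
    known = KNOWN_CONTACTS.get(name.lower())
    if known and known != addr.lower():
        reasons.append("display-name impersonation")
    # Rule 2: Reply-To directs replies to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        reasons.append("reply-to mismatch")
    # Rule 3: sender domain is one edit away from a trusted domain (e.g. o -> 0).
    if domain not in TRUSTED_DOMAINS and any(edit_distance(domain, t) == 1 for t in TRUSTED_DOMAINS):
        reasons.append("lookalike domain")
    return reasons

# Constructed messages: a whaling-style wire request, and a request from a never-seen domain.
WHALING = """From: Jane Doe <jane.doe@bigc0rp.example>
Reply-To: jane.doe@webmail.example
To: cfo@bigcorp.example
Subject: Urgent wire transfer

Please wire the funds today; I am travelling and cannot talk.
"""
UNSEEN_VENDOR = """From: Accounts <billing@new-supplier.example>
To: cfo@bigcorp.example
Subject: Updated bank details

Please use the attached account for the next payment.
"""
```

Running `impersonation_flags` on the two messages shows all three rules firing on the first and none on the second, which is why the text argues that static rules alone do not stop low-volume impersonation from fresh domains.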

Tessian Defender detects all possible impersonation types, including the manipulation of internal and external contacts. Tessian Defender stops advanced threats that legacy systems miss.

Tessian Defender’s stateful machine learning retroactively analyzes historical email data in order to understand the difference between safe and unsafe emails being received. By analyzing multiple data points within email headers, body text and attachment data, Tessian Defender can detect and prevent threats in real time with minimal end-user disruption.