Let’s jump straight into it…
Wondering why cybercriminals often target the boss, rather than someone lower down the chain of command? The answer is simple: Senior staff members staff have the greatest power, access, and influence in a company.
This article will look at how whaling works, and how it fits into the broader cybercrime landscape. Then we’ll take a look at some real examples of whaling attacks.
How whaling works
First, it’s important to understand that whaling is a type of phishing attack. And, broadly speaking, there are two types of phishing attacks.
- Phishing “in bulk” is like using a trawl net. Cast your net wide — by sending as many phishing emails as you can — and you’re likely to catch quite a few unfortunate minnows.
- With spear phishing, you aim your spear — or email — at a specific fish (er, person). Targets are carefully chosen, and emails are carefully crafted with the specific target in mind. Be patient, be smart, and you might catch something valuable.
So what about whaling? Well, whaling is a type of spear phishing.
Whales — or company executives — are the biggest fish in the sea: They’re hard to catch, but if you manage to harpoon one, you could make a lot of money. Scroll down the page for examples of whaling, and you’ll see what we mean.
Okay — whales are mammals, not fish… but you get our point.
A company executive is the ultimate prize for cybercriminals. The boss can access information and resources that no other employee can reach.
Why target company executives?
Ultimately, a CEO or CFO is just as likely to fall victim to a social engineering attack as any other employee. In fact, they’re arguably even more likely to do so.
A whaling attack email usually asks the target to make a high-pressure decision. Here’s an example of the type of email a company executive might receive as part of a whaling attack:
If the boss is busy, stressed, or overworked (and hopefully they’re busy, at least), they’re more vulnerable to these types of cyberattacks. Tessian research suggests that more than half of employees felt they were more likely to make mistakes at work when they were stressed.
Furthermore, higher-level employees have greater access to money and data: the two things cybercriminals want most.
Whaling vs. other types of cyberattack
How does whaling fit into the cybercrime landscape?
There are many types of cybercrime. Some are interrelated; others frequently get conflated.
As we mentioned, whaling is a type of spear phishing: a phishing attack targeted at a specific individual — in this case, a company executive.
Here are some types of cyberattacks that can involve whaling, if they specifically target a company executive:
In other words, a whaling attack can also be a wire transfer phishing attack, for example, — if the attacker aims to persuade the target to transfer money into a bank account they control.
Whaling sometimes gets conflated with another important type of cybercrime: CEO fraud. Here’s the difference:
- In a CEO fraud attack, the attacker impersonates a company executive and targets someone less senior.
- In a whaling attack, the company executive is the target.
Of course, there can be some crossover between these two phishing techniques, too — where a cybercriminal impersonates one company executive and targets another. This occurred in 2017, in a scam that resulted in a $17 million loss for commodities trading company Scoular.
Examples of whaling
Here are some examples of businesses that fell victim to whaling attacks, to give you an idea of how damaging this type of cybercrime can be.
Hedge fund co-founder targeted via Zoom
In November 2020, the co-founder of Australian hedge fund Levitas Capital followed a fake Zoom link that installed malware on its network.
The attackers attempted to steal $8.7 million using fraudulent invoices. In the event, they only got away with $800,000. But the reputational damage was enough to lose Levitas its biggest client, forcing the hedge fund to close.
Aerospace firm fires CEO after $58 million whaling loss
The CEO of Austrian aerospace company, FACC, was fired for his part in a whaling attack that cost the company around $58 million in 2016.
A statement from the company said the CEO, Walter Stephen, had “severely violated his duties” by allowing the attack to occur.
Small business owner loses $50,000
Whaling doesn’t just mean big companies losing millions of dollars — small businesses are affected, too.
In an interview with NPR, “Mark,” the owner of a small real-estate firm, discussed how he fell victim to a targeted account takeover attack.
In this sophisticated cyberattack, a hacker interrupted Mark’s email conversation with his partner, seizing the opportunity to divert a bank transfer for $50,000.
How to Prevent Whaling
Now you understand the dangers of whaling, you might be wondering how you can avoid falling for whaling attacks or – better yet – prevent whaling attacks from landing in your inbox in the first place.
Your best bet? In addition to security awareness training, intelligent email security software.
To learn more about how Tessian solves the problem, check out our customer stories or book a demo. Or, if you’d rather learn more about whaling and be the first to hear about the latest attacks, sign up for our newsletter. (Just fill in the short form below.)