Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.
Let’s jump straight into it…
Whaling is a type of cyberattack targeting a company’s senior executive, typically the Chief Executive Officer (CEO) or Chief Finance Officer (CFO).
Wondering why cybercriminals often target the boss, rather than someone lower down the chain of command? The answer is simple: Senior staff members have the greatest power, access, and influence in a company.
This article will look at how whaling works, and how it fits into the broader cybercrime landscape. Then we’ll take a look at some real examples of whaling attacks.
First, it’s important to understand that whaling is a type of phishing attack. And, broadly speaking, there are two types of phishing attacks.
So what about whaling? Well, whaling is a type of spear phishing.
Whales — or company executives — are the biggest fish in the sea: They’re hard to catch, but if you manage to harpoon one, you could make a lot of money. Scroll down the page for examples of whaling, and you’ll see what we mean.
Okay — whales are mammals, not fish… but you get our point.
A company executive is the ultimate prize for cybercriminals. The boss can access information and resources that no other employee can reach.
Ultimately, a CEO or CFO is just as likely to fall victim to a social engineering attack as any other employee. In fact, they’re arguably even more likely to do so.
A whaling attack email usually asks the target to make a high-pressure decision. Here’s an example of the type of email a company executive might receive as part of a whaling attack:
If the boss is busy, stressed, or overworked (and hopefully they’re busy, at least), they’re more vulnerable to these types of cyberattacks. Tessian research suggests that more than half of employees felt they were more likely to make mistakes at work when they were stressed.
Furthermore, higher-level employees have greater access to money and data: the two things cybercriminals want most.
How does whaling fit into the cybercrime landscape?
There are many types of cybercrime. Some are interrelated; others frequently get conflated.
As we mentioned, whaling is a type of spear phishing: a phishing attack targeted at a specific individual — in this case, a company executive.
Here are some types of cyberattacks that can involve whaling, if they specifically target a company executive:
In other words, a whaling attack can also be, for example, a wire transfer phishing attack, if the attacker aims to persuade the target to transfer money into a bank account they control.
Whaling sometimes gets conflated with another important type of cybercrime: CEO fraud. Here’s the difference:
Of course, there can be some crossover between these two phishing techniques, too — where a cybercriminal impersonates one company executive and targets another. This occurred in 2017, in a scam that resulted in a $17 million loss for commodities trading company Scoular.
Here are some examples of businesses that fell victim to whaling attacks, to give you an idea of how damaging this type of cybercrime can be.
In November 2020, the co-founder of Australian hedge fund Levitas Capital followed a fake Zoom link that installed malware on its network.
The attackers attempted to steal $8.7 million using fraudulent invoices. In the event, they only got away with $800,000. But the reputational damage was enough to lose Levitas its biggest client, forcing the hedge fund to close.
The CEO of Austrian aerospace company FACC was fired for his part in a whaling attack that cost the company around $58 million in 2016.
A statement from the company said the CEO, Walter Stephen, had “severely violated his duties” by allowing the attack to occur.
Whaling doesn’t just mean big companies losing millions of dollars — small businesses are affected, too.
In this sophisticated cyberattack, a hacker interrupted Mark’s email conversation with his partner, seizing the opportunity to divert a bank transfer for $50,000.
Now that you understand the dangers of whaling, you might be wondering how you can avoid falling for whaling attacks or, better yet, prevent whaling attacks from landing in your inbox in the first place.
Your best bet? In addition to security awareness training, intelligent email security software.
To learn more about how Tessian solves the problem, check out our customer stories or book a demo. Or, if you’d rather learn more about whaling and be the first to hear about the latest attacks, sign up for our newsletter. (Just fill in the short form below.)