What is a whaling attack? And what can my business do to protect against them?

Also known as CEO fraud, whaling involves cybercriminals sending emails or messages that impersonate a legitimate source, usually a CEO, colleague or trusted business source with the aim of stealing sensitive information like usernames, passwords, or financial information.

What is the difference between phishing and whaling?

Whaling and phishing are extremely similar bar the completely targeted nature of whaling. When cybercriminals use phishing attacks they send out messages to a large number of victims with the hope of collecting as much data or information as possible, practically at random. A whaling attack is specifically aimed at high-ranking targets such as company directors or CEOs and the cybercriminals usually impersonate a senior employee from within the same organisation.

Due to the current trend towards remote working whaling attacks are on the rise. According to the results of the UK Government’s Cyber Security Breaches Survey 2020, 1 in 4 companies have experienced a whaling attack in the last 12 months.

How do whaling attacks work?

Whaling attacks are, unfortunately, all too often highly successful. Recently, toy giant Mattel was the victim of a whaling attack which saw them lose a whopping three million dollars! A top financial executive received an email that requested a money transfer from their newly appointed CEO. The email was actually from a cybercriminal that was impersonating them.

Whaling attacks don’t require a high level of technical knowledge behind them with cybercriminals knowing full well that many employees may not be quite as vigilant when working from home. Such criminals simply carry out a little research into the company, usually by using social media or the company’s own website to view who the high-level contacts are.

Whaling attacks work by targeting high level employees by sending them an email or message which appears to be from the CEO, director or another high-level executive of the business. Sometimes, cybercriminals will even include tailored messages to make them look even more legitimate. These could reference something that has been posted on social media or a public company update. The cybercriminals will typically use (or appear to use) an email address that seems to be from a legitimate source. It could contain a logo or perhaps a link to a website that has been built to replicate the company site.

Due to the perceived legitimacy of these requests, many employees will respond automatically without asking questions, as the message appears to have come from the most senior person within their organisation. People that work in finance are most commonly targeted for obvious reasons… they typically have access to the most sensitive data as well as having the ability to make payments. That said, however, there have also been attacks on cloud storage and file hosting companies as well as e-commerce sites.

The message will always contain personalised information, convey a sense of urgency and will often be written in a similar tone to the language used by the company.

During a whaling attack, the victim will usually be asked to do one of the following:

• Click a link – this will usually take the victim to a fraudulent website or could perhaps download malware onto their device.
• Share sensitive data or information – this will generally be company data regarding employees, customers or a high-level individual.
• Transfer money – By direct bank transfer to the cybercriminals or by sharing bank or credit card details.

What are the consequences of a whaling attack?

As primitive as they may appear, whaling attacks can cause untold damage to businesses.

• Data breaches – This can affect your employees, customers, or intellectual property.
• Financial loss – As well as losing money from fraudulent money transfers, businesses can also be fined for data breaches and may lose customers.
• Tainted reputation – If customers find out that your business has been a victim of a whaling attack it’s unlikely to fill them with confidence! You can quite easily lose customers, suppliers, partners and opportunities due to a lack of trust in your organisation.
• Business disruption – Following a successful whaling attack there’s a chance that your business could be severely damaged. Security measures would have to be updated, customers and clients would have to be notified of data breaches and funds will have to be budgeted.

What can my business do to protect against a whaling attack?

Whaling attacks are so successful because they are personalised and usually appear to be genuine. That said, there are a few ways that can help you identify whaling attacks.

• Double check the email address – It may look identical on first glance but check for double letters or numbers.
• Confidentiality – If the message insists on keeping the information confidential this could be a sign that is’ come from an illegitimate source.
• Urgent! – If the message includes phrases like urgent or is trying to get you to act quickly, this can be a tell-tale sign of phishing or whaling. They want you to act without thinking or considering different options.
• Different bank details – If the bank details you’re asked to send funds to are different from those on record, be on your guard!
• Drastic consequences – Be suspicious if you’re given an ultimatum, such as the threat of legal action if you don’t transfer money immediately.

It’s important that your staff are trained to be on their guard, to be suspicious of anything out of the ordinary and to question whether email are unexpected and/or unusual. If you have an IT department, you could ask them to carry out ‘test whaling’ activities in order to train employees on how to spot suspicious messages. You could also change procedures within your business so that two people are needed to sign off financial transactions. This will decrease the chance of whaling attacks being successful.

Employees should also take care when posting information on their social media accounts. Cybercriminals can use information like birthdays, promotions, hobbies etc. to scam your organisations. For your organisation’s security as much as their own it’s important to encourage employees to keep their accounts private.

Last but certainly not least, your business should incorporate advanced threat protection methods. Your IT department could begin flagging any emails that come from outside your organisation, reviewing them before they’re forwarded on to the recipient. You could also install email security solutions that can automatically detect and warn users of an email that appears to be a threat. They do this by scanning the email content and checking for anomalies like mismatched display names and webpages, link validation and URL screening.

Need help?

The cybersecurity team here at E2E can help your business stay secure against whaling attacks. We can offer managed security packages which feature 24/7 monitoring, incident response and user awareness training. Get in touch with our team today for more information.