Whaling attacks see hackers target senior executives, using social engineering to trick them into transferring funds or handing over bank details.
Whaling is often spoken about in the same breath as phishing - but a whaling scam is typically far more sophisticated and harder to clock. In this guide, we’ll define what a whaling attack is, take a look at common techniques, and explain what can be done to identify and deter whaling attempts.
What is a whaling attack?
Essentially, a cybercriminal will assume a false identity - a CFO, senior management, or someone similar - and leverage this false position when targeting an important person in a company. This person will often have access to sensitive information (both company and customer), and it’s this information that the cybercriminal is after, as well as money.
It’s not as simple as demanding cash from these higher-ups, though. The cybercriminal will often encourage the target to click on a link (which then takes them to a malicious site), divulge further details about the business or staff (to propagate more attacks), or initiate a transfer of funds.
Hackers intending to commence a whaling attack will often look toward the financial sector, but have recently also shifted their attention to e-commerce companies, cloud storage sites, and other online services.
Whaling is doubly dangerous as it doesn’t require an in-depth knowledge of hacking - only attention to a person’s social media and some incredibly persuasive writing. The impact such an attack can have on a company, however, is massive. Even tech giants like Snapchat are not immune to whaling scams. In 2016, an employee was targeted and coerced into handing over payroll data.
But why is it called whaling?
To understand whaling, we have to define phishing - this is a cyber attack wherein a hacker sends out a ton of emails in the hopes that some folks will click the links inside. If they do, they’ll likely be redirected to a malicious site that’s primed to snatch their personal data.
Whaling, however, hones right in on one target. This target is often a high-level, influential person, and the hacker will assume a similarly “important” identity to contact them. So, “whaling” refers to the value of the “catch”!
Signs of a whaling attack
So, now we’re familiar with what a whaling attack is, how can you spot one in the wild? Typically, a hacker attempting such an attack will employ a few of the methods below to avoid suspicion and trick a target into transferring funds.
🤳Scouring social media
A hacker can glean an awful lot of information about a target by combing through their social media pages. Then, this can be used to craft a highly personalized attack. Information like job title, geographical location, and even details about friends and family can all be used by a hacker - either to create false familiarity or to intimidate. Check out our social media privacy guide for some top tips on how to secure your accounts.
🧐Attention to detail
And it’s not just the target themselves that a hacker will familiarize themselves with. In order to create a tailored attack, a hacker will take on an appropriately business-like tone in any correspondence, and may pepper emails with references to “colleagues” in the field as well as industry terms. All of this makes it that much harder to tell that the message has come from a malicious outsider, and not a peer.
👩‍💻Legitimate-looking links and sites
A wily hacker will create an email address that doesn’t look suspicious - in fact, you might be forgiven for thinking it belongs to a legitimate company. Clicking on any logos or links in the hacker’s email could take the target to an exquisitely made website, created for the sole purpose of deceiving them, and riddled with malware ready to collect information or infect the target’s device.
☎️Phony phone calls
Wily hackers create bespoke sites, but the more brazen ones will actually follow up whaling emails with a phone call if they have the applicable contact details. A phone call lends legitimacy to the email and gives the interaction a “human” touch which, as a result, could make the target less suspicious, and more willing to go along with any requests.
How to prevent whaling
Whaling attacks are, by their nature, sophisticated and subtle, which doesn’t make them easy to identify. But staff members can take certain measures to ensure they’re aware of the dangers of whaling - and the telltale signs of an attack in progress.
- Ask yourself if you’re familiar with the sender of any unsolicited emails - particularly if the email content mentions finances of any sort, or requests for information.
- Examine email addresses and unexpected links by hovering over them to view them in their entirety - don’t click on anything you’re uncertain of, and don’t be afraid to run company names through Google to see if you’re being contacted by a known scammer.
- Be mindful of how much information is shared on social media - it’s fun to share birthday snaps and news about internal promotions, but it’s also data a hacker can use when crafting their targeted emails.
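The three checks above can also be automated as a first-pass triage of an incoming message. The script below is an added example written for this guide, not code from the original article: it assumes a company domain of `example-corp.com` and runs over a constructed whaling-style email, flagging finance wording, a sender domain that merely resembles the company’s own, a display name that names the company while the address does not, and links whose visible text points somewhere other than their real target.

```python
"""Added example: apply the guide's whaling checks to one email message."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-corp.com"  # assumed: the reader's own company domain
FINANCE_WORDS = ("wire", "transfer", "invoice", "payroll", "bank details")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _edit_distance(a, b):
    """Levenshtein distance; a small non-zero value means a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw_email):
    """Return a list of warnings for a single-part text/html message."""
    msg = message_from_string(raw_email)
    warnings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # Do you really know the sender? Catch near-miss spellings of our domain.
    if sender_domain != COMPANY_DOMAIN and _edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
        warnings.append(f"lookalike sender domain {sender_domain!r} vs {COMPANY_DOMAIN!r}")
    if COMPANY_DOMAIN in display.lower() and sender_domain != COMPANY_DOMAIN:
        warnings.append(f"display name {display!r} claims the company, address does not")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    # Hover check, automated: does the link text name a different host than the href?
    for href, text in LINK_RE.findall(body):
        target = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = (urlparse(shown if "://" in shown else "http://" + shown).hostname or "").lower()
        if "." in shown_host and shown_host != target:
            warnings.append(f"link shows {shown!r} but goes to {target!r}")
    # Finance or information requests deserve a second look.
    hits = [w for w in FINANCE_WORDS if w in body.lower()]
    if hits:
        warnings.append("finance/transfer wording: " + ", ".join(hits))
    return warnings

# Constructed sample: a capital I stands in for the l in "example".
SAMPLE = """\
From: "Jane Doe - example-corp.com CFO" <jane.doe@exampIe-corp.com>
To: cto@example-corp.com
Subject: Urgent wire before close of business
Content-Type: text/html

<p>Please approve the wire transfer today. Details are on the
<a href="https://exampie-corp-portal.net/login">portal.example-corp.com/invoices</a> page.</p>
"""
```

Running `triage(SAMPLE)` yields four warnings, one for each check; a routine internal message from the real domain with matching link text yields none.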