Whaling is a specific form of phishing that targets the “big fish”, i.e. people who hold important positions high up in the company, from whom cybercriminals expect to be able to gain access to particularly sensitive data and/or other assets. Due to its focus on upper-level management, whaling is also known as CxO fraud.
According the FBI, whaling accounted for over 26 billion dollars in global damage between 2016 and 2019, and between 2018 and 2019, whaling attacks increased by more than 100 per cent.
While common phishing attacks are aimed at the masses and spear phishing attempts to trick smaller groups of people by sending them falsified e-mails and/or links to bogus websites, whale phishing is an elaborate fraud that is carefully tailored to C-level positions. Favoured victims are those in higher positions in finance departments, because if an attack on them is successful, the result could be losses amounting to several million euros.
Whaling normally involves attackers pretending to be a high-ranking member of an organisation (e.g. a CEO or finance manager), and using their apparent authority to gain access to sensitive information and/or other assets. Employees with a greater sphere of influence are targeted because it is expected that they have access to all areas of a company.
Whaling is based on the assumption that the targets won’t ask questions as the request comes from a person holding an equally high position.
Criminals either use e-mail spoofing or trick their victims to visit a website that has been specifically manipulated for the purposes of the attack. In either case, the initial contact is made from what appears to be a reliable source. As soon as the victim has taken the bait, the attackers attempt to elicit personal or company information from them, or convince them to transfer large sums of money.
Whaling attacks are so dangerous because they are considerably more elaborate than normal phishing attacks. Many times, the e-mail doesn’t just include a near-perfectly falsified header, but also detailed personal information about the victim.
This information generally comes from social media accounts. It can, therefore, happen that a high-level finance department employee receives an extremely well-faked e-mail (apparently) from the company CEO, in which there’s a bit of small talk about the last Christmas party before the instruction to transfer some money or share some confidential information.
Recipients of such e-mails are put in a difficult situation. The (apparent) CEOs request may seem out of the ordinary or maybe this method of communication is unusual for the company. The problem is, however, that the sender seems genuine. After all, they have information, which the recipient believes could only be known by someone at the company.
Secondly, it would take a lot of guts for most employees to decline a request made by a CEO or other high-ranking member of the management. For these reasons, the probability that the employee will do as asked by this apparent CEO is quite high.
Whaling attacks are more dangerous than common phishing because of the amount of detail that goes into them. As the targets tend to be the biggest fish in the company, attackers spend plenty of time carefully planning their attacks, with the result being nearly perfectly falsified e-mails and highly specific content. In some cases, attackers even set up a dedicated e-mail server and register a new domain that is very similar to the target domain.
As soon as the victim is reeled in, attackers can look forward to large sums of money and valuable information, such as data on customers, business processes, employees and finances, which is then usually sold on. There are some occasions, however, when the attackers will use it themselves to extort even greater amounts of money.
All whaling attacks have one thing in common, and that is that the demand made in the fake e-mail seems plausible to the victim. The following are just a few examples of potential scenarios:
The biggest problem with a fraud that relies on social engineering is that technical measures only offer a modicum of protection. Of course, methods such as e-mail encryption and flagging or a sender policy framework can help to identify fake sender addresses, but more often than not, attackers find ways around these defences.
That’s why businesses need to invest in raising awareness among their employees and set clear guidelines for dealing with sensitive data. The following are good ways to spoil the phishing expedition:
Start where your attackers will strike first—with your employees. Cyber security training helps employees to keep security at the forefront of their minds while working, and respond to threats appropriately. Life becomes a lot trickier for attackers when employees are aware of the risks posed by whaling and phishing. There are also some training courses that simulate whaling attacks and have been specifically developed to raise awareness of the danger among C-level mangers.
We all think our social media channels are a personal matter, but information that’s shared publicly often open the door to cybercriminals. This is why businesses should put a focus on social media and make sure their employees know what and how much is shared on Facebook, etc. C-level managers in particular should be careful what information they put out there. The more detailed the publicly accessible information is, the easier it is for a person’s identity to be stolen.
Every company must have clearly defined processes and policies for sharing confidential information and carrying out financial transactions. These processes should include one or more layers of authentication and could, for example, lay out that employees are unable to make any transfers until they’ve been cleared to do so over the phone or in person.
It is furthermore advisable to qualify all corporate data and information so that, for example, you can specify that all information deemed critical must not be shared without the prior consent of the data owner.
Whaling targets employees high up in businesses because the attackers assume that a member of upper management has access to almost every part of the company. In most instances, this assumption is correct as most businesses tend to give their top-level managers extensive access permissions, regardless whether they need them or not. However, the more access rights a whaling victim has, the greater the consequences of a successful attack.
Businesses therefore need to rethink their strategies and adopt a principle of least privilege to ensure that even the highest level managers have only the access rights they really and truly need.
The principle of least privilege is the idea that employees should only have the bare minimum access rights for data and resources at any one time. And that includes the mangers. CEOs and CFOs should also only be able to access the data and resources that they really need to perform their job.
For the principle of least privilege to prevent the worst case scenario in the event of a whaling attack you have to make sure that it is applied consistently throughout the company.
Depending on how many employees your business has, this can be done manually, whereas businesses with hundreds of IT users and/or complex internal workflows and processes that demand a multi-layered access management structure should automate the task.
The tenfold access management software doesn’t just assign permissions automatically and across the entire system (including Active Directory and SAP) in accordance with the principle of least privilege, but also helps you streamline your existing access structures.