Cyber crime is becoming a threat that grows ever more serious as our personal and work lives become more digitized. Hackers are more determined than ever and are coming up with increasingly sophisticated malware to infect computers and hurt users.
One of the most damaging techniques cyber criminals use to meet this dishonorable goal is whaling attacks. These can be defined as a type of phishing attack targeted at a company’s top executives, usually the chief executive officer (CEO) or the chief financial officer (CFO).
This article explores what whaling attacks are and the connection this approach has to phishing attacks. We also spell out why hackers use whaling and what they hope to gain by doing so.
Phishing and How Whaling Attacks Work
It’s easier to understand what a whaling attack is, why it’s used, and how it works by first looking at phishing attacks. A phishing attack is a social engineering security attack that tries to trick targets into revealing sensitive or valuable information. Phishing scams usually target a user’s financial information (like their bank account and credit card details), login credentials, company data, or anything else that could potentially be valuable.
Cyber criminals who use phishing attacks are particularly interested in large organizations and companies. The sheer size and bulkiness of these targets provide ample opportunity for attackers to find holes in their security systems.
One employee falling for a phishing scam could put the entire organization at risk, which has prompted many to invest in data security and cybersecurity awareness training for employees. Phishing attacks can be divided into two categories:
Phishing in Bulk
This can be likened to fishing with a trawl net: Hackers cast their nets wide by sending out thousands of emails, hoping to reel in a few hapless minnows who will click on a nefarious link or take some other ill-advised action.
Spear Phishing
This type of phishing attack is more targeted and aimed at one person. You can liken it to harpoon fishing, which uses a long spear to target a single large fish. Hackers pick a carefully chosen victim and craft emails with that person in mind. The idea here is to wait patiently until the big fish you targeted falls into the trap.
Whaling is a spear phishing technique, and the whales in this case are members of a company’s C-suite. They are the biggest fish in the sea, and thanks to the fact that they normally receive comprehensive cybersecurity awareness training, they are the hardest to catch. Hackers who manage to harpoon one, however, stand to make a lot of money.
Why Whaling Attacks Target Company Executives
Cyber criminals covet company executives because they have access to a higher level of information and resources than do lower-placed employees. Executives are also particularly vulnerable to well-crafted emails that put them under added pressure, given the high-stress nature and demands of jobs at that level.
Whaling attacks usually try to influence targets to make a high-pressure choice. Examples of email subject lines could include:
- “Your account will be closed if you do not log in immediately”
- “Fwd: Urgent: Wire Transfer”
- “I forgot to forward this earlier, now we’re almost out of time”
Whaling attack emails are more sophisticated than your regular phishing email, making them particularly persuasive. Targets can typically expect:
- Personalized content containing information particular to the targeted organization or individual
- A sense of urgency aimed at pressuring the target into taking the desired action
- Convincing and proper use of business language and tone
These elements of a whaling attack email make them seem authentic and more likely to convince their audience.
Whaling Attacks vs. Other Types of Cyber Attacks
The cybercrime landscape is complex and ever-evolving, so it’s common to find different tactics in one attack. Whaling is a separate kind of spear phishing attack against a specific highly placed executive, but it can be part of a larger whole.
Some types of cyberattacks that can involve whaling if they specifically target a company executive include:
Business Email Compromise (BEC)
This is a phishing attack that involves a compromised corporate email address.
Wire Transfer Phishing
This is a phishing attack that involves invoice fraud.
Credential Phishing
This aims at stealing login credentials.
Smishing
This is phishing done through SMS.
Vishing
This takes place via voice, such as through phone calls or VoIP solutions.
A whaling attack might also be a business email attack meant to trick the receiver into sending money into a particular account under the attacker’s control.
A whaling attack can sometimes be confused with another cyberattack, CEO fraud, but they’re different. The attacker in a CEO fraud attack impersonates a company exec and targets someone less senior, using the authority of the person they’re imitating to get what they want.
Hackers never miss a trick, though; they often merge CEO fraud with whaling by impersonating one company executive and targeting another, carting away huge sums of money whenever their efforts prove successful.
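The pressure cues in the subject lines listed earlier and the executive impersonation described here are exactly the signals a mail gateway can score before a message reaches an inbox. The following is an added example, not code from the original article or from Shred Cube; the executive directory, the domains and both messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed executive directory (assumption for this example): display names
# attackers may imitate, mapped to the only address each person sends from.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Pressure cues drawn from the kinds of subject lines the article lists.
URGENCY = re.compile(
    r"urgent|immediately|wire transfer|out of time|account will be closed", re.I)

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_message(raw):
    """Return (score, reasons) for one RFC 5322 message string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    if URGENCY.search(msg.get("Subject", "")):
        reasons.append("urgency cue in subject")
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append("executive display name with unexpected address")
    if reply_to and domain(reply_to) != domain(addr):
        reasons.append("reply-to domain differs from sender domain")
    return len(reasons), reasons

def triage(raw):
    """Two or more independent signals together are enough to hold the mail."""
    score, _ = score_message(raw)
    return "hold for review" if score >= 2 else "deliver"

# Constructed sample messages (not real mail); domains are reserved examples.
IMPERSONATION = """From: Jane Doe <jane.doe@example.net>
Reply-To: finance-desk@example.org
Subject: Fwd: Urgent: Wire Transfer
To: cfo@example.com

I forgot to forward this earlier, now we're almost out of time.
"""
LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
Subject: Board deck for Thursday
To: cfo@example.com

Draft is in the shared folder.
"""

if __name__ == "__main__":
    for raw in (IMPERSONATION, LEGITIMATE):
        print(triage(raw), score_message(raw)[1])
```

A single signal on its own (an urgent subject from a genuine executive, say) is deliberately not enough to hold a message, which keeps the false-positive rate tolerable for the people this check is meant to protect.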
Consequences of Whaling Attacks
The consequences of a whaling attack are usually devastating to both the individual and the organization they belong to. Attackers can also have different goals in mind, and the resulting losses include:
Financial Loss
A considerable percentage of whaling attacks are motivated by financial fraud, wherein an attacker impersonates a supplier or partner, requesting a transfer of funds.
Loss of Data
Information is attractive to hackers, and they frequently use whaling attacks to get it. Data breaches often result when hackers trick members of a C-suite into clicking through to websites infected with malware.
Loss of Reputation
Individuals and companies stand to lose significant respect should they ever fall victim to a whaling attack. Financial institutions like hedge funds, for example, could lose customers who no longer have faith in their ability to keep their capital safe.
Some individuals and organizations are hit so hard by these consequences that they never recover, sometimes shutting down. That’s why it’s better to prevent a whaling attack than to fix the damage caused by one.
One Step Toward Better Cybersecurity: Digital File Shredding
Whaling attacks can be devastating, but there are ways to minimize the damage they can cause. The Shred Cube digital file shredder can help you keep sensitive data from the reach of hackers.
Our innovative USB shredding tool has an intuitive drag-and-drop interface to easily delete files permanently. Contact Shred Cube for more information about how digital file shredding can protect your information.