Whaling: phishing for bigger, more powerful targets

You’ve probably heard of phishing (and the damage its wreaking worldwide), but have you heard of whaling? In this blog, we discuss everything you need to know about whaling and how it can impact you.

What is whaling?

Simply put, whaling is the targeted phishing of high value clients, such as executives or C-level employees, with access to sensitive information.

How are the tactics different from regular phishing emails?

With regular phishing emails, cybercriminals will cast a wide net hoping to catch anyone, or anything, with no specific goal in mind. These phishing emails are typically easier to spot because they’re less professional, and consequently look more suspicious.

Whaling, on the other hand, is highly customized and personalized. Whaling attempts often include the target’s name and job title, as well as any other relevant information that will help prove credibility.

A whaling email will look like it’s coming from an authority figure or someone you work with and will usually be marked critical or urgent. Attackers are looking to garner a quick reaction from their target, so the content will include a request to perform a task that is typical for the target, such as reviewing a document, approving a wire transfer or installing software.

How popular/effective is this type of attack?

Much like regular phishing attacks, whaling is on the rise. Of course, whaling is uniquely popular because of the huge rewards that can be gained from a successful attack. These rewards typically come in the form of a quick and sizable payout, or access to a company’s internal network and highly-privileged information.

According to a recent report from PhishMe, 91% of cyberattacks start with a phishing email.[1] As individuals become more aware of phishing attempts, cybercriminals become more creative, which is likely why phishing and whaling remain consistently effective. It is important that individuals stay one step ahead of their attackers and pay close attention to any trends.

eSentire phishing campaigns

eSentire runs simulated phishing campaigns for companies to help employees prepare for inevitable real-world phishing and whaling attacks. These phishing tests are sent company wide with the intent of tricking users into opening a malicious document or clicking a link and entering credentials into a fake website.

The campaign will track the number of people who viewed the email, opened attachments or clicked on any links. These tests help companies understand the security awareness of their employees and the vulnerabilities they face. Employers can then use this information to assess the training needs of their employees and provide that training.

What are the biggest takeaways from those tests?

These tests allow us to see how many people on average are susceptible to phishing attempts, and more specifically, which types of phishing emails perform best, thus indicating how dangerous they could be in a real-world setting. Clients are often very surprised to see how many of their employees click on malicious links and enter credentials into a spoofed website.

Of the tests run in 2016, we discovered an average open rate of 20% (that’s 1 in 5!) and a click rate of 18%.

These tests demonstrate that phishing is still a relatively successful way to gather confidential information. No matter how prepared employees seem to think they are, there are still always people that fall for the tests.

What can senior executives protect against whaling?

Executives can protect themselves in the same way employees should. When you, as an employee (C-suite or otherwise), receive an email instructing you to perform an action—especially anything to do with money or software installation—you should start by verifying that the sender of the email is legitimate. The quickest way to do this is to give the sender a phone call to confirm that they sent both the email and request. If possible, avoid responding to the email—if the email account has been compromised, the attacker can provide false verification.

Secondly, always verify any link before clicking on it. If you’re ever instructed to go to a specific website, open a browser instead and find the actual site through a search engine, or manually enter the correct URL. Similarly, if you receive an unexpected document, be very cautious about opening it and never enable or authorize executable code (like macros).

Finally, if you suspect a phishing email, immediately report it to your company’s security team. This holds true even if you already fell for the attack. You’re not expected to be invincible, but the quicker your security team learns about the situation, the more likely it is that they can limit or reduce any damage.

When it comes to cybersecurity, everyone is at risk. The best way to avoid falling for a phishing/whaling attack is constant diligence. Don’t take unnecessary risks online and consider your actions carefully before committing them. If you are in a position of leadership at your company, your responsibility is two-fold: protect the highly-confidential data you have access to and set a good example for the people reporting to you. The phishers are out there; don’t let them catch a whale.