Blog — Oct 27, 2017

Whaling: phishing for bigger, more powerful targets

4 minutes read
You’ve probably heard of phishing (and the damage it’s wreaking worldwide), but have you heard of whaling? In this blog we cover what whaling is, how it differs from ordinary phishing, how often it succeeds and what you can do to protect yourself.

What is whaling?

Simply put, whaling is targeted phishing aimed at high-value individuals, such as executives or other C-level employees, who have access to sensitive information or the authority to approve payments.

How are the tactics different from regular phishing emails?

With regular phishing, cybercriminals cast a wide net hoping to catch anyone at all, with no specific target in mind. These emails are typically easier to spot because they are generic and less polished, and consequently look more suspicious.

Whaling, on the other hand, is highly customized and personalized. Whaling attempts usually include the target’s name and job title, as well as any other relevant detail (a current project, a colleague’s name, a recent event) that helps the message look credible.

A whaling email will appear to come from an authority figure or someone you work with, and will usually be marked critical or urgent. Attackers want a quick reaction from their target, so the content will request a task that is routine for that person, such as reviewing a document, approving a wire transfer or installing software. The combination of a familiar sender, a routine request and artificial urgency is what makes the email convincing.

How popular/effective is this type of attack?

Much like regular phishing, whaling is on the rise. It is particularly attractive to attackers because of the size of the reward: a successful attack typically yields either a quick and sizable payout, such as a fraudulent wire transfer, or access to a company’s internal network and highly privileged information.

According to a recent report from PhishMe, 91% of cyberattacks start with a phishing email.[1] As individuals become more aware of phishing, cybercriminals adapt their lures, which is likely why phishing and whaling remain consistently effective. Staying one step ahead means paying close attention to the lures currently in circulation and keeping awareness training current, rather than treating it as a one-time exercise.

eSentire phishing campaigns

eSentire runs simulated phishing campaigns for companies to help employees prepare for inevitable real-world phishing and whaling attacks. These phishing tests are sent company-wide with the intent of tricking users into opening a malicious document, or clicking a link and entering credentials into a fake website.

Each campaign tracks how many recipients viewed the email, opened attachments or clicked links. These results show a company how security-aware its employees are and where it is most exposed. Employers can then use this information to identify the training their employees need and provide it.

What are the biggest takeaways from those tests?

These tests show us how many people, on average, are susceptible to phishing attempts and, more specifically, which types of phishing emails perform best, which indicates how dangerous they would be in a real attack. Clients are often surprised to see how many of their employees click malicious links and enter credentials into a spoofed website.

Of the tests run in 2016, we measured an average open rate of 20% (that’s 1 in 5!) and a click rate of 18%.

These tests demonstrate that phishing remains a reliable way to gather confidential information. No matter how prepared employees think they are, some always fall for the test.

How can senior executives protect against whaling?

Executives can protect themselves in the same way employees should. When you, as an employee (C-suite or otherwise), receive an email instructing you to perform an action, especially anything involving money or software installation, start by verifying that the sender is legitimate. The quickest way to do this is to call the sender using a number you already have (from the company directory, not from the email signature) and confirm that they sent both the email and the request. Do not verify by replying to the email: if the sender’s account has been compromised, the attacker can simply confirm the request themselves.

Secondly, verify every link before clicking it; hovering over a link shows where it actually points, and the visible text and the real destination should agree. If you are ever instructed to go to a specific website, open a browser instead and reach the site through a search engine or by typing the correct URL yourself. Similarly, if you receive an unexpected document, be very cautious about opening it and never enable or authorize executable content (such as macros) that it asks for.
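The sender spoofing and urgency described above, and the link check recommended here, can also be applied mechanically to a reported message. The script below is an added example written for this post, not eSentire’s own tooling: it parses a raw message with the Python standard library and flags a display name that matches a known executive but arrives from an external domain, a Reply-To domain that differs from the From domain, urgency language in the subject, and HTML links whose visible text names a different host than the href. The internal domain example.com, the executive directory and the two sample messages are constructed values for illustration.

```python
"""Whaling indicator checks over a raw email message (added example, not eSentire's code)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed organisation data for the example: our mail domain and the display
# names of executives worth protecting (both are illustrative values).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"alice ceo": "alice@example.com"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|critical|action required)\b", re.I)
# Host name at the start of anchor text, with or without a scheme.
SHOWN_HOST = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def mismatched_links(html: str) -> list:
    """Return hrefs whose anchor text shows a different host than the real target."""
    parser = _LinkExtractor()
    parser.feed(html)
    suspicious = []
    for text, href in parser.links:
        shown = SHOWN_HOST.match(text)          # None for text like "click here"
        real = (urlparse(href).hostname or "").lower()
        if shown and real and shown.group(1).lower() != real:
            suspicious.append(href)
    return suspicious


def whaling_indicators(raw_message: str) -> list:
    """Return human-readable findings for the heuristics; empty list if none fire."""
    msg = message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = _domain(addr)
    findings = []

    # 1. Display-name impersonation: a known executive's name on an external sender.
    key = " ".join(name.lower().split())
    if key in EXECUTIVES and sender_domain != INTERNAL_DOMAIN:
        findings.append(f"display name {name!r} impersonates {EXECUTIVES[key]} "
                        f"but sender domain is {sender_domain!r}")

    # 2. Reply-To steering replies somewhere other than the apparent sender.
    reply_domain = _domain(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {sender_domain!r}")

    # 3. Pressure to act now, typical of whaling lures.
    if URGENCY.search(str(msg.get("Subject", ""))):
        findings.append("urgency language in subject")

    # 4. Links whose visible text disagrees with where they really point.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href in mismatched_links(body.get_content()):
            findings.append(f"link text does not match target {href!r}")
    return findings


# Constructed sample messages for the example (not real traffic).
WHALING_SAMPLE = """\
From: Alice CEO <alice.ceo@example-mail.co>
Reply-To: alice.ceo@mailbox-relay.net
To: bob@example.com
Subject: URGENT: wire approval needed before 5pm
Content-Type: text/html; charset="utf-8"

<p>Bob, approve the payment at
<a href="http://payments.example-mail.co/approve">https://portal.example.com/approve</a>
now. I am in meetings all day, so do not call.</p>
"""

CLEAN_SAMPLE = """\
From: Alice CEO <alice@example.com>
To: bob@example.com
Subject: Q3 planning notes
Content-Type: text/html; charset="utf-8"

<p>Notes are in <a href="https://portal.example.com/notes">portal.example.com</a>.</p>
"""

if __name__ == "__main__":
    for finding in whaling_indicators(WHALING_SAMPLE):
        print("-", finding)
```

Run as a script, it prints four findings for the constructed whaling message and none for the clean one. These are heuristics, not proof: a legitimate message can trip the Reply-To or urgency checks, so the output belongs in a triage or reporting workflow, alongside the out-of-band phone call described above, rather than as a sole blocking rule.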

Finally, if you suspect a phishing email, report it to your company’s security team immediately. This holds true even if you have already fallen for the attack. You are not expected to be invincible, but the sooner your security team learns about the situation, the more likely it is that they can limit the damage.

When it comes to cybersecurity, everyone is at risk. The best way to avoid falling for a phishing or whaling attack is constant diligence: don’t take unnecessary risks online, and consider your actions carefully before taking them. If you are in a position of leadership at your company, your responsibility is two-fold: protect the highly confidential data you have access to, and set a good example for the people reporting to you. The phishers are out there; don’t let them catch a whale.

Rob Watson, Senior Director of Revenue Operations
Throughout his time at eSentire, Rob has held several key positions, including Director, Professional Services, where he managed a team of security consultants that performed hundreds of successful information security audits for organizations around the world in the legal, financial, healthcare, government, extractive and technology sectors. Rob also serves as the authority and primary owner for the eSentire project team on issue management resolution, scope change control/approval and project reporting.