Blog — Oct 27, 2017

Whaling: phishing for bigger, more powerful targets

You’ve probably heard of phishing (and the damage it’s wreaking worldwide), but have you heard of whaling? In this blog, we discuss everything you need to know about whaling and how it can impact you.

What is whaling?

Simply put, whaling is the targeted phishing of high value clients, such as executives or C-level employees, with access to sensitive information.

How are the tactics different from regular phishing emails?

With regular phishing emails, cybercriminals will cast a wide net hoping to catch anyone, or anything, with no specific goal in mind. These phishing emails are typically easier to spot because they’re less professional, and consequently look more suspicious.

Whaling, on the other hand, is highly customized and personalized. Whaling attempts often include the target’s name and job title, as well as any other relevant information that will help prove credibility.

A whaling email will look like it’s coming from an authority figure or someone you work with and will usually be marked critical or urgent. Attackers are looking to garner a quick reaction from their target, so the content will include a request to perform a task that is typical for the target, such as reviewing a document, approving a wire transfer or installing software.

How popular/effective is this type of attack?

Much like regular phishing attacks, whaling is on the rise. Whaling is uniquely popular because of the huge rewards that can be gained from a successful attack. These rewards typically come in the form of a quick and sizable payout, or access to a company’s internal network and highly privileged information.

According to a recent report from PhishMe, 91% of cyberattacks start with a phishing email.[1] As individuals become more aware of phishing attempts, cybercriminals become more creative, which is likely why phishing and whaling remain consistently effective. It is important that individuals stay one step ahead of their attackers and pay close attention to any trends.

eSentire phishing campaigns

eSentire runs simulated phishing campaigns for companies to help employees prepare for inevitable real-world phishing and whaling attacks. These phishing tests are sent company-wide with the intent of tricking users into opening a malicious document or clicking a link and entering credentials into a fake website.

The campaign will track the number of people who viewed the email, opened attachments or clicked on any links. These tests help companies understand the security awareness of their employees and the vulnerabilities they face. Employers can then use this information to assess the training needs of their employees and provide that training.

What are the biggest takeaways from those tests?

These tests allow us to see how many people on average are susceptible to phishing attempts, and more specifically, which types of phishing emails perform best, thus indicating how dangerous they could be in a real-world setting. Clients are often very surprised to see how many of their employees click on malicious links and enter credentials into a spoofed website.

Of the tests run in 2016, we discovered an average open rate of 20% (that’s 1 in 5!) and a click rate of 18%.

These tests demonstrate that phishing is still a relatively successful way to gather confidential information. No matter how prepared employees think they are, there are always some people who fall for the tests.

How can senior executives protect against whaling?

Executives can protect themselves in the same way employees should. When you, as an employee (C-suite or otherwise), receive an email instructing you to perform an action—especially anything to do with money or software installation—you should start by verifying that the sender of the email is legitimate. The quickest way to do this is to give the sender a phone call to confirm that they sent both the email and request. If possible, avoid responding to the email—if the email account has been compromised, the attacker can provide false verification.

Secondly, always verify any link before clicking on it. If you’re ever instructed to go to a specific website, open a browser instead and find the actual site through a search engine, or manually enter the correct URL. Similarly, if you receive an unexpected document, be very cautious about opening it and never enable or authorize executable code (like macros).

Finally, if you suspect a phishing email, immediately report it to your company’s security team. This holds true even if you already fell for the attack. You’re not expected to be invincible, but the quicker your security team learns about the situation, the more likely it is that they can limit or reduce any damage.
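The checks described above (sender legitimacy, link verification, urgent requests for money or software) can also be applied mechanically by a mail security team. The following is an added example, not eSentire's own tooling: it runs simple heuristics over a constructed whaling-style message; the internal domain and the keyword lists are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of a whaling-style message (not a real email; look-alike domain uses a digit 1).
SAMPLE = """From: "Jane Doe, CEO" <ceo@examp1e-corp.test>
Reply-To: jane.doe@mail-relay.test
To: cfo@example-corp.test
Subject: URGENT: approve wire transfer before 5pm

Please review and approve today: <a href="http://login.examp1e-corp.test/approve">https://portal.example-corp.test/approve</a>
"""

# Assumed keyword lists; tune to the organisation's own mail flow.
URGENCY = ("urgent", "immediately", "asap", "critical", "today")
REQUESTS = ("wire transfer", "approve", "invoice", "install", "review the document", "enable macros")


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def whaling_indicators(raw, internal_domain):
    """Return the names of the heuristic indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    found = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # Display name suggests an internal authority figure, but the address is not on our domain.
    if domain(from_addr) != internal_domain:
        found.append("external_sender")
    # Replies are silently redirected to a mailbox other than the visible sender.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        found.append("reply_to_mismatch")
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in URGENCY):
        found.append("urgent_subject")
    body = msg.get_payload()
    if any(r in body.lower() or r in subject for r in REQUESTS):
        found.append("action_request")
    # Anchor text shows one URL while the href actually points somewhere else.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and shown.lower() != (urlparse(href).hostname or "").lower():
            found.append("link_text_mismatch")
    return found
```

A message that trips several indicators at once is a good candidate for the phone-call verification described above rather than for a reply.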

When it comes to cybersecurity, everyone is at risk. The best way to avoid falling for a phishing/whaling attack is constant diligence. Don’t take unnecessary risks online and consider your actions carefully before committing them. If you are in a position of leadership at your company, your responsibility is two-fold: protect the highly-confidential data you have access to and set a good example for the people reporting to you. The phishers are out there; don’t let them catch a whale.

Rob Watson, Senior Director of Revenue Operations
Throughout his time at eSentire, Rob has held several key positions, including Director, Professional Services, where he managed a team of security consultants that performed hundreds of successful information security audits for organizations around the world in the legal, financial, healthcare, government, extractive, and technology sectors. Rob also serves as the authority and primary owner for the eSentire project team on issue management resolution, scope change control/approval, and project reporting.