Hunting a whale: whaling phishing as a threat to companies
Phishing is a widely utilized method by cybercriminals to extract data. Every day, hundreds of companies are exposed to attacks using manipulated messages. Cyber threats tend to evolve and transform into new forms, which is why we currently encounter various types of phishing. We have decided to take a closer look at the one targeting large companies and corporations, known as whaling phishing. What exactly is whaling phishing and how can it harm a company? How does the hunt for a "whale" unfold in the virtual world? You will find out below.
What is Whaling Phishing?
In another article explaining what spear phishing is, we used the metaphor of the sea. We will employ it again here, as it fits whaling phishing perfectly.
Imagine the internet as a vast sea, inhabited by diverse creatures —users. The smallest fish represent private individuals, while larger ones represent employees and managers of small and medium-sized companies. Occasionally, among them, there swims a massive whale — a member of the executive team in a large enterprise or corporation. Such an individual has access to incredibly valuable company data, which hackers are eager to obtain.
As an experienced angler, a cybercriminal decides to hunt for this precious target. If they were to simply cast a line and patiently wait for any fish to bite the bait, we would be dealing with classic phishing. However, they have their eyes set on something special—a whale.
To capture such a massive specimen, a hacker must invest much more effort than when catching smaller fish. A regular fishing rod (meaning a generic phishing message sent to random recipients) is no longer sufficient. They must first spot a specific whale beneath the water's surface and gather as much information as possible about its habits to understand how to catch it. Then, they need to weave a strong and intricate net (a highly personalized phishing message). Great care must be taken when casting this net, as otherwise, the whale might sense the deceit and swim away.
Therefore, whaling phishing is an exceptionally sophisticated variant of phishing, targeting the executive management and high-ranking officials in large companies and corporations. Thanks to its personalization, it proves to be incredibly effective.
How does a whaling attack work?
Whaling phishing focuses on individuals in high positions within a company. These individuals have access to confidential information that ordinary employees do not. Additionally, they hold decision-making authority, such as approving transfers of multimillion-dollar amounts. Few would question their actions. If they believe the received message and make a decision based on it, the company may face challenging times.
Attackers often impersonate the CEO, CFO, or other high-ranking executives. They send meticulously crafted phishing emails to selected members of the management team. They might request urgent authorization for an important transfer, ask for authentication credentials to access company resources, or request the submission of confidential documentation. At first glance, everything seems highly credible—the appearance and content of the email, as well as professional or personal details that a third party should theoretically not know.
Much depends on the depth of research the fraudster manages to conduct. Typically, they start by browsing through the victim's accounts on social media platforms (e.g., LinkedIn, Facebook), gaining insights into both their work and personal life. People often underestimate how much information can be gleaned from such sources. The targeted individual might not even recall that the information mentioned in the phishing message was something they previously shared on their profile. Consequently, they believe they are communicating with someone who genuinely knows them.
According to Mimecast's data, in 70% of whaling phishing cases the criminals use domain spoofing: they register a lookalike domain and create an email address nearly identical to the original one, differing by a single letter or exploiting visually similar characters (e.g., a lowercase "l" or capital "I" and the numeral "1"). If the recipient doesn't scrutinize the address closely, they will not notice the difference. Note that DMARC enforcement on your own domain blocks messages that forge your exact domain in the From header, but it does nothing against a lookalike domain the attacker legitimately owns; catching those requires a check on the receiving side.
Upon receiving a phishing email, the victim has no reason to question its authenticity. After all, the sender's address appears legitimate, and the content is filled with numerous details. This is why a member of the executive management might automatically follow the instructions contained in the email, especially when overwhelmed by tasks and associated haste.
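The lookalike-domain trick described above is the one technical point on this page that lends itself to a concrete check. The following is an added example, not code from the original article or from any vendor mentioned here: it canonicalizes a sender domain (case, accents, common character substitutions such as "1" for "l" and "rn" for "m") and compares it against a list of the organisation's own domains, flagging anything that collapses to, or sits within a small edit distance of, a protected domain. The domain `example-corp.com`, the sample addresses and the 0.9 threshold are all assumptions made up for the demonstration.

```python
import unicodedata
from difflib import SequenceMatcher

# Domains the organisation legitimately sends from (hypothetical list for this example).
PROTECTED_DOMAINS = ["example-corp.com"]

# Multi-character sequences commonly used to imitate a single letter.
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w", "cl": "d"}
# Single characters commonly substituted for a letter they resemble.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "|": "l", "!": "i",
                                  "3": "e", "5": "s", "$": "s"})


def canonicalize(domain: str) -> str:
    """Reduce a domain to a form in which common lookalike tricks collapse.

    'Examp1e-Corp.com', 'exarnple-corp.com' and 'exámple-corp.com' all map to
    'example-corp.com'. The protected domains are passed through the same function,
    so a comparison is always canonical-to-canonical.
    """
    d = domain.strip().lower().rstrip(".")
    # Decode IDN (punycode, 'xn--...') labels to their Unicode form; a domain that is
    # already non-ASCII cannot be ASCII-encoded and is simply left as is.
    try:
        d = d.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    # NFKD plus dropping combining marks turns accented letters into their base letter.
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))
    d = d.translate(CONFUSABLE_CHARS)
    for seq, replacement in CONFUSABLE_SEQUENCES.items():
        d = d.replace(seq, replacement)
    return d


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def classify_sender(address: str, threshold: float = 0.9) -> dict:
    """Classify a sender address as 'internal', 'lookalike' or 'external'.

    'internal'  - the domain is exactly one of ours.
    'lookalike' - not ours, but canonicalizes to, or is very close to, one of ours.
    'external'  - an unrelated third-party domain.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    canon = canonicalize(domain)
    best_match, best_score = None, -1.0
    for protected in PROTECTED_DOMAINS:
        if domain == protected:
            return {"verdict": "internal", "domain": domain,
                    "closest": protected, "score": 1.0}
        protected_canon = canonicalize(protected)
        score = 1.0 if canon == protected_canon else similarity(canon, protected_canon)
        if score > best_score:
            best_match, best_score = protected, score
    verdict = "lookalike" if best_score >= threshold else "external"
    return {"verdict": verdict, "domain": domain,
            "closest": best_match, "score": round(best_score, 3)}


if __name__ == "__main__":
    # Constructed sample senders; none of these addresses are real.
    for sender in ["ceo@example-corp.com",        # genuine
                   "ceo@examp1e-corp.com",        # digit 1 for letter l
                   "cfo@exarnple-corp.com",       # "rn" for "m"
                   "ceo@exámple-corp.com",        # accented homoglyph
                   "ceo@exampIe-corp.com",        # capital I for l (caught by distance)
                   "ceo@example-corp.co",         # truncated TLD
                   "billing@partner-supplier.net"]:
        print(f"{sender:32} -> {classify_sender(sender)}")
```

In practice this check sits in the mail gateway or in a rule that tags the message with an "external lookalike sender" banner; the canonical-form match catches the substitutions you enumerate, and the similarity ratio is the safety net for the ones you did not. Tune the threshold against your own domain list, since short domains produce higher ratios for unrelated strings.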
What are the differences between whaling phishing and regular phishing?
1) Target of the Attack: Classic phishing targets random victims. It doesn't focus on individuals but aims at a broad group of internet users, some of whom will fall for the deception, while others won't. On the other hand, whaling phishing zeroes in on a specific decision-maker within a company, such as the CEO.
2) Preparation for the Attack: In the case of regular phishing, a hacker prepares a phishing message that doesn't require too much effort. However, a whaling attack involves meticulous prior research. To increase its chances of success, the criminal invests significant time in getting to know their target—understanding their responsibilities, role within the organization, habits, preferences, acquaintances, and more.
3) Attack Method: Classic phishing relies on a relatively simple, generic message that deceitfully prompts a random recipient to share their login credentials. On the other hand, whaling phishing is built upon a detailed, intricately crafted message that appears as credible as possible. The hacker replicates the company's logo and footer, creates an email address strikingly similar to the official one, and employs the communication style used within the company.
4) Goal of the Attack: In the case of regular phishing, hackers often aim to obtain login credentials, such as for bank accounts or email accounts. On the other hand, whaling phishing is primarily employed to acquire valuable corporate information: confidential documents, trade secrets, plans and projects, access to financial accounts, and more.
5) Consequences of the Attack: Every successful attack poses a threat to a company and comes with numerous challenges that the victim must contend with. However, classic phishing and whaling phishing greatly differ in scale. A whaling attack targets a decision-maker within a company where hundreds of people may be employed. If sensitive corporate data is compromised, the future of a massive organization is put into question.
What Are the Risks for a Company from Whaling Phishing?
Whaling phishing, due to its sophistication, is significantly more effective and dangerous than regular phishing. It targets large companies, thus potentially causing massive financial losses.
In 2015, Ubiquiti Networks Inc., a network equipment manufacturer, discovered that a subsidiary in Hong Kong had transferred $46.7 million to accounts controlled by the fraudsters. It turned out to be the result of a whaling attack in which the criminals impersonated senior management to the finance staff. The company took legal action but recovered only a portion of the amount, $8.1 million.
Hackers also targeted the toy maker Mattel in 2015. A finance executive received an email from the newly appointed CEO requesting a $3 million foreign payment to a Chinese supplier. The transfer was made. Shortly afterwards the two spoke, and it emerged that the CEO had never initiated any payment. The incident was reported immediately. Mattel was fortunate: because of a bank holiday in China the funds had not yet reached the designated account, and they were recovered. Not every company can expect such a fortunate outcome.
An effective whaling attack results in more than financial losses. It leads to the theft of valuable data, such as trade secrets, causing a loss of competitive advantage. Such incidents also cause significant reputation damage or even complete loss, eroding trust from customers and business partners. Often, legal consequences follow, including fines, compensations, and legal fees.
How can you protect your company from whaling phishing and other cyber threats? Conduct a free cybersecurity audit to uncover vulnerabilities in your defenses. Additionally, visit our blog regularly, as well as our fan page or LinkedIn profile, where we share valuable insights on cybersecurity.