Whale phishing

It is widely known that phishing is one of the greatest threats to our security, largely because people on the receiving end of such attacks must not only know that phishing exists but also remain alert to the fact that an attack can arrive when least expected.

Whale phishing is a more targeted approach to phishing with the potential of costing one’s organisation an excessive amount of money.

A variant of phishing called “whale phishing” has emerged in recent years. The term, a play on phishing for the biggest fish, the whales, describes a more targeted approach. Whale phishing exclusively targets prominent individuals in organisations in order to obtain the highest pay-out, for example, but not limited to, money, intelligence or influence.

In many ways the attack patterns are reminiscent of spear phishing, but with a very clear indication of which type of individual the campaign's immediate victim will be. With the potential of costing one’s organisation an excessive amount of money, whale phishing is an important possibility to consider in day-to-day operations.

Recognising the whaler on the horizon

Just like your average phishing attempt, most whale phishing attempts start with a lead. Normally that could be anything from the unconvincing, run-of-the-mill “you have won a million dollars” mail to the sneakier “the IT department needs you to patch your computer” scam.

However, in whale phishing the leads are often much stronger and highly convincing. In other words, these attempts are made by individuals highly skilled in social engineering who have researched your business closely and may know of many ways to infiltrate your flow of information that most people would never have considered.


For example, an attack surface could be a busy department that handles a large throughput of information. A whale phishing attack might use this opportunity to assume the identity of an accountant and request a transaction that, under normal circumstances, would seem completely innocuous to a CEO. By infiltrating the social infrastructure of the organisation, the scammer may bypass any doubt that would have arisen had a person of lower authority made the same request.

A real-life example of this happened in 2016, when the European company Pathé experienced what whale phishing may result in if executed successfully. The company lost over 21 million USD after attackers posed as high-ranking staff and emailed both the CEO and the CFO with requests for a transfer of over 800,000 EUR to the malicious actors, with more funds being extracted afterwards, for a total of 19.2 MEUR. The executives failed to recognise the patterns of the attack, and hence the company fell victim to whale phishing.


Whale phishing is not limited to social engineering alone, of course; the examples above are just some of many. Malware can be part of the picture, as can impersonating phone calls and messages through other media. Attackers may also use several means of communication to establish a bond of trust and legitimacy.

Outside of infosec environments, a similar scam called business email compromise (BEC), also referred to as the “CEO scam”, may be better known. It is similar to whale phishing, except that the roles are reversed: the scammer assumes the identity of a high-ranking person in order to use that authority to trick those of lower authority in the organisation. It is important to distinguish between these attack types, as the methods of protecting against them are quite different.

Sinking the whaler

The difficult part of dismantling whale phishing attempts is that they are, in essence, engineered as carefully planned traps. One person cannot be expected to protect themselves alone from such threats.

It is important that all staff are made aware of social engineering and how to call the bluff. Awareness training alone can go a long way towards countering many attempts. For high-ranking individuals in particular, awareness training in the specific attack patterns of whale phishing may be highly beneficial. Such training may include noticing spoofed emails, recognising urgent requests to make a difficult decision, and having such individuals routinely double-check the authorisations they give, such as a signature.

One may also want to invest in email protection and endpoint protection so that attempts to infiltrate the social infrastructure of the organisation are discovered at a much earlier stage. Employing organisation-wide multi-factor authentication (MFA) is also a strong protection against an attacker assuming the identity of an employee and may make many social-engineering attempts much more difficult.
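As an added illustration of the kind of check an email-protection layer can apply before a message reaches an executive or an accounts team, the following script triages raw message headers for the signs discussed above: an executive's display name on an address that is not theirs, a lookalike sender domain, a Reply-To that diverts answers elsewhere, a failed DMARC/SPF verdict recorded by the gateway, and pressure language in the subject or body. This is example code written for this page, not the author's or Sorasec's tooling; the organisation domain `example.com`, the `EXECUTIVES` directory, the `URGENCY_TERMS` list and both sample messages are constructed assumptions.

```python
"""Heuristic triage of inbound mail headers for executive impersonation.

Added example, not from the original post. ORG_DOMAIN, EXECUTIVES and the
sample messages are constructed; a real deployment would read them from the
directory and the mail gateway.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed organisation domain

# Constructed executive directory: display name -> the only legitimate address.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",   # CEO (constructed)
    "john roe": "john.roe@example.com",   # CFO (constructed)
}

# Wording typical of pressure to approve a payment without the usual checks.
URGENCY_TERMS = ("urgent", "immediately", "confidential", "wire transfer", "before close")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: str) -> dict:
    """Return the findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    findings = []

    # 1. A known executive's name on an address that is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        findings.append("display-name impersonation")

    # 2. Sender domain is a near miss of our own (typosquat / homoglyph).
    if domain != ORG_DOMAIN and levenshtein(domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike domain")

    # 3. Replies silently routed somewhere other than the visible sender.
    if reply_to and reply_to.lower() != addr:
        findings.append("reply-to mismatch")

    # 4. The gateway's own DMARC/SPF verdict, if it recorded one.
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        findings.append("authentication failure")

    # 5. Pressure language in subject or body (plain-text messages only here).
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency language")

    return {"from": addr, "findings": findings, "score": len(findings)}


# Constructed sample messages for a stand-alone run.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.invalid
To: accounts@example.com
Subject: Urgent: confidential wire transfer
Authentication-Results: mx.example.com; dmarc=fail header.from=examp1e.com

Please process the attached wire transfer immediately and keep this confidential.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget review
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Attached are the slides for Thursday's budget review.
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS, LEGITIMATE):
        print(triage(sample))
```

The score is only a triage aid: a message that trips the display-name or lookalike-domain checks is worth holding for a second channel of verification (a phone call to the known number of the executive) regardless of how the other heuristics fall, which is exactly the routine double-check the training described above aims to instil.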

Author: Maxine Brandal Vågnes, Security Analyst, Sorasec
