Whaling attacks commonly use the same techniques as spear phishing campaigns. Beyond those, malicious actors have been observed using a few additional tactics:
Infiltrate the network: A compromised executive’s real account is more effective than a spoofed email address, because mail sent from it is genuine and arrives from the organization’s own domain. As noted by Varonis, attackers may therefore use malware and rootkits to gain a foothold in the target’s network and take over such an account.
Follow up with a phone call: The United Kingdom’s National Cyber Security Centre (NCSC) learned of several instances where attackers followed up a whaling email with a phone call confirming the email request. This social engineering tactic helped to assuage the target’s fears that there could be something suspicious afoot.
Go after the supply chain: Additionally, the NCSC has witnessed a rise in instances where malicious actors have used information gathered from targets’ suppliers and vendors to make their whaling emails appear to come from trusted partners.
Phishing involves tricking someone into revealing sensitive information through an electronic communication. For example, the target may get an email from what appears to be a trusted source. The email may claim the target has to take quick action to rectify a problem. To do this, they must click a link in the email. This link brings them to a fake site that appears to be legitimate. It may have logos or fonts used by the real site it is trying to impersonate. The victim, while on the site, is prompted to enter their login credentials. What they enter goes straight to the attacker, who can then go to the real site and use the victim’s credentials to access their account.
This can be done with a bank or other financial account. The attacker may then transfer money to their own account or that of an accomplice.
Spear phishing is much like phishing, but it focuses on a particular victim. A generic phishing attack may use a list of email addresses, sending the same communication, or similar ones, to everyone on the list. A spear phisher, by contrast, uses details about the target’s identity and activities to make the communication seem more legitimate.
For example, if the attacker were to see the person use an ATM at a certain location, they could include that activity in the email. They could say something like, “We noticed your card information may have been copied by a card-skimming device when you used the Chestnut Hill ATM on Grove St. yesterday at 12:07 p.m. Please click here to log in to your account and change your password.”
When the victim logs in, they enter their existing login credentials, which are collected by the attacker. When they then “change” their password, nothing actually happens on the real account. The attacker could even change the password for real by logging in to the genuine site with the captured credentials.
Whaling is like spear phishing in that it involves a targeted attack. It differs in who is targeted: the victims are senior executives and other high-value individuals (the “whales”), and the attacker typically impersonates an associate, colleague or trusted partner of the victim to gain their trust. This combination of a high-value target and impersonation of someone the victim knows is what distinguishes it from ordinary spear phishing and phishing.
Examples of Whaling Attacks
How to Defend Against Whaling
Whaling attacks work in part because executives often do not participate in security awareness training alongside their employees. To counter the threats of CEO fraud and W-2 phishing, organizations should mandate that all company personnel, executives included, participate in security awareness training on an ongoing basis. Organizations should also build a second, independent verification step into their financial authorization processes (often described as adding a multi-factor authentication channel), for example a call to a known phone number, so that no one can authorize a payment on the strength of an email alone. This matters even where inbound mail is filtered well: a message sent from a compromised executive’s real account passes every sender check, so only out-of-band confirmation of the request itself catches it.
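The impersonation tactics described above (a display name matching a known executive but a foreign address, a lookalike of a trusted supplier’s domain, a Reply-To pointing elsewhere) can be screened for mechanically before a message reaches an executive’s inbox. The following is an added example, not code from the original article, the NCSC or Varonis. The directory of known senders, the domains, and the two sample messages are constructed for illustration; a real deployment would load the directory from the organization’s own data. Note what the checks cannot do: mail sent from a genuinely compromised account shows none of these signals, which is why the out-of-band payment verification recommended above is still required.

```python
"""Flag inbound mail that impersonates a known executive or trusted partner.

Heuristics: the display name matches a known person but the sender domain is
not one of theirs; the sender domain is a lookalike of a trusted domain; the
Reply-To address is in a different domain from the From address; an upstream
DMARC check failed. All directory data and sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory (hypothetical names and domains): people who are
# plausible impersonation targets and the domains they legitimately send from.
KNOWN_SENDERS = {
    "jane doe": {"example-corp.com"},          # the CEO
    "acme payables": {"acme-supplier.com"},    # a vendor's finance team
}
TRUSTED_DOMAINS = {d for doms in KNOWN_SENDERS.values() for d in doms}


def normalize_domain(domain: str) -> str:
    """Collapse common lookalike substitutions (0/o, 1/l, 3/e, 5/s, rn/m, vv/w)
    so that 'examp1e-c0rp.com' compares equal to 'example-corp.com'."""
    d = domain.lower().strip().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "olse"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if the domain is
    itself trusted or unrelated. The distance threshold of 2 is a tuning
    choice; lower it if short trusted domains produce false positives."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(norm, normalize_domain(trusted)) <= 2:
            return trusted
    return None


def analyze(raw: str) -> list[str]:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    key = re.sub(r"\s+", " ", name).strip().lower()
    if key in KNOWN_SENDERS and domain not in KNOWN_SENDERS[key]:
        findings.append(f"display name '{name}' is a known sender but address is {addr}")

    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} resembles trusted domain {imitated}")

    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To {reply} is outside the From domain {domain}")

    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        findings.append("upstream DMARC check failed")
    return findings


# Constructed sample: a whaling attempt against the CFO from a typo domain.
SAMPLE_WHALING = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: ceo.office@freemail.example
To: cfo@example-corp.com
Subject: Urgent wire before close of business
Authentication-Results: mx.example-corp.com; dmarc=none

Please process the attached invoice today and confirm by reply.
"""

# Constructed sample: a genuine message from the real account; no findings,
# which is exactly the gap a compromised real account would exploit.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Board deck
Authentication-Results: mx.example-corp.com; dmarc=pass

Draft attached.
"""

if __name__ == "__main__":
    for label, sample in (("whaling", SAMPLE_WHALING), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample) or ["no findings"])
```

Run as a script it prints three findings for the first message and none for the second. The normalization step is deliberately applied to both the suspect and the trusted domain before comparison, so a legitimate domain that happens to contain “rn” is not penalized.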