What is whaling? Here’s how hackers catch the big fish

Ray Fernandez

Aug 29, 2023 · 5 min read


It’s a well-known fact that when fishing, you maximize your chances by casting a wide net. On the other hand, if you’re hoping for bigger fish, the best tool is a spear. In theory, you could even try to harpoon a giant whale. When it comes to cyberattacks, criminals use the same approach in phishing, casting a wide net to attempt to trick as many users as possible into giving away their passwords. But when phishing is not random, but customized to target specific persons, it is called “spear phishing.” Whaling is a subset of spear phishing scams. But, what exactly is whaling in cybersecurity? Let’s dive into the issue. 

So, what is whaling in cybersecurity?

Whaling is a type of phishing in which an attacker designs an attack with a specific victim in mind. Common targets are celebrities, public figures, senior-level employees and C-suite executives in the workplace, and other high-level individuals.

This type of attack is more complicated to produce than ordinary phishing attacks. Still, the benefit for hackers is that if they succeed, the reward is much higher. Through these kinds of attacks, cybercriminals can gain access to precious data, large financial assets, or trade secrets.

Whaling and phishing: what’s the difference?

The number one difference between phishing and whaling is the target. Phishing campaigns are massive, generic, and done in bulk. These campaigns do not usually require any kind of previous research on the intended victims. 

On the other hand, to run spear phishing attacks, hackers must do exhaustive research on their targets and learn as much as possible about them in order for their attacks to work. While generic phishing campaigns may send hundreds of millions of malicious emails in a single day, the number of attacks in whaling is usually very low, as they zero in directly on high-priority targets.

Other differences between whaling and phishing include the level of technology used and who the attacker impersonates. Because whaling usually targets systems with higher levels of security, the tooling behind it needs to be more sophisticated than what it takes to hack a Gmail account. Finally, in whaling attacks, criminals may take time to build trust with a victim before attempting to exploit their security weaknesses. As such, the social-engineering effort required to run a whaling scheme is considerable.

Notorious examples of whaling attacks

The consequences of whaling attacks are severe, ranging from reputation loss to bankruptcy. There have been several well-known cases in the past years, and unfortunately, the number of whaling attacks continues to rise.

Some famous attacks include:

  • Levitas Capital: In 2020, the Australian hedge fund Levitas Capital was forced to close after a major client, Australian Catholic Superannuation, withdrew its funds. The attack began when the fund cofounder opened a fake Zoom invite. The fund lost approximately $800,000 in an attack that targeted $8.7 million.
  • FACC: The CEO of FACC, a supplier of Boeing and Airbus, was fired in 2016 in the wake of an attack that cost the company $58 million. The CEO, who had significant access to secure systems, was targeted in a whaling campaign.
  • Mattel: In 2015, a finance executive from toy giant Mattel wired $3 million to a hacker after receiving a fake invoice that impersonated the new CEO.
  • Snapchat: Snapchat’s payroll department was hit with an attack in 2016. The attack began when the department received a fake email impersonating the company’s CEO asking for confidential payroll information.

How to protect yourself from whale phishing

Due to the advanced nature of these threats and the high risks involved, awareness is essential to preventing breaches. Workshops and training sessions on general phishing scams aren't enough on their own. High-level workers must be educated on the specifics of whaling attacks, which requires additional security tips and technologies.

Train top executives

Executives who operate with the support of dedicated security teams may feel like they can skip cybersecurity training. However, it's essential that they are educated on this issue. Whaling cyber awareness involves training and workshops designed to give C-suite executives and high-level workers the security tools they need to fight this rising trend.

At-risk individuals need to know how to verify a message’s source, links, and the sender’s address. Additionally, they must know how to identify fake websites and detect suspicious activity. Training sessions should also include outlines on how to keep up to date with security software and when to update.
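As an added example that is not part of the original article, the Python script below applies the verification points above to a single message: it checks whether the sender's display name matches the known address of the executive it claims to be, whether Reply-To points to a different domain than From, and whether each link's visible text matches its real destination. The executive directory and the sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed directory: executives whose names an impersonator would borrow,
# mapped to the only addresses that may legitimately carry that display name.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Constructed sample: a CEO-impersonation mail with a lookalike sender domain,
# an off-domain Reply-To and a link whose label hides its real destination.
SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.invalid
Subject: Urgent wire before the board call
Content-Type: text/html

<p>Please approve today: <a href="http://examp1e.com/pay">https://portal.example.com/invoice</a></p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
    def handle_data(self, data):
        if self._href is not None:
            self.links.append((self._href, data.strip()))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def _domain(value):
    """Domain part of an e-mail address or URL, lower-cased ('' if none)."""
    m = re.search(r"@([\w.-]+)|://([\w.-]+)", value)
    return (m.group(1) or m.group(2)).lower() if m else ""

def check_message(raw):
    """Return the list of whaling red flags found in one RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:          # borrowed display name
        flags.append(f"display name '{name}' but address {addr}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != _domain(addr):  # replies go elsewhere
        flags.append(f"Reply-To domain {_domain(reply_to)} differs from From")
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:                  # label vs. real target
        if _domain(text) and _domain(text) != _domain(href):
            flags.append(f"link text shows {text} but points to {_domain(href)}")
    return flags
```

Running `check_message(SAMPLE)` reports all three red flags; a genuine message from the directory address with matching links returns an empty list.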

Executives must also know how to protect their personal information and keep their private life private. Because whaling involves research on the target, the knowledge of how to handle personal information with care is essential. And top-level workers must know what to do before, during, and after an attack.

Level up antimalware and support

It’s critical for organizations to keep up to date with the latest protection. IT and security teams should level up their antimalware and security initiatives. Running penetration tests, in which white hat hackers simulate attacks, is also very useful.

Additionally, automated phishing and whaling simulations can help security and executives alike understand what they are up against. Organizations must ensure that they have support and security solutions in place to shut down an attacker before the real damage is done.

Enforce data and social media policies

Companies should have strict data and social media policies for their workers, especially those who lead the organization. Who can access data? What data can they access? These are questions that leaders must be able to answer. More importantly, data policies should cover encryption of data at rest, in use, and in transit. Encryption makes stolen data far harder to exploit, even when an organization is breached.

Finally, what gets posted online is also very important. Hackers behind these attacks do most of their research on their targets on social media, so it's wise for workers to know the good practices for posting content online.

What should you do during a whaling attack? 

If you are a victim of whaling, follow these steps:

  1. Notify your workplace’s security team immediately.
  2. Go offline if your device has been breached. Hackers use breached devices to spread through the network.
  3. Find a secure computer where you can reset your passwords and back up your data.
  4. Keep in touch with your company’s security team and follow their instructions.
  5. Notify the relevant authorities, your board, or coworkers.
  6. Run malware scans and launch contingency security plans.

The knowledge that cybercriminals could specifically target you may feel overwhelming and scary if you are a top-level executive or a very well-known figure. However, simple security steps can help you prevent attacks and understand what to do during and after one. Overall, prevention and proactive defensive security are the answer to whaling.

Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.