Whaling is one of the most dangerous phishing scams. In 2021, it cost one company US$61 million in just one email - and there are endless other stories of companies becoming victims.
Crafted from scrupulous research and timed to arrive at the precise moment when they are most likely to succeed, whaling emails are a threat that every senior executive should be prepared to face.
Whether you're a senior manager wishing to stay safe, or an IT professional looking to help safeguard your business, this guide will show you how to spot and reduce the risks posed by the most dangerous whaling attacks.
- What is a whaling attack?
- What tactics does whaling use?
- What does a whaling attack look like?
- How can you stay safe from whaling attacks?
What is a whaling attack?
Whaling attacks are spear phishing scams targeted at high-value persons such as senior business executives.
Emails sent out as part of whaling scams impersonate business contacts of the target executive and attempt to dupe them into performing an action, such as transferring funds or giving up sensitive information.
The danger of whaling attacks stems from their customisation: they lure in the target by any means possible, and often involve extensive research to build a highly believable scam.
As most top executives are constantly busy and receive a multitude of emails every day, without exercising the right caution they are highly likely to fall for a well-crafted scam.
What tactics does whaling use?
Whaling attacks are highly customised scams that make use of whatever knowledge the attacker has on their target. As such, no two whaling attacks are alike. However, there are some common trends that nearly all whaling attacks, at least ones that are likely to succeed, follow.
- Familiarity - Whaling attacks will impersonate a person the target knows, or someone from a company they deal with. This makes it less likely that the email will raise questions in the eyes of the target.
- Urgency - Whaling attacks aim to compromise the target before they have time to think through the money they are transferring or the information they are giving up. Thus, they create a sense of urgency by mentioning overdue payments, unhappy customers, or another reason why the action needs to be carried out without delay.
- Personalisation - Whaling emails almost always address the recipient by name, and are customised for their exact job role and the type of business they carry out. This is one of the reasons that whaling attacks are so difficult to detect and stop.
What does a whaling attack look like?
Here's an example of a whaling attack. The sender impersonates a known associate of the recipient, and attempts to exploit the business relationship by sending a fake invoice. These types of scam are easy to fall for, as many senior executives pay invoices sent to them on a daily basis, and an extra one is easy to slip in, especially if it impersonates someone already known to the target.
How can you stay safe from whaling attacks?
While phishing scams are impossible to stop completely, it is possible to seriously reduce the chances of falling for one, and to mitigate the potential damage that one could cause, by taking precautions against phishing.
- Spam filters and intelligent detection - Technical tools such as spam filters and AI-powered anti-phishing solutions can stem the flow of phishing attacks that make it to your company's inboxes. Whaling attacks can be skillfully crafted, however, and evade most technical solutions that would stop other phishing emails.
- Security awareness training - Training senior executives in the common signs of scams can help them spot and avoid whaling emails. Focus should also be placed on questioning why someone might have sent an urgent payment request or asked for sensitive information.
- Phishing simulation - Sending out simulated phishing emails to senior executives may not stand out as an obvious solution - but testing their skills with simulated emails can seriously improve senior managers' chances of spotting real scams.
- Multi-factor authentication - Instituting multi-factor authentication is one of the most important steps to mitigate the damage that a breach could potentially cause. It adds another layer of security to accounts, ensuring that even if a senior executive's credentials are breached, their sensitive accounts will remain safe.
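The three tactics above (familiarity, urgency, personalisation) and the fake-invoice pattern can be turned into simple mail-filter rules. The following is an added example, not code from the original article or from usecure: it parses one raw message and flags a known contact's display name on a foreign address, a look-alike sender domain, a redirected Reply-To, urgency wording and a payment request. The company domain, the address book and the sample message are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                          # assumption: your own mail domain
KNOWN_CONTACTS = {"Jane Doe": "jane.doe@example.com"}   # assumption: trusted address book
URGENCY = re.compile(r"\b(urgent|immediately|today|overdue|asap)\b", re.I)
PAYMENT = re.compile(r"\b(invoice|wire|transfer|payment|bank details)\b", re.I)

def _edit_distance(a: str, b: str) -> int:  # Levenshtein distance, for look-alike domains
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def whaling_flags(raw: str) -> list[str]:  # indicators found in one raw RFC 822 message
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    text = msg.get("Subject", "") + "\n" + str(msg.get_payload())
    flags = []
    # Familiarity: display name of a known contact, but not that contact's address.
    known = KNOWN_CONTACTS.get(name)
    if known and known.lower() != addr.lower():
        flags.append("display-name-mismatch")
    # Look-alike domain: within two edits of ours (digit for letter, dropped character).
    if domain != COMPANY_DOMAIN and _edit_distance(domain, COMPANY_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    # Replies quietly routed to a domain other than the visible sender's.
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        flags.append("reply-to-mismatch")
    # Urgency paired with a money or data request is the social-engineering half.
    if URGENCY.search(text):
        flags.append("urgency")
    if PAYMENT.search(text):
        flags.append("payment-request")
    return flags

def is_whaling_candidate(flags: list[str]) -> bool:  # payment request + identity anomaly
    identity = {"display-name-mismatch", "lookalike-domain", "reply-to-mismatch"}
    return "payment-request" in flags and bool(identity & set(flags))

# Constructed sample (not real mail): known contact name, look-alike domain, urgent invoice.
SAMPLE_WHALING = ("From: Jane Doe <jane.doe@examp1e.com>\nSubject: Urgent: overdue invoice\n\n"
                  "Please process the attached invoice today, the supplier is unhappy about the delay.\n")
```

A message that only asks for a payment from the contact's real address is not escalated; the combination of a request with an identity anomaly is what routes the mail to a human check.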
Protect your company from whaling attacks today
Senior executives are highly valuable targets for cyber scammers. It's essential that executives understand the risk, and what they can do to help keep their company's funds and sensitive information safe.
usecure's security awareness training and phishing simulation allow senior executives to learn all they need to know about staying safe - and to test themselves against realistic scam simulations in their own email inboxes.