The PhishLabs Blog > The PhishLabs Blog What is Whaling Phishing & How Does it Work?
Subscribe

Get The Latest Insights

By Fortra's Agari | February 2, 2023

“Whaling” phishing fraud attacks target the C-suite of a company which creates high risk of extremely sensitive, mission-critical data being stolen and exposed. Fortunately, protecting the organization from these attacks is possible.

Whaling phishing is a type of phishing attack targeting larger, high-value targets, which is why it’s called “Whaling.” Attackers themselves often pretend to be C-suite executives in emails to colleagues asking for personal or company information.

What Exactly is Phishing?

Phishing is when a bad actor pretends to be someone else through either email or text message in order to trick the recipient into leaking their information, or installing malware. These attacks in general have risen sharply over the years and are one of the biggest threats to network security.

Attackers impersonate well-known brands, and in the case of whaling, pretend to be a trusted leader inside an organization in order to trick recipients into clicking on malicious links or sending sensitive information.

Attackers use a number of different methods to hide their true identity when phishing. Some of those methods include:

  • Sending emails from a spoofed domain
  • Sending emails from a lookalike domain
  • Using stolen brand images in the email to convey trust
  • Using stolen email signatures to look legitimate
  • Hiding malicious embedded links inside innocent looking URLs
  • Using scare tactics and urgency to get recipients to act
  • Pretending to be a key figure within an organization to get recipients to act

While there are plenty of methods attackers use to phish unsuspecting victims, there are equally just as many strategies companies can use to implement phishing defenses.

Let’s take a look at the different types of phishing attacks, and how they compare to whaling.

Phishing vs. Whaling – What’s the Difference?

Simply put, whaling is a more targeted form of spear phishing that exploits the trust of recipients by pretending to be a known authority figure within a company.

For example, attackers will impersonate a C-level executive in an organization, and use that authority to pressure employees and colleagues to take a specific action. These actions can range from sending over financial statements, clicking on fraudulent links, or even wiring money to unknown accounts.

Many phishing attacks are done indiscriminately and are sent to thousands of different people at once. Email scams are a numbers game, so attackers will send emails in bulk knowing only a small percent will fall for the scam.

Whaling, however, takes the complete opposite approach, and focuses on researching particularly lucrative targets like enterprise organizations. Attacks are well-planned and often include using scraped or stolen information, such as names, email addresses, and phone numbers, from the company’s website to understand the hierarchy of the organization and to aid them in planning who they will impersonate. This way, the fake messages appear more legitimate.

Example of Whaling Phishing Emails

What does a whaling campaign look like? Let’s run a mock scenario:

  1. After weeks of research, attackers have gathered information on ABC Company and are ready to begin their Whaling campaign. Once they know the names and email addresses of the C-level executives, they are going to attempt to trick their target into opening an attachment that will silently install spyware in the background.
  2. This spyware will steal company secrets, financial information, and even assets that will aid in future whaling campaigns.
  3. Attackers have registered a fake domain that looks exactly like ABC Company — for example, instead of the real abccompany.com, they create abcconpany.com — a misspelling that is tough to spot.
  4. They then use that email address to impersonate the CEO, and send an email to the accountant. The message states that an invoice is overdue and urgently needs to be paid.
  5. The attachment looks like a real PDF invoice, but is actually a payload that will install malware once opened. And, to make matters worse, the account numbers in the fake invoice are to the attacker’s company, meaning not only does the account install malware, but they also send money to the attacker.

Whaling like the above example can have a devastating impact on organizations of all sizes, as the attack focuses on stealing the most sensitive forms or confidential personal data and financial information, such as tax returns and bank account numbers. This can lead to fraudulent wire transfers, stolen identities, and even more coordinated follow-up attacks.

Common Elements of Whaling Phishing Email

  • “I need a personal favor…” — this type of message ingratiates the recipient to the sender so that they are inclined to  think, “Wow, the CEO is asking me directly to help him/her out!” and as a result, they act on it quickly:
  • “I can’t take calls right now…” or “I’m really busy…” — this discourages the recipient from calling the sender and pushes them to reply to the email without questioning first:
  • “Here’s an overdue invoice that needs to be paid immediately!” — this demands that the recipient expedites the sending of payment for an outstanding invoice, most commonly via wire transfer.
  • Emails with links embedded asking the recipient to open/view a document and often require logging in with their credentials.

How Can I Defend Against Whaling?

Preventing phishing, or more specifically Whaling, is never as simple as installing a program. It takes a dedicated phishing response plan in order to remain protective and minimize the impacts of phishing attacks.

Here are a few steps you can take to prevent whaling:

  • Implement email rules that tag external emails as “outside of the organization.” This helps users know right away when an email is coming from outside the company. This capability is often part of a larger data loss prevention (DLP) solution, such as Clearswift.
  • Create policies and procedures for sensitive tasks such as wire transfers or sending financial information. Having someone approve these requests or use a secondary channel helps catch phishing attempts in action before it’s too late.
  • Implement phishing training across your organization. Staff training uses a combination of fake phishing emails along with customized training to measure how knowledgeable staff members are in email security.
  • Invest in professional defense. There are a lot of moving parts when it comes to defending against whaling attacks. Companies can partner with organizations like Agari to build a phishing defense plan that prevents these attacks from ever making it to the inbox.

Email Phishing

In contrast, email phishing is the most common type of email scam, and is often what people refer to when they talk about phishing in general. It’s estimated that nearly half of all emails sent contain some sort of phishing attack.

These emails can vary in messaging but often pretend to be a legitimate company, or person an organization does business with often. Fake password resets, phony invoices and bogus shipping updates are among the most common types of email phishing attacks.

Read more about Email Phishing tactics >

Spear Phishing

Though similar to whaling phishing, spear phishing focuses its attack on a single organization and uses research gathered online to impersonate companies or individuals that a company frequently does business with. Attackers can impersonate either a trusted third party, or someone that works inside of the target company.

These attacks will target single departments or individuals to try and compromise the company. Everything from the subject line, to the name of the sender can all be tailored and customized to be as familiar to the target as possible.

While email phishing may cast a wide net to try and catch many fish, spear phishing uses a single spear to target one very lucrative fish.

Read more about Spear Phishing >

SMiShing

SMiShing is an attack that uses text messaging (SMS) in order to deliver a harmful message. These can be either targeted attacks or widespread phishing campaigns that attempt to trick users into clicking fake links and entering their information.

The most common forms of SMiShing are fake shipping updates, customer rewards, and, especially recently, messages impersonating the IRS regarding stimulus check updates. SMiShing and Vishing (also referred to as Hybrid Vishing) have gained traction over the last few years — in fact, according to the latest Quarterly Threat Trends & Intelligence report from Agari & PhishLabs, these types of attacks have increased 625% in volume since Q1 2021!

Read more about SMiShing >

Vishing

Vishing is when an attacker uses voice communications to steal information. These usually take the form of a voicemail message claiming that the recipient owes money, has been hacked, or is in legal trouble with the IRS. The goal of these scams is the same of every scam, to obtain information or funds illegally.

Vishing can also take place if a user calls a fake number. Malicious websites create fake pop ups claiming a computer has been hacked, and scaring the user into calling the ‘tech support’ number for assistance. In reality, the computer is not hacked but after a phone call the fake tech support scammer will establish a remote connection and either infect the machine, or pretend to fix the problem in exchange for a fee.

Hybrid vishing attacks also occur when a phone number is added to the body of an email, with language designed to trick victims into calling and communicating sensitive information to a fake representative. According to the Q2 2022 Quarterly Threat Trends & Intelligence report again, hybrid vishing reports increased nearly 550% over the one-year span from Q1 2021.

Read more about Vishing >

How Do I Report a Phishing Attack?

If you’ve fallen victim to an email-based scam, or have been sent a phishing email, there are a few simple steps you can use to report it.

If you’ve received a phishing email, you can forward it directly to the FTC Anti-Phishing Working Group at [email protected]. If the message was a text message you can forward it to SPAM (7726).

You can then report the phishing attack by visiting http://ftc.gov/complaint.

The Agari Advantage

Agari offers a turnkey solution to prevent whaling attacks through automatic phishing response, remediation, and containment. The system utilizes both signature-based security as well as behavioral analysis to stop malicious files and bad actors at the same time.

If you’re looking to learn how to keep your business safe from whaling attacks, learn more about Agari Phishing Response.

Related Insights

Response-Based Email Attacks Reach Inboxes More Than Any Other Threat in Q4

In Q4, Response-Based phishing attacks were the top reported threat by end users, according to Fortra’s PhishLabs.

More than Half of All Phishing Sites Impersonate Financials in Q4

Phishing sites impersonating reputable organizations continue to represent the top online threat to businesses and their brands. In Q4, cybercriminals impersonated Financial Institutions on more than half of all phishing sites.

Digital Journal: Hackers Using Steganography Tactics for Malware Attacks

Read Digital Journal’s interview to learn why steganography is increasingly used in phishing campaigns and how security teams can protect against these attacks.