Stop Your Business from Becoming a Whaling Statistic
Whaling attacks are continuously on the rise. In 2018, the FBI estimated that the cost of such phishing scams to businesses surpassed $12.5 billion, and one in four businesses suffered a whaling attack. A year later, the FBI announced that the frequency of whaling attacks had doubled.
In short, it’s impossible and dangerous to ignore the risk of whaling scams.
Big Phish: How Whaling Attacks Work
In many ways, whaling attacks are similar to ‘regular’ phishing scams. The main differentiator is that they target high-profile executives who offer access to company assets and decisions. Steven Malone, Security Product Management expert, described the attackers’ conduct this way: “Their new target is senior executives with authority to make large payments for their company and they are prepared to put time and effort into deceiving them.”
There are two prominent types of whaling attacks to focus on:
- Identity theft: A type of attack in which cybercriminals study a specific company executive and impersonate them in order to deceive employees, service providers, and business partners. Research in the field shows that more than half of security professionals are aware of executives at their company who were impersonated in the past 12 months.
- Access theft: These attacks approach executives themselves directly via a scam email, message, or another form of communication. Attackers send a fake link that gives them access to the company’s systems, allowing them to cause damage, make ransomware demands, and more. For example, last year, executives at the Australian hedge fund Levitas Capital were sent a fake Zoom link that allowed attackers to access the fund’s system and take $800K.
Commander Chris Goldsmid, who heads the cybercrime unit at the Australian Federal Police, stated that whaling attacks are a priority area and "Criminals are clearly using email to exploit trusted relationships in business processes."
In today’s online landscape, and particularly following the digital transformation created by the pandemic, cybercriminals have their pick of channels to use when executing whaling attacks. The methods at their disposal include personalized emails based on information gathered from public and private channels, social engineering techniques, fake websites created specifically for the attack, social media phishing, and more. Investing effort into scamming executives pays off, and hackers carefully tailor each attack to their target.
Generally speaking, whaling attacks don’t require sophisticated technology and can be carried out using relatively low-tech tools. Con artists quickly create fake social media accounts to impersonate executives or scam them, connecting with victims that may include employees and their families. The online world offers a great deal of information that feels authentic enough to mislead victims. Last year, attackers impersonated the Crown Bank CEO's wife and scammed their way to millions of dollars that were not covered by the bank’s insurance. Simple deception is all it takes.
How to Prevent a Whaling Attack
Plenty can be done to detect and prevent these attacks, but it requires a certain level of awareness and the right technology. Here are critical areas to cover:
- 24-hour monitoring: Diligently search the internet for social media accounts that list your executives’ names, or that post their pictures or resumes. Do the same for websites, monitoring the internet for fake pages built around your leadership the same way you do for pages built around your brand.
- Online threat detection and takedown: A comprehensive anti-phishing solution should cover whaling attacks specifically and not only identify the threat but also remove it. Takedown capabilities are a crucial ingredient of any anti-whaling solution for your business.
- Employee training: Employees, and high-profile executives in particular, should learn how to protect their online channels so that personal information isn’t published in ways that make scammers’ lives easier.
As vulnerabilities increase, we recommend downloading our extensive eBook on this topic and encouraging others in your company to do the same. If you want to learn more about whaling attacks and our technology’s ability to stop them, our experts are happy to assist. Together, we can make life safer for executives, employees, and customers.