What is Whaling (Whaling Phishing)? & How to Prevent Whaling attacks?
- by Brittany Day
Imagine this: You receive an email that reads “Hi Joe, I need you to do a transfer for me before EOB. Please email the required details you will need.” Would you question the legitimacy of this message? Would you reply?
Although an email like this may come across as fairly typical and harmless, there is a good chance that it is a whaling attempt which could have devastating consequences for you and your company.
A whaling attack, also known as whaling phishing or a whaling phishing attack, is a highly dangerous and deceptive variation of phishing designed to target high profile executives, or “whales”, in order to steal sensitive information from a company, as those that hold higher positions within the company typically have complete access to sensitive data. The goal is to manipulate the victim into authorizing high-value wire transfers to the attacker. Unlike traditional phishing campaigns, whaling doesn’t involve employees clicking on links or becoming infected with malware. Rather, the goal of a whaling attack is to trick an individual into disclosing sensitive information through social engineering, email spoofing and website spoofing techniques. In comparison, conventional non-whaling phishing is typically an attempt to obtain someone’s login information to a bank or a social media account. The ultimate goal of all phishing campaigns, including whaling, is to scare recipients and convince them that they need to take rapid action in order to avoid consequences such as legal fees, bankruptcy, getting fired from their job, etc.
Whaling attacks are often successful because attackers are willing to devote extensive time and effort to constructing these campaigns due to their potentially high returns. As a result, threat actors conduct in-depth research on victims in order to make their fraudulent emails seen as real as possible. Attackers gather information including birthdays, pictures, hobbies, promotion announcements and relationships via social media, the Internet or compromised email accounts and use this information to craft incredibly convincing campaigns. And these campaigns have the potential to do significant damage. The FBI has reported that since 2013, over $12 billion has been unwittingly sent by 78,617 companies through the successful exploitation of CFOs and finance leaders in the U.S., UK and Europe.
Did you know: Since spear phishing is a highly targeted variation of phishing, whaling may also be considered spear phishing.
How Does a Whaling Attack Work?
Whaling attack involves a fraudulent email or web page that masquerades as one that is authentic and urgent. Whaling messages are crafted to look like a critical business email from someone with legitimate authority.
A whaling attempt may look like a link to a regular, familiar website. When you click on a malicious link which directs you to a fraudulent website, a login page likely prompts you for your username and password. When you try to submit your information into the login fields, you're likely told that what you entered was incorrect and that you should try again. This is the scam!
The information that you entered into the fake site is sent to the attacker and then you are redirected to the legitimate website. This time, your username and password (which were correct in the first place) work just fine. However, the attacker now has your username and password to this website and you have no idea that this information has been compromised.
Other whaling attempts may trick you into downloading a malicious program in order to view a document or image. The program is then used by the attacker to track everything you type or delete things from your computer.
A Serious, Persistent Threat that Does Not Discriminate
Recently, threat actors have been imitating high-level executives in the shipping industry in costly whaling campaigns. However, whaling attacks are a threat to businesses of all sizes across all industries. In one notorious 2016 whaling attack, a Snapchat employee received an email from a threat actor pretending to be the CEO. The employee was tricked into giving the attacker payroll information. Another high-profile whaling attack from 2016 involved a Seagate employee who unknowingly emailed income tax data to an unauthorized third party. This resulted in the compromise of personal information of thousands of individuals. While whaling attacks that target smaller companies are less prevalent in the media, they still occur on a regular basis and can have devastating implications for a small or medium sized business.
How to Recognize a Whaling Email
Whaling emails are crafted utilizing advanced social engineering tactics to target and deceive users; however, there are various best practices that individuals should implement which will increase their chances of recognizing these dangerous emails:
- Evaluate the sender’s email address: Does it look correct? Are there added letters and/or numbers within the username? Does it use the correct domain?
- Check for spelling and grammatical errors in the subject line and the body of an email. Errors can indicate that an email is not authentic. Also, keep an eye out for suspicious subject lines and signatures.
- If an email appears suspicious in any way, make a phone call to the sender to confirm the legitimacy of the message.
The image below is a whaling email which was identified and quarantined by Guardian Digital EnGarde Cloud Email Security. At first glance, it may look like a legitimate email from a CEO or a CFO to an employee; however, there are multiple “red flags” that indicate that this is a whaling email. Some indications that this is a fraudulent email include:
- Suspicious “Reply to” address
- Urgent tone: trying to convince the recipient to act without thinking things through
- No signature
These are several indications that this is not a legitimate email which users may not be aware of or remember to look for in every message that they receive. Thus, an advanced, threat-ready cloud email security is imperative to effective business email protection.
Best practices to prevent successful whaling attacks:
- Check carefully for spoofed email addresses or names. Make sure that the sender’s email address perfectly matches the company name and format.
- Be aware of what you click on. Stop and think before responding to any email you receive.
- Review all URLs you receive via email in your web browser. By determining whether anything looks suspicious, you can greatly decrease your chances of being attacked.
- Prioritize effective security awareness training.
- Review existing processes, procedures and separation of duties for financial transfers and other important transactions such as sending sensitive data in bulk to outside entities.
- Consider new policies related to “out of band” transactions or urgent executive requests.
- Review, refine and test your incident management and phish reporting systems.
- Be wary of any communication that is exclusively e-mail based and establish a secondary means of communication for verification purposes.
- Be mindful of phone conversations. Whaling victims have reported receiving phone calls from threat actors requesting personal information for verification purposes.
- Executives should take special care when sharing information online or on social media sites like Facebook, Twitter and LinkedIn. Details such as birthdays, hobbies, holidays, job titles, promotions and relationships can all be used by threat actors to craft more sophisticated campaigns.
- Invest in a comprehensive, fully-managed cloud email security that provides complete, end-to-end protection and utilized advanced encryption methods including DKIM, SPF and DMARC.
How to Report Phishing:
If you receive any type of phishing email, report it immediately. The information you give is critical in fighting scammers. Follow these steps to report a phishing email:
Step 1. If you received a phishing email, forward it to the FTC at This email address is being protected from spambots. You need JavaScript enabled to view it. and to the Anti-Phishing Working Group at This email address is being protected from spambots. You need JavaScript enabled to view it..
Step 2. Report the phishing attack to the FTC at ftc.gov/complaint.
Do Executives and Managers Really Fall for These Email Scams?
Yes, unfortunately it is extremely common for managers and executives to fall for whaling scams. In the notorious 2008 FBI subpoena whaling campaign, approximately 20,000 CEOs were attacked and about 2,000 of them fell for the whaling scam by clicking the link in the email. They were convinced that doing so would download a special browser add-on to view the entire subpoena. The linked software was really a keylogger that secretly recorded the CEOs’ passwords and forwarded those passwords to the attackers. As a result of this successful attack, each of the 2,000 compromised companies was hacked even further once the threat actors had obtained the information they were after.
It is especially important that finance, payroll, and human resources departments stay alert for these scams, as almost 50 percent of whaling campaigns target the CFO and 25 percent target HR inboxes.
What is your company doing to protect against whaling? Have you or someone you know ever received a whaling email? We’d love to hear your story.
Please reach out to us on social media: Twitter | Facebook
Stay tuned for our next Email Threats Explained blog post on ransomware!
Blog Articles
-
2021
- Thinking Strategically about Email Security in 2021 and Beyond
- There’s a Lot to be Gained with Effective Email Security
- Behind the Shield: EnGarde Cloud Email Security Explained
- Open Source: A Powerful, Yet Underutilized Weapon against Phishing & Zero-Day Attacks
- Buyer's Guide: What to Prioritize in an Email Security Solution
- Buyer's Guide to Office 365 & Workspace Email Security
- EnGarde Cloud Email Security: The Logical Solution to Cyber Risk in Office 365
- Exchange Servers Are Vulnerable - Learn How To Secure Your Email Server Now
- Top Email Security Risks in 2021 - How To Set Your Business Up for Safety & Success
- Ransomware By The Numbers: How Big Is My Risk?
- SMB Ransomware Warnings & How To Prevent an Attack
- Apache SpamAssassin 3.4.6 Release Fixes Two Potentially Aggravating Bugs
- Top Tips and Advice for Staying Safe Online in a Work-from-Home World
- Demystifying Phishing Attacks: How to Protect Yourself Now
- Why Your Business Needs Better Email Security
- Why Ransomware is a Threat to Business
- How to Protect Sensitive Data & Maintain Client Trust in Financial Services Industry
- Why Office 365 Users Are Moving Away from Relying on Default Email Protection Alone
- What You Need to Know to Shield Your Business from Ransomware
- Why You Need DMARC to Secure Email against Spoofing Attacks & Sender Fraud
- Biden's Cybersecurity Efforts Highlight the Power of this Key Technology
- Shortcomings of Endpoint Security in Securing Business Email
- Open Source Utilization in Email Security Demystified
- Limitations in Native Capabilities of Office 365 Email Protection
-
2020
- Effectively Securing Business Email Accounts: Are Employees the Weakest Link?
- Encryption: An Essential Yet Highly Controversial Component of Digital Security
- Business Email Security Redefined: Key Benefits of Securing Your Business Email with Guardian Digital
- 8 Business Email Security Best Practices
- Demystifying Email Encryption: Stop Sender Fraud
- Demystifying Tax Fraud: How to Avoid Falling Victim to Deceptive, Costly Scams This Tax Season
- Coronavirus Phishing Scams are On the Rise - Is Your Business Email at Risk of Infection?
- Dave Wreski: A Passionate Engineer Brings the Power of Open Source to Business Email Security
- FBI: Existing Cloud Email Protection Inadequate Against Phishing, Ransomware
- Email Risk is Universal: Securing Business Email in Every Industry Sector
- The Remote Worker's Guide to Safely Navigating Office 365
- Why Your Business Needs Better Email Security
- Defending Against COVID Email Spoofing Attacks with DMARC
- You’ve Got Mail: How To Tell If It’s Fraud
- Open-Source Security Is Opening Eyes
- Think Like A Criminal: How To Write A Phishing Email
- The Four Biggest Email Threats Your Business Faces Today
- Everything On DocuSign Phishing Attacks in 3 Minutes
- Understanding Payload-Less Email Attacks in Under 3 Minutes
- Demystifying Fileless Malware in Less than 3 Minutes
- Apache SpamAssassin Leads A Growing List of Open-Source Projects Taking Steps to Correct Instances of Racism and White Privilege
- Cyber Risk Is Greater than Ever in the Legal Industry
- Understanding Malicious URL Protection - And Why You Need It to Secure Your Email
- Email Security for SMBs Beyond COVID-19
- Email Risk Is BIG for SMBs - How To Protect Your Business Now
- Why Email Security Is More Important Than Ever in This 'New Reality'
- The Threat of CEO Fraud Extends Beyond the C-Suite
- Top Email Security Trends Putting Your Business at Risk of Attack
- Think Like A Criminal: What You Need to Know About Social Engineering Attacks in 2020
- Managed Services: A Key Element of Effective Email Security that Even Modern Solutions Lack
- How to maintain security when employees work remotely: Advice from Leading Security Experts
- FBI: The 2020 Presidential Election Is Under Attack by Email Scammers
- AT&T Security Researchers Identify a Correlation between Strong Cybersecurity and Business Success
- The Aftermath of a Cyberattack Pt. 1: Phishing Recovery Basics
- It Pays to be Prepared! Ransomware Preparedness & Recovery Basics
- Breaking Down Fileless Malware: Anatomy of an Attack
- Keep the Holidays Merry & Bright - Beware of These Sneaky Seasonal Phishing Scams
- Migrating Business Email: The Hidden Complexities You Need To Know
- SPF, DKIM & DMARC: Definition & How They Secure Email Against Sender Fraud?
-
2019
- Your Current Approach to Email Security May Not Be Enough
- Ways to Prevent Email Account being compromised in a Breach
- Celebrating 20 Years of Revolutionizing Digital Security
- IBM Closes its $34 Billion Acquisition of Red Hat
- Interview with Security Expert and Author Ira Winkler
- What is Phishing Email? How to prevent Phishing email scams?
- Ways Our Business Email Exceed Your Expectations
- Spear Phishing Protection - Definition & How To Recognize Spear Phishing Email
- What is Whaling (Whaling Phishing)? & How to Prevent Whaling attacks?
- Business Email Compromise (BEC) - Definition & Prevention From BEC Attacks
- Wire Transfer Scams Involving Real Estate Transactions: How to Prevent Fraud with Effective Email Security
- Guardian Digital and Mautic: A Dynamic Open-Source Duo
- Email Malware - How to Recognize & Prevent Malware Email Attack
- An Open-Source Success Story: Apache SpamAssassin Celebrates 18 Years of Effectively Combating Spam Email
- What is Spam Email - Types & How to Prevent Spam Emails?
- 2020: A New Decade of Digital Threats - Is Your Business Email Secure?
- Linux: An OS Capable of Effectively Meeting the US Government’s Security Needs Heading into 2020
- Complete Guide on Email Security & Threats Faced by Organizations
- Email Virus - Complete Guide to Email Viruses Plus Best Practices
- What Are Zero-Day Attacks & How Can I Prevent Them?
-
2018
- Guardian Digital Keeps its Customers Protected from Intel Design Flaw
- Security Spotlight: Open Source Email Security Solutions
- Top Six Advantages of Open Source Development/Products
- Python and Bash - Contenders for the most used scripting language
- Guardian Digital Outlines Top 4 Benefits of Choosing Cloud
- Unrivaled Protection Against Today’s Most Dangerous Threats
- Guard Your Email Accounts Against Today’s Most Dangerous Threats
- Security Highlights from Defcon 26
- Linux / Open Source FAQs: Common Myths / Misconceptions
- Email Security FAQs Answered by Guardian Digital
- Guardian Digital Mail Systems: Designed to be Secure Without Fail
-
2007
