In this blog post, we discuss the whaling attack, which has evolved over the last couple of years to target top-level executives, such as senior executives at a corporation. Whaling attacks have seen a sharp rise and are expected to keep rising: according to the FBI, these attacks resulted in losses of more than $12.5 billion during 2018 (see our other article, Whaling Attacks are on the Rise).
1. What is Whaling?
Whaling is another malicious member of the Social Engineering family, which also includes phishing, spear-phishing, baiting, pretexting, watering holes and tailgating. Whaling is a cyber attack using a more targeted version of spear-phishing, concentrating on a particular individual (usually a high-ranking C-suite executive such as a CFO or CEO) rather than a single organization. The word Whaling comes from the size of the target in terms of authority, reputation and seniority within the organization, usually with access to the most commercially sensitive and important corporate information and data: the cyber criminal waits with their hacking harpoon to mount their cyber attack and scam. The bigger the target, the harder they fall, and the bigger the illicit rewards of a successful attack, with potentially devastating consequences for the individual, their organization and its shareholders.
2. What are Whaling Techniques?
Whaling attacks are executed via malicious email campaigns or fake websites, using simple email phishing templates to fool the innocent, unsuspecting victim into unintentionally revealing sensitive data, either personal or belonging to their organization.
When the fraudulent email is received, the victim believes it has come from a trusted source and, without a second thought, reacts to the email as if it were legitimate. The purported sources can be organizations in government, finance, banking or charities, a longstanding supplier, or other organizations in the same sector as the victim’s.
These phishing emails look like the real thing, with the right logo, corporate design, names, email addresses and job titles, right down to the correct social media links such as Instagram, Facebook and LinkedIn. Common business jargon and terminology is inserted into the phishing emails as well, to fool the victim into accepting it as an everyday, normal email with nothing to fear.
Whaling relies heavily on the psychological manipulation behind Social Engineering to make the victim take certain actions, which can be harmful to the individual and their organization. A CFO in the midst of a corporate takeover battle will have their defenses down due to stress, and the cyber attacker will be aware of that stress and behavior at this key strategic moment, preying on the human emotions of uncertainty, greed, fear and urgency. With carefully crafted phishing emails, the scammer can take advantage and strike to gain access to corporate systems and networks, dealing a potentially fatal data breach through the information security perimeter and attack surface.
More phishing attacks are being reported that involve phone calls following up the fraudulent email. This social engineering method is known as cyber-enabled fraud; the call is used both to "verify" the email request and to lull the victim into a false sense of security about the phishing email received, as they now have real-life confirmation that gives the impression it is a normal email which needs to be actioned.
3. Whaling Attacks Real Cases
Whaling attacks are breathtakingly simple in planning and execution and bring the rich promise of big rewards, which is leading them to become a highly favored method of social engineering attack. As these phishing-style attacks are so personalised and targeted, they are very difficult to identify and record.
What case studies we do have in the public domain are those involving some very high profile corporate victims such as Snapchat, Seagate, FACC, Pathe and Mattel. We examine three of these in more detail:
Snapchat, the social media messaging giant, fell victim to a concerted whaling attack in 2016. Despite it being company policy NOT to open or click on suspicious, phishing-looking emails, someone did, and cyber carnage resulted. The hacker’s phishing email template worked perfectly: the unwitting Snapchat employee was taken in completely by an email purportedly from the CEO, Evan Spiegel, requesting payroll information. No phishing alerts were sounded and the payroll department employee was duped into divulging the information to the attacker, who then proceeded to execute the next stage of their plan and gain access to the payroll information of Snapchat’s previous and present employees. The company maintained that no internal systems were breached and no employees’ information was compromised.
2018 was definitely a year to forget for the cinema company Pathe. The year began with their Twitter account being hacked and used in a cryptocurrency scam. A couple of months later, in March, it got even worse for Pathe as they became the victim of a BEC (Business Email Compromise) whaling attack: the CFO received a phishing email which led to their Dutch subsidiary eventually losing €19 million ($21.5 million). The initial request for 800,000 Euros received some quizzical looks from the CEO and CFO, but it was waved through, as were the next few similar requests. Only when the head office raised the subject of these payments did the fraud come to light. The CEO and CFO involved were fired, and this whaling attack only came into the public eye after they took the company to court for wrongful dismissal.
The Austrian airplane parts supplier FACC was the victim of one of the biggest cyber crimes to hit the corporate world. In 2018, a staggering 50 million Euros (54 million US Dollars) was siphoned off in a fraudulent cyber attack. While the exact details of the attack are unclear, FACC disclosed in a quarterly report that its accounting department was targeted and was where the fatal data breach occurred. The company’s IT infrastructure, intellectual property rights and production units were unaffected.
4. Techniques to Prevent Whaling
In each of the three cases above, the common denominator was that the department with access to financial and payroll information was the target. While the latest Keepnet Labs Phishing Trends Report confirmed that accounting is one of the departments least likely to click on a phishing link, when they do the consequences can be devastating. Industries found more likely to click on phishing links, and therefore more vulnerable to phishing attacks, are consulting, apparel and accessories, education, technology and conglomerates. To help departments involved in financial transactions and to safeguard payroll information, verification steps and other internal protective processes can be added which help mitigate against fraudulent payments.
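As an added example (not part of the original post and not one of Keepnet's products), here is a header-level check of the kind a mail gateway or a payroll mailbox rule could apply to flag the executive-impersonation pattern described above: a known executive's display name arriving from an address that is not theirs, a lookalike sender domain, or a Reply-To that diverts the conversation. The organisation domain, executive list and both sample messages are constructed.

```python
"""Header checks for executive-impersonation (whaling / BEC) email."""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample organisation: its domain and the executives attackers impersonate.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address


def executive_impersonation_flags(raw_message: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation (empty if none).
    Header-only, defensive checks:
      1. From display name is a known executive, but the address is not theirs.
      2. Sender domain is not ours but closely resembles it (lookalike domain).
      3. Reply-To differs from From, so the victim's reply goes to the attacker.
    """
    msg = message_from_string(raw_message)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    key = " ".join(name.lower().split())
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        flags.append(f"display name '{name}' is an executive but sender is {addr}")
    similarity = SequenceMatcher(None, domain, INTERNAL_DOMAIN).ratio()
    if domain and domain != INTERNAL_DOMAIN and similarity >= 0.8:
        flags.append(f"sender domain {domain} resembles {INTERNAL_DOMAIN}")
    reply_to = [a.lower() for _, a in getaddresses(msg.get_all("Reply-To", []))]
    if any(r != addr for r in reply_to):
        flags.append(f"Reply-To {reply_to} differs from From {addr}")
    return flags


# Constructed messages: a whaling attempt aimed at payroll, and a genuine note.
SUSPICIOUS = """\
From: Jane Doe <ceo.office@examp1e.com>
Reply-To: jane.doe.exec@mail-example.net
To: payroll@example.com
Subject: Urgent: payroll records for all staff

I need the current payroll file before my 3pm call. Send it directly to me.
"""
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Q3 headcount

Thanks for the summary.
"""
```

Any non-empty result is a reason to route the message to the out-of-band verification step the text recommends, rather than to act on it.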
5. Techniques to Increase Cyber Security Awareness
Increasing employee awareness is key to reducing the likelihood of a phishing attack succeeding. With information security tools such as the Keepnet Labs Awareness Educator platform, it is possible to improve your cyber security posture through targeted and tailored cyber awareness training and education, such as gamification. This introduces a competitive element which allows colleagues to measure their response to simulated phishing attacks. Ensure that senior executives at your organisation, such as the CEO, CFO, CDO, CIO and CISO, undergo specific training to mitigate against whaling attacks and prevent them from succeeding.
Cyber security awareness training can be made available not only to the top executives but to all members of an organisation, through phishing simulation software such as the Phishing Simulator by Keepnet Labs. Using phishing email templates, attacks can be simulated and the results then analysed with incident response platforms such as Incident Responder.
6. Sharing Incidents through Communities
Threat Sharing can also add the multiple layers of security needed to stop whaling and other types of phishing attacks, by sharing incident information through communities of like-minded individuals with a common interest in protecting the sectors they work in as well as their own organisations. Keepnet’s Threat Sharing platform allows the flagging of suspected phishing links; this practice of monitoring external email on a consistent and regular basis gives an organisation that extra protective layer.
7. Take Care with Social Media
Other essential measures for executives to prevent whaling and other social engineering attacks are to ensure that as little personal information as possible is shared across social media networks. Such information is used by hackers to help create highly personalised whaling campaigns.