Whaling attacks explained: How cybercriminals target executives

Author: Stefan Feist, Technical Writer (https://www.linkedin.com/in/stefan-feist-23b257b0/)

Whaling is a form of phishing that targets the “big fish” in a company, i.e., CEOs and other executives who have power, money, information, and influence. In our blog article, you can find out what whaling is, how it works, and how you can protect yourself and your company from whaling.

20.10.2025 | Last edited: 27.10.2025

Who doesn’t know the story of Captain Ahab hunting the white whale Moby Dick? Herman Melville’s novel is about a large and rare creature that becomes an obsession. While Ahab (spoiler alert!) perishes because of this obsession, cybercriminals in the real world are unfortunately often successful.

Whaling is a form of phishing that targets the “big fish” in a company, i.e., CEOs and other executives who have power, money, information, and influence.

Whaling is therefore not an attack on the masses, but a highly precise attack that uses psychological tricks, customized emails, and manipulative scenarios. If the attack is successful, the damage to the company can be enormous – both financially and in terms of reputation.

What is whaling?

Simply put, whaling phishing is nothing more than phishing for particularly important or valuable targets. To be a little more precise, whaling is like spear phishing, which is aimed exclusively at executives. As with spear phishing, the attacks are highly personalized and carefully prepared.

The attackers try to match the writing style of the real sender. They mention current business discussions or other information in their messages to give the impression of authenticity. The targets are therefore thoroughly vetted in advance so that customized, credible emails and documents can be created to serve as bait. This is where the OSINT principle (see below) comes into play, i.e., reading publicly available sources.

In some cases the criminals also spy on the interactions between the sender and the target by hijacking the sender’s real email account, which allows them to send messages directly from it. As with other forms of phishing, the criminals’ goal is to defraud victims of their money, steal sensitive data, or gain access to networks in order to commit even greater fraud later on.

Phishing, whaling, CXO fraud – what are the differences?

As already mentioned, whaling is a sub-form of phishing. Whaling attacks also feature many of the typical characteristics of phishing emails. When we talk about “conventional” phishing, it targets the general public, as in the case of phishing with fake invoices or phishing with fake car brochures.

Spear phishing, on the other hand, targets individuals, and in some cases entire departments or teams. The approach is significantly different: the degree of personalization is high, and social engineering is essential to make the fake emails appear credible.

Even more problematic is that spear phishing is now scalable – thanks to artificial intelligence. Accordingly, there are also large-scale spear phishing campaigns that appear authentic and personalized despite the mass of emails sent.

CXO fraud is closely related to executive fraud, CEO fraud, fake president fraud (FPF), and business email compromise (BEC). All of these terms describe the use of false identities as the basis for a scam; in CXO fraud (also known as CEO fraud), attackers pose as superiors or other decision-makers within a company. They persuade employees to transfer money to their account. In some cases, they impersonate their own supervisor, in others a customer or supplier, for example to send supposed invoices in their name.

Whaling is often successful

While criminals involved in CXO fraud pose as big fish in order to deceive employees below C-level, whaling attacks target the big fish themselves – and are very often successful, as the following two examples show:

Ubiquiti Networks suffered a loss of nearly $47 million in 2015. Attackers convinced the chief accounting officer to make a series of transfers to finance a secret acquisition.

A senior executive at Mattel fell for a fake email that purported to be from the CEO. The executive initiated a transfer of over $3 million, only part of which could be recovered.

What techniques are used in whaling?

Whale phishing uses a mixture of classic social engineering, technical tricks, and targeted research. Here are a few examples of commonly used techniques:

• Gathering information according to the OSINT principle

  OSINT stands for Open Source Intelligence and describes the collection of information from freely available sources, such as LinkedIn, Instagram, or Facebook profiles.

• Spear phishing

  Every day, countless people around the world fall victim to phishing attacks. Criminals use cleverly designed and embellished scenarios to convince people to click on a link or open an attached document. The term spear phishing describes the attempt to use targeted attacks to persuade victims to perform certain actions or disclose information.

• Spoofing

  Spoofing is a tactic that can be used in phishing and other cyberattacks. Email spoofing involves falsifying the sender’s address to make it appear as if the message comes from a trusted source. To do this, the sender’s address is manipulated so that the email appears to come from a well-known company, government agency, or person known to the recipient.

• Pretexting

  Pretexting is a form of social engineering. Trust is built by telling a story that is as convincing as possible – even before the attack. Criminals pretend, for example, that they are working on an important project – a realistic situation for a CEO.

• Urgency and secrecy

  For attacks to be successful, the victim must feel that they need to act quickly – and preferably without further scrutiny from others who might notice inconsistencies. Overall, the characteristics are similar to those of other forms of phishing.

• Deepfakes and vishing (voice phishing)

  Artificial intelligence offers attackers previously unimagined possibilities: with the help of artificially generated voices and videos, victims are even tricked via video chats or phone calls.

How can I protect myself against whaling?

A key aspect of protecting against whaling phishing attacks is a thorough evaluation of the sender’s reputation. Companies should therefore consistently use the SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance) mechanisms. DKIM and DMARC make it possible to ensure the authenticity and integrity of emails.

A correctly configured DMARC policy (“reject”) prevents emails that fail the DMARC check from being delivered by receiving mail servers that enforce the policy. DMARC records are also an effective means of preventing emails from being sent on behalf of your domain by unauthorized senders. Tools such as 25Reports are an indispensable aid in setting up and maintaining your DMARC records. 25Reports takes care of all DMARC monitoring for you – automated, graphically presented, and GDPR-compliant.

In addition, we recommend using modern email security gateways with features such as content filtering, sandboxing, and URL checking. This blocks suspicious emails before they reach the inbox.

In NoSpamProxy, URL Safeguard works together with the metadata service 32Guards to prevent access to links that have been identified as malicious after delivery. This allows links in emails to be rechecked every time they are clicked.

The content filter in NoSpamProxy protects through content disarm and reconstruction: attachments in PDF, Word, and Excel formats are automatically converted into non-critical PDF files based on rules. In addition, active content (JavaScript, Flash) is removed from PDF files. This ensures that the recipient receives an attachment free of malware or ransomware.

Not yet using NoSpamProxy?

With NoSpamProxy Protection and 25Reports, you can reliably protect your company from dangerous whaling emails and benefit from many other security features. Request your free trial now!

© 2025 Net at Work GmbH