Worse Than Phishing: What Is a Whaling Cyberattack?

You may have heard about "phishing" already, but do you know about its more advanced brother, "whaling?" It's a good idea to study up on whaling, as its effects can be far more destructive than phishing!

Let's take a look at what whaling is, and how it can affect you.

What Is Whaling?

A hook through a credit card to represent phishing

The Difference Between "Whaling" and "Phishing"

Whaling, by itself, is not an advanced technique. At a basic level, it's a more complicated means of phishing. It's the logistics behind it, however, that make whaling potentially devastating to users.

Whaling takes the flaws of phishing and refines it to trick people into doing what the hacker wants. The main problem with regular phishing is that they tend to be ineffective. The public has become efficient at spotting a phishing attack, so they're not as effective as they once were.

As a result, hackers have had to escalate their efforts to trick others. People always advise against trusting things sent by friends, family, and co-workers. Hackers exploit this trust to scam people through whaling.

Whaling is when a hacker digitally targets someone in a senior position in a company. Usually, the hacker will harvest information on the person to find out more about them. They may also gain access to the company's network and do some investigating on how the company operates.

How the Information Is Used

Once they have all the info they need on the senior manager, they hack into their account and get a hold of their email or messaging services. From there, they can message the people who work under the manager to scam them.

If the hacker can't gain access to the company's network or accounts, they may instead attempt impersonation. This tactic involves recreating an email address that's very similar to the person they want to impersonate, then sending emails to their employees from it.

This method has a higher chance of getting caught up in a spam filter or being blocked altogether if the company operates a whitelist, but it can sometimes work for them.

How Hackers Benefit From Whaling

Sensitive data that hackers steal when whaling — Confidential papers just shredded for security protection

Of course, a hacker wouldn't go out of their way to do all this without expecting something in return. The primary objective of the hacker is to extract money from the employees by asking them to transfer funds to the "manager."

If a hacker has done his homework, he will impersonate the voice and tone of the manager to make their attack more believable. He'll ask people to wire money to a specific account, claiming that it's for business reasons.

A hacker may attempt something a little sneaker instead. After all, asking people to wire them money could raise eyebrows! Sometimes, information can be worth more than a single payout, and hackers will ask for sensitive data they can use to earn some extra money.

A few years ago, The Guardian reported on a whaling attack where an HR employee received an email from a hacker pretending to be the CEO. The hacker asked the employee for the company's payroll info, to which the HR employee replied with all of the details. The hacker now had payment details of everyone hired at Snapchat.

How Much Damage Does Whaling Do?

Now we know the details on a whaling attack, but how many companies fall for them? Do companies quickly catch out these attacks, or are hackers earning a pretty penny by taking advantage of these businesses?

Forbes reported that, since 2013, an estimated $12 billion had vanished from just under 80,000 businesses through whaling. Not only that, but Varonis said that whaling went up 200% in 2017 alone, showing that hackers are warming to the idea of going big phishing.

How to Protect Yourself From Whaling

Secure Company Policies

Ideally, a whaling attack shouldn't happen in the first place! A good company security policy is an effective means to keep the hackers at bay.

For one, user accounts should be secure enough to prevent hacking attacks. Robust passwords and additional countermeasures against intruders (such as two-factor authentication) should keep the whalers from breaking in.

Companies should also set up their internal email system to suspect any mail arriving from outside the intranet. Even the most convincing imposter email will fall foul to a blacklist and flagged before it can do any damage.

Protect Data and Money Transfers

Ideally, the processes behind sending data and money should be secure enough to prevent it from leaking outside the company. Failure to cover this may lead to disgruntled employees taking a little extra for themselves!

Always handle data and money in the most secure way possible. That way, if someone does get fooled by a whaling attack, the transaction will be flagged by the system before the hacker manages to get their hands on the prize.

Practice Vigilance

When all else fails, and a hacker targets you for a whaling attack, you can do your part by practicing diligence.

A whaler will try to attack your sense of motivation by contacting you from the position of a higher-up. That way, when they ask you for sensitive information, you'll feel the need to send it to them without a second thought.

If a manager you know suddenly starts asking you for cash or personal information, it's worth double-checking the name and email address for any oddities. If something seems off, try contacting the boss outside of email to see if the transaction is legitimate.

Using a Secure Email Service

A whaling attack can only take place if a hacker gleans enough information to perform the attack. If you lock them away from this information, they don't have the tools they need to infiltrate the company. As such, you should analyze how secure your email service is, and if it does a good job defending itself from snooping.

If you're a little stuck on what services to choose, keep an eye out for secure and encrypted email providers that put your privacy first. An email provider that doesn't take care of your connections carries a risk of leaking sensitive data, which a hacker can use to stage a whaling attack.

Staying Safe From Identity Theft

Whaling is the larger sibling of phishing on every level. From the size of the target to the potential rewards it holds, whaling can be a significant problem for businesses and employees alike.

Want to know what kind of information hackers hunt down? Try our guide to the pieces of information that hackers target the most.