Phishing is not just phishing. There are different types, targeting different people or groups. The more targeted the phishing, the harder it can be to detect. Whale phishing is a major threat to businesses, so it is important to be aware of the tactics used by cyber criminals to get you and your colleagues to bite the bullet if you want to avoid becoming a victim of a whale phishing attack.
Whale phishing threatens businesses
More and more businesses around the world are being hit by cyber attacks. Phishing is the most common form of cyber attack, affecting both individuals and businesses. Individuals are affected by a traditional form of phishing, designed with universal strategies to fool as many people as possible.
Cyber criminals have evolved phishing to include several different types of phishing, several of which target specific individuals or groups of individuals.
Spear phishing - attacks targeting specific employees
Spear phishing is a targeted form of phishing. Instead of sending out generic emails en masse, cyber criminals carefully research the employees of a company so that they can craft fraudulent emails or SMS messages that appeal to a specific person or group within that company.
This requires more work for the cybercriminals, but more people fall for this type of phishing than traditional phishing because the emails or SMS appear to come from someone they know and because they contain personal information.
Whale phishing - attacks targeting executives
Whale phishing, also known as whaling, is a form of spear phishing targeting high-level employees, such as CEOs or accounting managers. The cybercriminals also research these individuals to tailor their emails or SMS messages. In addition to containing personal information and a "known" sender, the emails or SMSs also deal with topics targeted at high-level employees.
For example, an email may say that the employee's company could face legal action or have its reputation damaged because of a recent public event or act committed by the employees.
Cyber criminals sometimes use advanced technologies for whale phishing attacks. In 2019, a CEO of a UK energy company experienced a phone call from his boss at a German company asking him to rush a €1.5 million transfer to a company in Hungary.
The CEO recognised his boss's voice and immediately transferred the money to Hungary. However, it was not his German boss who had called, but a cyber criminal who had used artificial intelligence to impersonate the boss. This can be done with a technology called deep learning/deepfake. The technology was good enough to make an accurate representation of the German boss's voice.
The cybercriminal transferred the money from Hungary to Mexico, from where it was redistributed. The company never got the money back.
Purpose of whale phishing
The aim of whale phishing is to convince victims either to transfer a large sum of money to the cybercriminal or to steal the company's confidential data. Cyber criminals choose to target high-level company employees with whale phishing attacks to achieve their goals, as these individuals typically have some decision-making power and may not need approval when making a money transfer or invoice payment. Another reason to attack these individuals is that they are often willing to protect the company's reputation if they are threatened with information that could harm the company.
How whale phishing attacks are carried out
Cyber criminals carefully select high-level employees before carrying out a whale phishing attack. They research their victims thoroughly to learn as much about them as possible. Cyber criminals use publicly available information such as social media and Google searches to learn about employees' private lives and their role in the company.
Once the cybercriminal has enough information, they can create a personal and convincing email that looks like it came from a colleague or other employee in the company.
Consequences of whale phishing
The consequences of falling victim to a whale phishing attack are the same as any other type of phishing attack, but it can be on a larger scale, as directors and senior staff often have greater access to data and financial resources. Whale phishing can have huge consequences for businesses of all sizes, as cyber criminals can target both businessish data, personal data and money.
If a person falls for a whale phishing attack, it can result in a very large financial loss for the company. Furthermore, companies typically spend money investigating the attack and possibly compensating customers. Austrian company FACC lost around €410 million in 2015 after a whale phishing attack.
Loss of company or personal data
Through whale phishing, cyber criminals can also gain access to business critical data and sensitive personal data, which not only harms the company, but also the company's customers if their data is exposed. Snapchat was hit by a whale phishing attack in 2016, when an employee transferred current and former employees' personal data to a cybercriminal posing as the CEO.
Damage to company reputation
The damage following a whale phishing attack can be extremely humiliating for the person who was duped by the attack. One consequence may also be that the company's customers or stakeholders lose confidence in the company and therefore choose to abandon it. Levitas Capital, an Australian hedge fund, was duped in 2020 by a fake zoom link in an email containing malware. Levitas lost $5.3 million and its reputation was badly damaged. They lost their largest client and the hedge fund later went bankrupt.
How to identify whale phishing
It is important that all employees in a company keep an eye out for the characteristics of common phishing emails, but senior employees in particular need to be aware of whale phishing emails. Here are some things that can indicate that an email or SMS is fake:
- Small errors in the email address or URL of a link in the email/SMS
- Emails supposedly sent by your company that do not have your company's domain. Instead, they have Gmail, Outlook or other public email addresses
- Inclusion of urgency or intimidation in the email or SMS
- Request to verify personal information - "Do you want to verify your password or bank account number?"
- Requesting money transfers or bill payments to foreign accounts
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.