Phishing is not just phishing. There are different types, targeting different people or groups. The more targeted the phishing, the harder it can be to detect. Whale phishing is a major threat to businesses, so it is important to be aware of the tactics used by cyber criminals to get you and your colleagues to bite the bullet if you want to avoid becoming a victim of a whale phishing attack.
Whale phishing threatens businesses
More and more businesses around the world are being hit by cyber attacks. Phishing is the most common form of cyber attack, affecting both individuals and businesses. Individuals are targets of the traditional phishing, which is designed with universal strategies to fool as many people as possible.
Cyber criminals have evolved phishing to include several different types of phishing, many of which target specific individuals or groups of individuals - by being customized to individuals, it seem a lot more convincing than the traditional phishing we know.
Spear phishing - attacks targeting specific employees
Spear phishing is a targeted type of phishing. Instead of sending out generic e-mails en masse, cyber criminals carefully research the employees of a company so that they can make fraudulent e-mails or text messages that appeal to a specific person or group within that company.
This requires more work for the cybercriminals, but more people fall for this type of phishing than traditional phishing because the e-mails or SMS appear to come from someone they know and because they contain personal information.
That's why a lot more employees fall into the spear phishing trap - and why you should be cautious of this. Cybercriminals use rootkits to execute their hacking attacks.
Whale phishing - attacks targeting executives
Whale phishing, also known as "whaling", is a type of spear phishing targeting high-level employees, such as CEOs or accounting managers. The cybercriminals also research these individuals to tailor their e-mails or text messages. In addition to containing personal information and a "known" sender, the e-mails or texts also deal with topics targeted at high-level employees.
For example, an e-mail may say that the employee's company could face legal action or have its reputation damaged because of a recent public event or act committed by the employees.
Cyber criminals sometimes use advanced technologies for whale phishing attacks. In 2019, a CEO of a UK energy company experienced a phone call from his boss at a German company asking him to rush a €1.5 million transfer to a company in Hungary.
The CEO recognised his boss's voice and immediately transferred the money to Hungary. However, it was not his German boss who had called, but a cyber criminal who had used artificial intelligence to impersonate the boss. This can be done with a technology called deep learning/deepfake. The technology was good enough to make an accurate representation of the German boss's voice.
The cybercriminal transferred the money from Hungary to Mexico, from where it was redistributed. The company never got the money back.
The purpose of whale phishing
The purpose of whale phishing is to convince victims either to transfer a large sum of money to the cybercriminal or to steal the company's confidential data. Cyber criminals choose to target high-level company employees with whale phishing attacks to achieve their goals. These individuals typically have some decision-making power and may not need approval when making a money transfer or invoice payment which is why they're an attractive target. Another reason to attack these individuals is that they are often willing to protect the company's reputation if they are threatened with information that could harm the company.
How whale phishing attacks are carried out
Cyber criminals carefully select high-level employees before carrying out a whale phishing attack. They research their victims thoroughly to learn as much about them as possible. Cyber criminals use publicly available information such as social media and Google searches to learn about employees' private lives and their role in the company.
Once the cybercriminal has enough information, they can create a personal and convincing e-mail that looks like it came from a colleague or another employee in the company.
Consequences of whale phishing
The consequences of falling victim to a whale phishing attack are the same as any other type of phishing attack, but it can be on a larger scale. The scale gets bigger as directors and senior staff often have greater access to data and financial resources than the general employee. Whale phishing can have huge consequences for businesses of all sizes, as cyber criminals can target both business data, personal data and money.
If a person falls for a whale phishing attack, it can result in a very large financial loss for the company. Furthermore, companies typically spend money investigating the attack and potential compensation to customers. Austrian company FACC lost around €410 million in 2015 after a whale phishing attack.
Loss of company or personal data
Cyber criminals can also gain access to business critical data and sensitive personal data when they use whale phishing - this not only harms the company, but also the company's customers if their data is exposed.
The SoMe platform, Snapchat, was hit by a whale phishing attack in 2016, when an employee transferred current and former employees' personal data to a cybercriminal posing as the CEO.
Damage to company reputation
The damage following a whale phishing attack can be extremely humiliating for the person who was duped by the attack. One consequence may also be that the company's customers or stakeholders lose confidence in the company and therefore choose to stop the collaboration.
Levitas Capital, an Australian hedge fund, was duped in 2020 by a fake Zoom link in an email containing malware. Levitas lost $5.3 million and its reputation was badly damaged. They lost their largest client and the hedge fund later went bankrupt.
How to identify whale phishing
It's important that all employees in a company keep an eye out for the characteristics of common phishing emails, but senior employees, in particular, need to be aware of whale phishing e-mails. Here are some things that can indicate that an e-mail or text is fake:
- Small errors in the e-mail address or URL of a link in the e-mail/text.
- E-mails supposedly sent by your company that don't have your company's domain. Instead, they have Gmail, Outlook or other public email addresses.
- Inclusion of urgency or intimidation in the email or text message.
- Request to verify personal information - "Do you want to verify your password or bank account number?"
- Requesting money transfers or bill payments to foreign accounts.
This post has been updated on 31-07-2023 by Sofie Meyer.
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.View all posts by Sofie Meyer