Whale Phishing

Exploring Whale Phishing, a technique used by cybercriminals. Why should organizations care? How do companies prevent this cyberattack from being successful, and how does a security awareness program help?
Whale Phishing Blows

Here at SKALES we’re keen to raise security awareness, so that others do not fall victim to cybercrime. Phishing, and Whale Phishing in particular, is a dangerous and highly effective technique used by cybercriminals. As security professionals, we need to understand this attack type, learn how to counter it, and inform all employees, from the top to the bottom.

  1. What is Whale Phishing?
  2. Why is Whale Phishing a High Risk Cyber Attack?
  3. Examples of Whale Phishing
  4. How can Security Awareness and a Strong Security Culture Prevent Whale Phishing?

What is Whale Phishing?

To first understand Whale phishing, you must understand phishing. Head over to 25 Terms for Cyber Security Awareness Training to understand what phishing is all about.

Whale Phishing is a specifically crafted phishing message, designed for the C-board (the “big fish”) of an organization. This includes individuals such as the Chief Executive Officer (CEO) or Chief Financial Officer (CFO). Personal assistants often have access to an executive’s inbox, so they are frequently targeted too.

We have witnessed attacks that masquerade as the CFO, instructing the personal assistant to transfer funds. These attacks are well timed, often planned to coincide with the individual being out of the office and uncontactable, so the request cannot be verified with them directly.

Why is Whale Phishing a High Risk Cyber Attack?

Whale Phishing presents a very real and dangerous threat, costing organizations millions of dollars in a single theft. Many high-profile organizations have fallen to Whale Phishing, losing hundreds of thousands of dollars in a single incident.

The C-board typically have power, influence, and little time. A C-level member often does not have the time to stop and realise an attack is occurring, making them potentially more susceptible to attack. In addition, any action they take on behalf of the attacker stands a greater likelihood of succeeding: they already have the required access, or the ability to obtain it.

Finally, employees will often act on direction from senior management without question, blindly transferring funds or sensitive information in the belief that the request is genuine.

Examples of Whale Phishing

Whale Phishing is a very real threat. Read here about how both a company and an employee fell victim to a Whale Phish: Employee who fell for £200k email scam feared she would lose her home. Unfortunately this is not a unique tale; it is a very common one.

How can Security Awareness and a Strong Security Culture Prevent Whale Phishing?

Phishing attacks the employee, using social engineering to ‘fool’ an individual and exploit poor processes. A strong security culture, driven from the top down to all employees, greatly reduces the chance of such attacks being successful. By using security awareness to stress the importance of remaining vigilant, and by providing the skills needed to spot and respond to cyberattacks, a business can reduce risk without being burdened by overly expensive and invasive security defences.

Whale Phishing is a well-documented technique. Test your staff and processes to ensure your organisation is robust against such attacks. You can read more from the UK’s National Cyber Security Centre (NCSC) on Whale Phishing here: https://www.ncsc.gov.uk/guidance/whaling-how-it-works-and-what-your-organisation-can-do-about-it
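One process check that complements awareness training is an inbound-mail triage rule for the pattern described above: a message whose display name matches an executive but whose address or Reply-To points elsewhere, carrying urgent payment language. The following is an added example (not SKALES code or part of the original post); it assumes a hypothetical executive roster, organisation domain and two constructed sample messages.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical roster and organisation domain (assumptions for this example).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "john smith": "john.smith@example.com"}
URGENT_TERMS = ("urgent", "wire", "transfer", "confidential", "out of the office")

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess(raw: str) -> list[str]:
    """Return reasons an inbound message looks like executive impersonation (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reasons = []
    known = EXECUTIVES.get(name.strip().lower())          # roster address for this display name
    if known and addr.lower() != known:
        reasons.append(f"display name '{name}' matches an executive but address is {addr}")
    if known and domain_of(addr) != ORG_DOMAIN:
        reasons.append("sent from outside the organisation domain")
    if reply and domain_of(reply) != domain_of(addr):     # replies silently diverted elsewhere
        reasons.append(f"Reply-To domain {domain_of(reply)} differs from From domain")
    body = msg.get_body(preferencelist=("plain",))
    text = ((body.get_content() if body else "") + " " + str(msg.get("Subject", ""))).lower()
    hits = [t for t in URGENT_TERMS if t in text]
    if hits:
        reasons.append("urgency/payment language: " + ", ".join(hits))
    return reasons

# Constructed sample messages for demonstration only.
SUSPECT = """From: Jane Doe <jane.doe@gmail-mail.example>
Reply-To: Jane Doe <ceo.office@payments.example>
To: assistant@example.com
Subject: Urgent wire transfer
Content-Type: text/plain

I am out of the office today and cannot take calls. Please transfer the funds
to the account below and keep this confidential.
"""
BENIGN = """From: Jane Doe <jane.doe@example.com>
To: assistant@example.com
Subject: Board pack
Content-Type: text/plain

Please could you print the board pack for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, assess(sample) or ["no findings"])
```

A flagged message is a prompt for the recipient to verify the request out of band (a phone call to the known number), not a verdict on its own.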
