Email Security Blog

What is Whaling Phishing & How Does it Work?

John Wilson September 29, 2021 Agari Products, Business Email Compromise, Email Security, Phishing, Uncategorized
whale underneath man in boat

“Whaling” phishing attacks target the C-suite of a company which creates high risk of extremely sensitive, mission-critical data being stolen and exposed. Fortunately, protecting the organization from these attacks is possible.

But what is Whaling phishing? Whaling phishing is a type of phishing attack targeting larger, high-value targets, which is why it’s called “Whaling.” Attackers themselves often pretend to be C-suite executives in emails to colleagues asking for personal or company information.

What Exactly is Phishing?

Phishing is when a bad actor pretends to be someone else through either email or text message in order to trick the recipient into leaking their information, or installing malware. These attacks in general have risen sharply over the years and are one of the biggest threats to network security.

Attackers impersonate well-known brands, and in the case of whaling, pretend to be a trusted leader inside an organization in order to trick recipients into clicking on malicious links or sending sensitive information.

Attackers use a number of different methods to hide their true identity when phishing. Some of those methods include:

  • Sending emails from a spoofed domain
  • Sending emails from a lookalike domain
  • Using stolen brand images in the email to convey trust
  • Using stolen email signatures to look legitimate
  • Hiding malicious embedded links inside innocent looking URLs
  • Using scare tactics and urgency to get recipients to act
  • Pretending to be a key figure within an organization to get recipients to act

While there are plenty of methods attackers use to phish unsuspecting victims, there are equally just as many strategies companies can use to implement phishing defenses.

Let’s take a look at the different types of phishing attacks, and how they compare to whaling.

Phishing vs. Whaling – What’s the Difference?

Simply put, whaling is a more targeted form of spear phishing that exploits the trust of recipients by pretending to be an authority figure within a company.

For example, attackers will pretend to be a C-level staff member in an organization, and use that authority to pressure employees and colleagues to take a specific action. These actions can range from sending over financial statements, clicking on fraudulent links, or even wiring money to unknown accounts.

Many phishing attacks are done indiscriminately and are sent to thousands of different people at once. Email scams are a numbers game, so attackers will send emails in bulk knowing only a small percent will fall for the scam.

Whaling, however, takes the complete opposite approach, and focuses on researching particularly lucrative targets like enterprise organizations. Attacks are well planned and often use scraped or stolen information in order to make the fake message appear more legitimate.

A common technique used by phishers is to pull names, email addresses and phone numbers from a company website. This helps the scammers understand the hierarchy of the organization and aids them in planning who they will impersonate.

To better understand how whaling differs from other forms of email attacks, let’s take a brief look at the different types of phishing attacks.

Email Phishing

Email phishing is the most common type of email scam, and is often what people refer to when they talk about phishing in general. It’s estimated that nearly half of all emails sent contain some sort of phishing attack.

These emails can vary in messaging but often pretend to be a legitimate company, or person an organization does business with often. Fake password resets, phony invoices and bogus shipping updates are among the most common types of email phishing attacks

Spear Phishing

Spear phishing focuses its attack on a single organization and uses research gathered online to impersonate companies or individuals that a company frequently does business with. Attackers can impersonate either a trusted third party, or someone that works inside of the target company.

These attacks will target single departments or individuals to try and compromise the company. Everything from the subject line, to the name of the sender can all be tailored and customized to be as familiar to the target as possible.

While email phishing may cast a wide net to try and catch many fish, spear phishing uses a single spear to target one very lucrative fish.

Smishing

Smishing is an attack that uses text messaging (SMS) in order to deliver a harmful message. These can be either targeted attacks or widespread phishing campaigns that attempt to trick users into clicking fake links and entering their information.

The most common forms of smishing are fake shipping updates, customer rewards, and, especially recently, messages impersonating the IRS regarding stimulus check updates.

Vishing

Vishing is when an attacker uses voice communications to steal information. These usually take the form of a voicemail message claiming that the recipient owes money, has been hacked, or is in legal trouble with the IRS. The goal of these scams is the same of every scam, to obtain information or funds illegally.

Vishing can also take place if a user calls a fake number. Malicious websites create fake pop ups claiming a computer has been hacked, and scaring the user into calling the ‘tech support’ number for assistance.

In reality the computer is not hacked, but after a phone call the fake tech support scammer will establish a remote connection and either infect the machine, or pretend to fix the problem in exchange for a fee.

Example of Whaling in Action

What does a Whaling attack look like? Let’s run a mock scenario.

After weeks of research, attackers have gathered information on ABC Company and are ready to begin their Whaling campaign.

They know the names and email addresses of the C-level staff members and are going to attempt to trick one of them into opening an attachment that will silently install spyware in the background.

This spyware will steal company secrets, financial information, and even assets that will aid in future whaling campaigns

Attackers register a fake domain that looks exactly like ABC Company. Instead of the real abccompany.com, they create abcconpany.com — a misspelling that is tough to spot.

They use that email address to impersonate the CEO, and send an email to the accountant. The message states that an invoice is overdue and urgently needs to be paid.

The attachment looks like a real PDF invoice, but is actually a payload that will install malware once opened.

To make matters worse the account numbers in the fake invoice are to the attacker’s company, meaning not only does the account install malware, but they also send money to the attacker.

Consequences of Whaling

Whaling can have a devastating impact on organizations of all sizes, as the attack focuses on stealing the most sensitive forms or data and financial information.

Unlike traditional phishing, highly valuable information such as tax returns and bank account numbers are targeted.

This can lead to fraudulent wire transfers, stolen identities, and even more coordinated follow-up attacks.

How Can I Defend Against Whaling?

Preventing phishing, or more specifically Whaling, is never as simple as installing a program. It takes a dedicated phishing response plan in order to remain protective and minimize the impacts of phishing attacks.

Here are a few steps you can take to prevent whaling:

Implement email rules that tag external emails as “outside of the organization.” This helps users know right away when an email is coming from outside the company. This capability is often part of a larger data loss prevention (DLP) solution, such as Clearswift.

Create policies and procedures for sensitive tasks such as wire transfers or sending financial information. Having someone approve these requests or use a secondary channel helps catch phishing attempts in action before it’s too late.

Implement phishing training across your organization. Staff training uses a combination of fake phishing emails along with customized training to measure how knowledgeable staff members are in email security.

Invest in professional defense. There are a lot of moving parts when it comes to defending against whaling attacks. Companies can partner with organizations like Agari to build a phishing defense plan that prevents these attacks from ever making it to the inbox.

How Do I Report a Phishing Attack?

If you’ve fallen victim to an email-based scam, or have been sent a phishing email, there are a few simple steps you can use to report it.

If you’ve received a phishing email, you can forward it directly to the FTC Anti-Phishing Working Group at reportphishing@apwg.org. If the message was a text message you can forward it to SPAM (7726).

You can then report the phishing attack by visiting http://ftc.gov/complaint.

The Agari Advantage

Agari offers a turnkey solution to prevent whaling attacks through automatic phishing response, remediation, and containment. The system utilizes both signature-based security as well as behavioral analysis to stop malicious files and bad actors at the same time.

If you’re looking to learn how to keep your business safe from whaling attacks, see how Agari Phishing Defense works in action.

Man perplexed looking at laptop computer

October 8, 2021 John Wilson

How to Prevent Business Email Compromise Attacks

How can you prevent business email attacks? Is training enough? We'll walk you through solutions…

Agari Blog Image

July 7, 2021 Chris Sestito

Catching Lookalike Domains with Image-Based Analysis

Reading is like riding a bicycle:  once you master it, it feels easy and automatic,…

Agari Blog Image

April 29, 2021 Brent Sleeper

Powerful New Agari Phishing Defense Integration Comes to Cortex XSOAR

As we expand our integrations with industry leaders, we’re very excited to highlight a new…

Agari Blog Image

April 28, 2021 Seth Knox

Frost Radar Names Agari as a Leader in Email Security

Three months ago, when I joined Agari as the Chief Marketing Officer, I knew that…

Agari Blog Image

April 20, 2021 Brent Sleeper

Newly-Enhanced Agari Splunk App Integrates Phishing Threat Data into Splunk SIEM Solutions

A newly-enhanced Agari App for Splunk integrates email threat data from both Agari Phishing Defense…

mobile image