Whaling attacks are becoming more common because the payoff is generally higher. These attacks target, or impersonate, senior executives (the “big fish”) to gain access to accounts and steal money.
The attackers take time to get to know your company, researching key staff members through social media, public announcements, and your website. They then pose as someone within your organization to trick your employees into making online payments that look like routine requests, or into handing over login credentials and other sensitive information. A well-known example of whale phishing is the case in which an employee at Mattel took the bait and made a fraudulent $3M wire transfer.
Different types of phishing
In addition to whaling, there are five other common types of phishing, each an attempt to gain access to your systems or data:
Email phishing – the most common form of phishing, using phony hyperlinks to lure your employees into sharing credentials or personal information that is then used for further attacks.
Malware phishing – involves planting malware to infect or paralyze your IT systems. Typically, attackers disguise the malware as a trustworthy attachment.
Spear phishing – like whaling, it targets specific employees using information gathered through research and social media. These attacks are usually highly customized and are particularly effective at getting past basic security controls such as spam filters.
Smishing – comes from a combination of the words “SMS” and “phishing,” and involves sending text messages disguised as trustworthy communication, which usually comes across as more personal than email.
Vishing – attackers, often operating from fraudulent call centers, phone your employees to extract sensitive information or to talk them into installing malware disguised as a legitimate application on their devices.
Six steps you can take to avoid whaling
As with all phishing campaigns, a whaling attempt has telltale signs.
Check the email address and name – because whaling attacks are more sophisticated, the malicious emails will look convincing, often using company logos and formats. Hover the cursor over the sender’s name to reveal the full email address, and do not trust the display name alone: look for unexpected hyphens, underscores, swapped or substituted characters, and simple spelling mistakes in the domain.
Read the salutation – if the greeting is addressed to a “valued customer” and not directly to you, it is probably a fake. Bear in mind, though, that a whaling email is often addressed to you by name, so a correct salutation on its own proves nothing.
Double check the message itself – if you usually don’t send confidential or financial information to a particular colleague, call or text that colleague to confirm, or check with a company executive to confirm legitimacy. Use a phone number you already have, not one supplied in the suspicious email.
Check the message wording – note any spelling errors, or a tone or phrasing that differs from how the sender usually writes. If the email mentions a social event or recent interaction with one of your executives, ask whether the event was on social media, whether your executive recently spoke at a conference, or whether the event is commonly known (an annual holiday party or support for a community cause). Another telltale sign is if the email creates urgency or preys upon your fears, such as legal action or the threat of reputational harm.
Review the signature – check for contact information in the signature, and if in doubt, reach out to the person through a channel you already trust. Legitimate internal senders usually include full contact details, but remember that a signature block is trivially copied, so its presence is weak evidence on its own.
Verify, verify, verify – spotting a whaling email can be tricky, and often your employees may be wary of “bothering” an executive. Make sure your employees know that if they are in doubt, they can always contact your IT department to confirm the email’s legitimacy.
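The first and fourth checks above (the real address behind the display name, a lookalike domain, and a reply address that goes somewhere else) can be automated on the raw message headers. The following is an added example, not code from the original article or from Dewpoint or KnowBe4. It assumes the corporate domain is `example.com`, and the three sample messages are constructed for the demo; the lookalike test (edit distance of two or less, or the brand label appearing inside a foreign domain) is a simple heuristic chosen for illustration.

```python
"""Header checks for whaling/spoofing indicators (added example).

Assumptions not taken from the article: the corporate domain is
example.com and the messages below are constructed, not real mail.
"""
import email
import re
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumed corporate domain for the demo

# Constructed sample messages (not real mail).
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Q3 budget review

Bob, the updated numbers are in the shared folder.
"""

# Display name is the CEO's real address, actual sender is a lookalike
# domain (digit 1 for letter l), and replies go to a webmail account.
WHALING = """From: "jane.doe@example.com" <jdoe.ceo@examp1e.com>
Reply-To: jane.doe.exec@webmail.test
To: bob@example.com
Subject: URGENT - confidential wire transfer

Bob, I need a $3M wire processed before noon. Do not discuss with anyone.
"""

# Brand name kept, but with a hyphen and a different top-level domain.
HYPHEN = """From: Jane Doe <jane.doe@example-com.co>
To: bob@example.com
Subject: Quick favour

Are you at your desk?
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def same_org(dom: str, corp: str) -> bool:
    """True for the corporate domain itself or any of its subdomains."""
    return dom == corp or dom.endswith("." + corp)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value against the real domain is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_headers(raw: str, corp: str = CORPORATE_DOMAIN) -> list:
    """Return the spoofing indicators found in the From and Reply-To headers."""
    msg = email.message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. The display name shows an address that is not the real sender.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if embedded and embedded.group(0).lower() != from_addr.lower():
        findings.append("display name shows a different address than the real sender")

    # 2. The sender domain imitates the corporate domain without being it.
    if not same_org(from_dom, corp):
        label = corp.split(".")[0]
        if edit_distance(from_dom, corp) <= 2 or label in from_dom:
            findings.append(f"lookalike sender domain: {from_dom}")

    # 3. Reply-To routes answers to a different domain than From.
    reply_to = msg.get("Reply-To")
    if reply_to:
        rt_dom = domain_of(parseaddr(reply_to)[1])
        if rt_dom != from_dom:
            findings.append(f"Reply-To domain {rt_dom} differs from From domain {from_dom}")
    return findings


if __name__ == "__main__":
    for name, sample in (("LEGIT", LEGIT), ("WHALING", WHALING), ("HYPHEN", HYPHEN)):
        print(name, "->", check_headers(sample) or "no indicators")
```

The legitimate message produces no findings, the whaling message produces all three, and the hyphenated variant is caught only by the brand-label rule, since its edit distance from the real domain is larger than two. The brand-label rule will also flag genuine partner domains that happen to contain the word, so in practice it is a prompt for the human verification steps above, not a verdict.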
Enforce Phishing Training
Consistent phishing training and awareness go a long way toward preventing whaling and other types of phishing. Dewpoint partners with KnowBe4, an industry leader in phishing simulations, to help reduce your organization’s vulnerability and change end-user behavior through testing and training. For advice on making your organization more CyberSmart, contact us to talk to one of our cybersecurity experts.