
What is Whaling? How and Why Scammers Target Top Management

by Fred Decker

When someone talks about “fishing,” what image does that conjure up in your mind?  For some of us, it’ll be a memory of pulling crappies out of a pond as a kid.  For others it might mean a vacation spent on a chartered boat, trying to land a trophy tarpon or sailfish.  Reality TV viewers might think first of commercial crews competing to land high-value catches of tuna or king crab.  They’re very different, but they’re all forms of fishing. 

There’s a similar variation when you turn from fishing to phishing.  Some phishing campaigns are very low-stakes, low-budget operations.  Others aim for high-value catches, such as a company’s senior executives or those in less visible positions of responsibility.  Those are referred to as “whaling” attacks (because they’re going after the really big fish), and if you’re in a senior position within your company you may be a target. Here’s what you need to know about the threat.

What is Whaling? 

Most of us (especially regular readers of this blog) are familiar with ordinary kinds of phishing.  They may come in the form of an email, a text (SMS phishing, or “smishing”), a social media message, or even a phone call or voicemail (voice phishing, or “vishing”).  No matter how you receive the message, its goal is to coax you into clicking a link (or calling a specific number) which will expose you to whatever scam the phisher is running. 


Regular phishing messages aren’t targeted.  They go out to large numbers of people, and will cheerfully pillage anyone they can (to continue the metaphor, they “cast a wide net”).  Some phishing campaigns take a different tack, dialing in on specific individuals; this is usually called spear phishing.  They draw on information sources like past data breaches, or the target’s own non-private posts on social media, and then use that information to craft messages that are likely to make the target click through. 

“Whaling phishing” — just whaling, for short — takes the spearphishing idea one step further by deliberately going after high-value targets.  These might be celebrities, political leaders, C-suite executives, those with sensitive government positions, or even those unknown but crucial people within an organization who keep the wheels turning.  It’s a serious threat because its targets — due to their seniority and responsibilities — can be leveraged to pull off really big scores.  

You could think of it as the business-centric counterpart to the so-called “pig-butchering” scams that target affluent individuals. 

What Whaling Attacks Are Trying to Achieve

The ordinary kind of phishing attacks generally have two goals: your personally identifying information (PII), or your money.  Those apply to whaling attacks too, except that companies accumulate a lot of PII and money.  Even a relatively small company might hold information on tens of thousands of users, for example, and generate millions in revenue. 

But targeting companies (or celebrities, politicians, government functionaries, or well-connected non-profits) offers criminals and hackers scope for a lot of mischief above and beyond those starting points.  A few examples include: 

Supply-Chain Attacks

The biggest targets in business and government are (generally) the best-defended, but criminals don’t have to attack them directly.  They can target the relatively small “blue-collar” companies that make software or sub-assemblies used by larger companies, and use that foothold to infiltrate a larger company or introduce vulnerabilities into its products. 

Targeting Infrastructure

Hacker groups backed by hostile nation-states can use similar strategies to target vulnerable infrastructure across the country, from water purification plants to the electrical grid. 

Inserting Malware, Ransomware, or “Backdoor” Code

The high-level personnel targeted by whalers often have high-level network or administrative privileges, by the nature of their work.  If an attack compromises someone with that kind of clearance, the attackers can use it to covertly install malware or ransomware onto the system, allowing for a really big payday. 

Alternatively — depending on their motivations — they could install a specialized form of malware called a backdoor which, as the name suggests, gives them ongoing access to the system.  It’s the software equivalent of those “sleeper cells” of spies or saboteurs you see so often in movies and novels. 

Gathering Intelligence

If you’re in government, the military, or work for a defense contractor or sub-contractor, this can mean direct espionage.  For companies, it can mean losing crucial proprietary data to domestic or overseas competitors.  On a more fundamental level, it can simply mean that you are one of the “little fish” connected to a scammer’s targeted whale.  By fooling you and others like you, the criminals or hackers can gain enough information to zero in on their real target. 


Whaling vs “Harpooning”

A whaling attack is — broadly speaking — the top tier of phishing, but that last point is why we’ve also seen a further refinement of what’s already a significant threat.  It’s called harpooning, and it’s an especially refined, resource-intensive attack. 

The criminals or hackers, in this case, spend a lot of time and effort on everyone and everything that can help them dial in on their chosen target.  That can include the target’s personal social media posts (and those of all their friends and family members), their LinkedIn contacts, and of course everyone they communicate with inside and outside of their own company.  They may even create a fake persona and communicate directly with the target (or someone “target-adjacent”) as a catfisher or romance scammer would. 

They’ll use all of this information to compile a detailed picture of their target: hobbies, interests, activities, politics, and even mundane things like the music they listen to and restaurants they visit.  Most importantly, if they can, they’ll try to phish one or more people who regularly exchange emails with the target so they can get a feel for both parties’ use of language.  It’s tedious and time-intensive but the attackers’ payoff can be huge, whether it comes in the form of a conventional scam, a big-dollar ransomware event, or a treasure trove of data. 

How to Know if You’re the Target of a Whaling Attack

Up to this point you may be thinking that your company, and you yourself, are too small-scale and obscure to be worth targeting. That may be the case, but it’s an awfully flimsy shield to rely on.  As we’ve mentioned before, even small companies amass larger quantities of money and personal information than most individuals, which makes them worthwhile targets. 

More importantly, small companies are interconnected with larger ones.  You may not consider your own company to be worth a scammer’s time, but what about your clients? Or your vendors?  That’s especially true for companies providing widely used software services or security products, because successfully infiltrating your company potentially unlocks everyone using your software or security product. 

The one thing about whaling attacks that used to limit their scope was their very sophistication: it took a lot of time and skill to do the research and craft phishing messages that could realistically mimic the writing style of individual targets.  The rise of sophisticated new AI models has taken away even that limitation, making it possible to carry out this kind of sophisticated phishing attack on a massive scale.  It’s now as easy as churning out those mass phishing messages we’re all accustomed to, and that’s a game-changer.

Protecting Yourself From Whaling Attacks is Hard

We’ve written a lot about protecting yourself from phishing attacks, and our usual advice remains sound as far as it goes: don’t click on links, don’t download attachments, scrutinize the return email addresses for signs that they’re not legitimate, and so on.  You can also still use Spokeo’s name, phone, or email lookup tools to verify that a given person on your contacts list is really who they say they are (your vendors’ employees have LinkedIn accounts too, so they’re easy for scammers to find and impersonate). 

Unfortunately, that kind of self-defense isn’t always helpful when you’re dealing with whaling attacks.  That’s partly because a great deal of your normal interaction with your coworkers and superiors will include sending and receiving links or attachments.  Getting just one more report or attached invoice from someone who sends them to you all the time isn’t going to raise any alarms, and verbally confirming every single email is utterly impractical. 

Of course, you’re not facing this problem alone, and you get a lot of help — in various ways — from your IT team and your software vendors.  To cite just a few examples: 

  • Your email provider will automatically screen for emails coming from locations (IP addresses) known to host a lot of scammers and criminal activity. They’ll also check attachments for known viruses, and filter out certain kinds of attachments entirely. Most also check for phrases commonly used by scammers.
  • Some security providers will actively check the URLs of any links in your emails. If they’re newly registered (often a sign that it’s a bogus site), that triggers a warning. 
  • Your phone provider will screen out calls of dubious origin, or flag them as problematic in order to give you a heads-up. 
  • Many of your vendors or clients may require an additional level of authentication before granting access to especially sensitive information, processes, or core network services.  This may be in the form of a one-time code, a separate authentication app, some form of biometric identification (your voice, a fingerprint, facial recognition), or even a physical key.  This is called multi-factor authentication (MFA) or two-factor authentication (2FA). 

Unfortunately, none of these is entirely bulletproof. Phone numbers can be “spoofed,” making it appear as if they’re coming from a legitimate number when they actually aren’t.  Email can be spoofed too, but email screening tools won’t work if — to quote the horror movie cliche — “the call is coming from inside the house.”  If scammers have successfully phished the credentials of someone you correspond with, the email will actually come from their legitimate account.  This is called “business email compromise,” or BEC, and it’s a big criminal specialty in its own right. 

Similarly, security services that check whether a site is newly registered won’t catch a site if the link is sent out immediately after registration (it takes a while for new registrations to be processed and show up in the registry databases those services query).  Also, most forms of MFA can be circumvented by a really well-resourced attacker.  Both of those things happened in one damaging 2022 attack against security-services providers Twilio and Cloudflare (unsuccessfully, in the latter case). 

Ultimately your best option is to adopt the preppers’ slogan that “it’s not if, it’s when,” and structure your organization’s IT and operations in ways that will harden you against attacks and minimize the damage when it occurs.


How to Protect Against Whaling

Playing whack-a-mole with security threats as they arise is a losing game, and it’s especially true of whaling attacks.

So the trick is to build your systems, and your operating procedures, in ways that make it innately more difficult for attackers to get in or to roam freely once they do. This is a book-length topic in its own right, but there are a few key points to focus on: 

Zero-Trust Architecture

Most companies’ IT systems are structured around the idea that there are insiders who are trusted, and outsiders who are not.  Unfortunately, that kind of defensive perimeter has not historically worked very well (think of China’s Great Wall, or more recently the Maginot Line).  Similarly, once a phishing attack nets a legitimate set of credentials, the barbarians, so to speak, are inside the gate and are free to pillage as they choose. 

One way to protect against that is through what’s called a “zero-trust” architecture. Under this system, there are no insiders or outsiders.  Nobody has access until they’ve been verified, every single time (picture those movies where you need to swipe a card or scan your palm to open a door).  It’s easier to build your systems on a zero-trust basis from the ground up — something to think about if you’re just growing into in-house IT — but you can revamp your existing systems around zero-trust as well. 

More-Effective MFA

One of the unsettling things about the attack on Twilio and Cloudflare was the deftness shown by the attackers in sidestepping defenses like domain-checking (against bogus sites) and multi-factor authentication.  The most common forms of authentication use a one-time code, sent by text, email, push notification, or authentication app, and all of those can be intercepted or wheedled from a victim by the attackers.  Biometric authentication methods (fingerprint, face recognition, voice recognition) can all be faked as well, especially with the aid of AI tools. 

The most effective authentication method is a physical key, which can’t readily be faked.  These can take the form of a physical pass, a USB key, or even the new “passkey” technology tied to a specific device, like your work phone. The main reason attackers were able to breach Twilio but not Cloudflare is simply that Cloudflare used hardware keys for authentication. 
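To show why a hardware key holds up where a one-time code can be wheedled out of a victim, here is an added example (not code from the article or from Spokeo) modelling the check the genuine site performs: the browser, not the user, records which site is actually open, the key signs that record, and the site refuses any response that names a different origin. All names are hypothetical, and an HMAC keyed with a per-credential secret stands in for the key’s real signature.

```python
import hashlib
import hmac
import json
import secrets

class HardwareKey:
    """Hypothetical model of a security key: it signs whatever client data the browser hands it."""
    def __init__(self) -> None:
        # HMAC secret stands in for the private key (a real site would store the public key).
        self.secret = secrets.token_bytes(32)

    def sign(self, client_data: bytes) -> bytes:
        return hmac.new(self.secret, client_data, hashlib.sha256).digest()

class RelyingParty:
    """The genuine site: accepts only assertions that name its own origin."""
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._pending = set()       # challenges issued but not yet used
        self._credentials = {}      # user -> verification material

    def register(self, user: str, key: HardwareKey) -> None:
        self._credentials[user] = key.secret

    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, user: str, client_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("challenge") not in self._pending:
            return False                          # unknown, expired or replayed challenge
        self._pending.discard(data["challenge"])  # each challenge is single-use
        if data.get("origin") != self.origin:
            return False                          # signed on some other site: refuse
        expected = hmac.new(self._credentials[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

def browser_client_data(page_origin: str, challenge: str) -> bytes:
    """The browser, not the user, records the origin of the page that is open."""
    return json.dumps({"challenge": challenge, "origin": page_origin}, sort_keys=True).encode()

def login(rp: RelyingParty, user: str, key: HardwareKey, page_origin: str) -> bool:
    challenge = rp.issue_challenge()
    client_data = browser_client_data(page_origin, challenge)
    return rp.verify(user, client_data, key.sign(client_data))
```

A sign-in from a lookalike domain fails the origin check even though the key signed honestly and the challenge was genuine, which is the property a relayed one-time code lacks.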

Building Your Business Processes From a Security-First Perspective

Food manufacturers have a process for evaluating potential risks that might lead to contamination or foodborne illness, and designing processes to nip those risks in the bud (it’s called HACCP, if you’re curious).  The equivalent process, in security terms, would mean giving careful thought to your routine practices, how they might be exploited by whalers, and tweaking those processes in ways that make them more secure. 

In many cases, for example, a whaling attack results in someone sending a large sum of money or a substantial quantity of data to the scammers.  As with any other scam, there’s pressure to act immediately, even (especially!) if doing so is outside of normal procedures.  You might change your policies, then, so that transfers of that sort require not one but two people’s authorization.  Any one person can fall for a scam at any time, but it’s much harder to trick two people into falling for it at the same time. 

Similarly, this is a high-impact use case for that improved MFA we spoke of a moment ago.  It’s relatively straightforward to require secondary authentication before permitting whichever actions you designate as being sensitive. 
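The two-person rule above, combined with a step-up authentication requirement on each approval, as an added example (not from the article or from Spokeo): a transfer at or above a threshold needs two distinct approvers, the requester can never approve their own request, each approval must carry fresh secondary authentication, and stale approvals stop counting. The threshold, approval window, approver list and timestamps are all assumed values for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy values assumed for this example; they are not taken from the article.
DUAL_CONTROL_THRESHOLD = 10_000.00     # transfers at or above this need two approvers
APPROVAL_WINDOW = timedelta(hours=4)   # an approval older than this no longer counts
AUTHORIZED_APPROVERS = {"cfo", "controller", "treasury-lead"}
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)   # constructed reference time

@dataclass
class TransferRequest:
    request_id: str
    requester: str
    payee: str
    amount: float
    approvals: dict = field(default_factory=dict)   # approver -> time of approval

def approvals_required(amount: float) -> int:
    return 2 if amount >= DUAL_CONTROL_THRESHOLD else 1

def record_approval(req: TransferRequest, approver: str,
                    step_up_verified: bool, now: datetime) -> Optional[str]:
    """Record one person's authorization; returns a refusal reason, or None if accepted."""
    if not step_up_verified:
        return "approval needs fresh secondary authentication (MFA)"
    if approver not in AUTHORIZED_APPROVERS:
        return f"{approver} is not an authorized approver"
    if approver == req.requester:
        return "the requester cannot approve their own transfer"
    if approver in req.approvals:
        return f"{approver} has already approved this request"
    req.approvals[approver] = now
    return None

def may_execute(req: TransferRequest, now: datetime) -> bool:
    """True only when enough distinct, still-valid approvals are on record."""
    valid = [who for who, at in req.approvals.items() if now - at <= APPROVAL_WINDOW]
    return len(valid) >= approvals_required(req.amount)

if __name__ == "__main__":
    req = TransferRequest("TR-001", "ap-clerk", "New Vendor Ltd", 48_500.00)
    print(record_approval(req, "cfo", False, T0))              # refused: no step-up MFA
    print(record_approval(req, "controller", True, T0))        # None (accepted)
    print("executes?", may_execute(req, T0))                   # False: one approval
    print(record_approval(req, "cfo", True, T0 + timedelta(minutes=30)))   # None
    print("executes?", may_execute(req, T0 + timedelta(hours=1)))          # True
```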

Protection is a Journey, Not a Destination

This barely scratches the surface of the topic, of course.  It’s intended to be a discussion starter between you and the IT department (or maybe between you and management, if you are the IT department) or between you and your IT services provider, if you don’t manage your own IT services department. 

There’s plenty here to dig into, and lots of consultants and providers to help guide you along the way (it’s also easier for an outsider to remind executives that yes, the rules do apply to them!).  There’s also still a place for traditional responses like phishing awareness training for your staff, and periodic checks to make sure your staff are dealing with potential phishing messages the way you’ve trained them to. 

Finally, it’s important to remember that protection isn’t a box you check on your clipboard, but an ongoing process that will constantly evolve.  Criminals will never stop innovating in their attempts to break in, so you’ll need to keep on top of your game in order to fend them off. It’s an ongoing struggle, but criminals inevitably gravitate to the easy target.  Making your organization a harder target goes a long way in and of itself toward keeping you out of trouble.