Regular phishing messages aren\u2019t targeted.\u00a0 They go out to large numbers of people, and will cheerfully pillage anyone they can (to continue the metaphor, they \u201ccast a wide net\u201d).\u00a0 Some phishing campaigns take a different tack, dialing in on specific individual targets.\u00a0 They draw on information sources like past data breaches, or the target\u2019s own non-private posts on social media<\/a>, and then use that information to craft messages that are likely to make the target click through.\u00a0<\/p>\n\n\n\n \u201cWhaling phishing\u201d \u2014 just whaling, for short \u2014 takes the spearphishing idea one step further by consciously targeting high-value targets. These might be celebrities, political leaders, C-suite executives, those with sensitive government positions, or even those unknown but crucial people within an organization who keep the wheels turning. It\u2019s a serious threat because its targets \u2014 due to their seniority and responsibilities \u2014 can be leveraged to pull off really big scores. <\/p>\n\n\n\n You could think of it as the business-centric counterpart to the so-called \u201cpig-butchering<\/a>\u201d scams that target affluent individuals.\u00a0<\/p>\n\n\n\n The ordinary kind of phishing attacks generally have two goals: your personally identifying information (PII), or your money. Those apply to whaling attacks too, except that companies accumulate a lot<\/em> of PII and money. Even a relatively small company might hold information on tens of thousands of users, for example, and generate millions in revenue. <\/p>\n\n\n\n But targeting companies (or celebrities, politicians, government functionaries, or well-connected non-profits) offers criminals and hackers scope for a lot of mischief above and beyond those starting points. A few examples include: <\/p>\n\n\n\n The biggest targets in business and government are (generally) the best-defended, but criminals don\u2019t have to attack them directly. They can target the relatively small \u201cblue-collar\u201d companies that make software or sub-assemblies used by larger companies, and use those to infiltrate a larger company or introduce vulnerabilities into their product. <\/p>\n\n\n\n Hacker groups backed by hostile nation-states can use similar strategies to target vulnerable infrastructure across the country, from water purification plants to the electrical grid.\u00a0<\/p>\n\n\n\n The high-level personnel targeted by whalers often have high-level network or administrative privileges, by the nature of their work. If an attack compromises someone with that kind of clearance, the attackers can use it to covertly install malware or ransomware onto the system, allowing for a really big payday. <\/p>\n\n\n\n Alternatively \u2014 depending on their motivations \u2014 they could install a specialized form of malware called a backdoor<\/em> which, as the name suggests, gives them ongoing access to the system. It\u2019s the software equivalent of those \u201csleeper cells\u201d of spies or saboteurs you see so often in movies and novels. <\/p>\n\n\n\n If you\u2019re in government, the military, or work for a defense contractor or sub-contractor, this can mean direct espionage. For companies, it can mean losing crucial proprietary data to domestic or overseas competitors. On a more fundamental level, it can simply mean that you are one of the \u201clittle fish\u201d connected to a scammer\u2019s targeted whale. By fooling you and others like you, the criminals or hackers can gain enough information to zero in on their real target. <\/p>\n\n\n\n A whaling attack is \u2014 broadly speaking \u2014 the top tier of phishing, but that last point is why we\u2019ve also seen a further refinement of what\u2019s already a significant threat. It\u2019s called harpooning<\/em>, and it\u2019s an especially refined, resource-intensive attack. <\/p>\n\n\n\n The criminals or hackers, in this case, spend a lot of time and effort on everyone and everything that can help them dial in on their chosen target.\u00a0 That can include their personal social media posts (and those of all their friends and family members); their LinkedIn contacts, and of course everyone they communicate with inside and outside of their own company.\u00a0 They may even create a fake persona and communicate directly with the target (or someone \u201ctarget-adjacent\u201d) as a catfisher<\/a> or romance scammer<\/a> would.\u00a0<\/p>\n\n\n\n They\u2019ll use all of this information to compile a detailed picture of their target: hobbies, interests, activities, politics, and even mundane things like the music they listen to and restaurants they visit.\u00a0 Most importantly, if they can, they\u2019ll try to phish one or more people who regularly exchange emails with the target so they can get a feel for both parties\u2019 use of language.\u00a0 It\u2019s tedious and time-intensive but the attackers\u2019 payoff can be huge, whether it comes in the form of a conventional scam, a big-dollar ransomware event, or a treasure trove of data.\u00a0<\/p>\n\n\n\n Up to this point you may be thinking that your company, and you yourself, are too small-scale and obscure to be worth targeting. That may be the case, but it\u2019s an awfully flimsy shield to rely on. As we\u2019ve mentioned before, even small companies amass larger quantities of money and personal information than most individuals, which makes them worthwhile targets. <\/p>\n\n\n\n More importantly, small companies are interconnected with larger ones. You may not consider your own company to be worth a scammer\u2019s time, but what about your clients? Or your vendors? That\u2019s especially true for companies providing widely used software services or security products, because successfully infiltrating your company potentially unlocks everyone using your software or security product. <\/p>\n\n\n\n The one thing about whaling attacks that used to limit their scope was their very sophistication: it took a lot of time and skill to do the research, and craft phishing messages that could realistically mimic the writing style of individual targets.\u00a0 The rise of sophisticated new AI models has taken away even that limitation, making it possible to carry out this kind of sophisticated phishing attack on a massive scale<\/a>.\u00a0 It\u2019s now as easy as churning out those mass phishing messages we\u2019re all accustomed to, and that\u2019s a game-changer<\/a>.\u00a0<\/p>\n\n\n\n We\u2019ve written a lot about protecting yourself from phishing attacks, and our usual advice remains sound as far as it goes: don\u2019t click on links, don\u2019t download attachments, scrutinize the return email addresses for signs that they\u2019re not legitimate, and so on.\u00a0 You can also still use Spokeo\u2019s name<\/a>, phone<\/a>, or email lookup tools<\/a> to verify that a given person on your contacts list is really who they say they are (your vendors\u2019 employees have LinkedIn accounts too, so they\u2019re easy for scammers to find and impersonate).\u00a0<\/p>\n\n\n\n Unfortunately, that kind of self-defense isn\u2019t always helpful when you\u2019re dealing with whaling attacks. That\u2019s partly because a great deal of your normal interaction with your coworkers and superiors will include sending and receiving links or attachments. Getting just one more report or attached invoice from someone who sends them to you all the time isn\u2019t going to raise any alarms, and verbally confirming every single email is utterly impractical. <\/p>\n\n\n\n Of course, you\u2019re not facing this problem alone, and you get a lot of help \u2014 in various ways \u2014 from your IT team and your software vendors. To cite just a few examples: <\/p>\n\n\n\n Unfortunately, none of these is entirely bulletproof. Phone numbers can be \u201cs<\/a>poofed,\u201d making it appear as if they\u2019re coming from a legitimate number when they actually aren\u2019t.\u00a0 Email can be spoofed too, but email screening tools won\u2019t work if \u2014 to quote the horror movie cliche \u2014 \u201cthe call is coming from inside the house.\u201d\u00a0 If scammers have successfully phished the credentials of someone you correspond with, the email will actually come from their legitimate account.\u00a0 This is called \u201cbusiness email compromise,\u201d or BEC, and it\u2019s a big criminal specialty in its own right.\u00a0<\/p>\n\n\n\n Similarly, security services that check whether a site is newly registered won\u2019t catch them if the link is sent out immediately after the registration (it takes a while for them to be processed and put in the registry database).\u00a0 Also, most forms of MFA can be circumvented by a really well-resourced attacker.\u00a0 Both of those things happened in one damaging 2022 attack against security-services providers Twilio and Cloudflare<\/a> (unsuccessfully, in the latter case).\u00a0<\/p>\n\n\n\n Ultimately your best option is to adopt the preppers\u2019 slogan that \u201cit\u2019s not if, it\u2019s when,\u201d and structure your organization\u2019s IT and operations in ways that will harden you against attacks and minimize the damage when it occurs.<\/p>\n\n\n\n Playing whack-a-mole with security threats as they arise is a losing game, and it\u2019s especially true of whaling attacks.<\/p>\n\n\n\n So the trick is to build your systems, and your operating procedures, in ways that make it innately more difficult for attackers to get in or to roam freely once they do. This is a book-length topic in its own right, but there are a few key points to focus on: <\/p>\n\n\n\n Most companies\u2019 IT systems are structured around the idea that there are insiders who are trusted, and outsiders who are not. Unfortunately, that kind of defensive perimeter has not historically worked very well (think of China\u2019s Great Wall, or more recently the Maginot Line). Similarly, once a phishing attack nets a legitimate set of credentials, the barbarians, so to speak, are inside the gate and are free to pillage as they choose. <\/p>\n\n\n\n One way to protect against that is through what\u2019s called a \u201czero-trust\u201d <\/a>architecture. Under this system, there are no insiders or outsiders.\u00a0 Nobody<\/em> has access until they\u2019ve been verified, every single time (picture those movies where you need to swipe a card or scan your palm to open a door).\u00a0 It\u2019s easier to build your systems on a zero-trust basis from the ground up \u2014 something to think about if you\u2019re just growing into in-house IT \u2014 but you can revamp your existing systems around zero-trust as well.\u00a0<\/p>\n\n\n\n One of the unsettling things about the attack on Twilio and Cloudflare was the deftness shown by the attackers in sidestepping defenses like domain-checking (against bogus sites) and multi-factor authentication. The most common forms of authentication use a one-time code, sent by text, email, push notification, or authentication app, and all of those can be intercepted or wheedled from a victim by the attackers. Biometric authentication methods (fingerprint, face recognition, voice recognition) can all be faked as well, especially with the aid of AI tools. <\/p>\n\n\n\n The most effective authentication method is physical keys, which can\u2019t readily be faked.\u00a0 These can take the form of a physical pass, a USB key, or even through the new \u201cpasskey\u201d technology<\/a> on a specific external device, like your work phone. The main reason attackers were able to breach Twilio but not Cloudflare is simply that Cloudflare used hardware keys for authentication.\u00a0<\/p>\n\n\n\nWhat Wailing Attacks Are Trying to Achieve<\/h2>\n\n\n\n
Supply-Chain Attacks<\/h3>\n\n\n\n
Targeting Infrastructure<\/h3>\n\n\n\n
Inserting Malware, Ransomware, or \u201cBackdoor\u201d Code<\/h3>\n\n\n\n
Gathering Intelligence<\/h3>\n\n\n\n
![\"hacker](\"https:\/\/i0.wp.com\/www.spokeo.com\/compass\/image\/towfiqu-barbhuiya-em5w9_xj3uU-unsplash.jpg?resize=1024%2C683&ssl=1\")
<\/figure>\n\n\n\nWhaling vs \u201cHarpooning\u201d<\/h2>\n\n\n\n
How to Know if You\u2019re the Target of a Whaling Attack<\/h2>\n\n\n\n
Protecting Yourself From Whaling Attacks is Hard<\/h2>\n\n\n\n
\n
![\"two](\"https:\/\/i0.wp.com\/www.spokeo.com\/compass\/image\/christina-wocintechchat-com-SxQkvBfajHc-unsplash.jpg?resize=1024%2C684&ssl=1\")
<\/figure>\n\n\n\nHow to Protect Against Whaling<\/h2>\n\n\n\n
Zero-Trust Architecture<\/h3>\n\n\n\n
More-Effective MFA<\/h3>\n\n\n\n
Building Your Business Processes From a Security-First Perspective<\/h3>\n\n\n\n