Whale phishing, or whaling, is a special type of phishing attack that targets high-level corporate officers with fraudulent emails, text messages or phone calls. The messages are carefully written to manipulate the recipient into authorizing large payments to cybercriminals, or divulging sensitive or valuable corporate or personal information.
Whale phishing targets are C-level executives (CEOs, CFOs, COOs), other senior executives, political office holders and organizational leaders who can authorize large payments or wire transfers or the release of sensitive information without approval from others. These targets are referred to as whales after the slang term for customers (or gamblers) who have access to more money than the average person.
It’s important to understand how phishing, spear phishing and whale phishing are related—primarily because the terms are often used interchangeably, incorrectly or without context.
Phishing is any fraudulent email, text message or phone call designed to trick users into downloading malware (via a malicious link or file attachment), sharing sensitive information, sending money to criminals or taking other actions that expose themselves or their organizations to cybercrime.
Anyone with a computer or smartphone has received a bulk phishing attack—basically a form message that appears to be from a well-known business or organization, describes a common or credible situation and demands urgent action—e.g., "Your credit card has been declined. Please click the link below to update your payment information." Recipients who click the link are taken to a malicious website that might steal their credit card number or download malware to their computers.
A bulk phishing campaign is a numbers game: Attackers send messages to as many people as possible, knowing that some percentage will be tricked into taking the bait. One study detected over 255 million phishing messages during a six-month period in 2022 (link resides outside ibm.com). According to IBM’s Cost of a Data Breach 2022 report, phishing was the second most common cause of data breaches in 2022, and the most common method for delivering ransomware to victims.
Spear phishing is a phishing attack that targets a specific individual or group of individuals within an organization. Spear phishing attacks are typically launched against mid-level managers who can authorize payments or data transfers—accounts payable managers, human resources directors—by an attacker masquerading as a coworker with authority over the target, or as a colleague (e.g. a vendor, business partner or advisor) the target trusts.
Spear phishing attacks are more personalized than bulk phishing attacks, and require more work and research. But the extra work can pay off for cybercriminals. For example, spear phishers stole more than USD 100 million from Facebook and Google between 2013 and 2015 by posing as legitimate vendors and tricking employees into paying fraudulent invoices (link resides outside ibm.com).
A whale phishing or whaling attack is a spear phishing attack aimed exclusively at a high-level executive or official. The attacker typically impersonates a peer within the target’s organization, or an equal or higher-level colleague or associate from another organization.
Whale phishing messages are highly personalized—attackers take great pains to impersonate the writing style of the actual sender and, when possible, reference context of ongoing actual business conversations. Whale phishing scammers will often spy on conversations between the sender and the target; many will try to hijack the sender’s actual email or text messaging account to send the attack message directly from there, for the ultimate in authenticity.
Because whaling attacks target individuals who can authorize larger payments, they offer the potential of a higher immediate payoff for the attacker.
Whaling is sometimes equated with business email compromise (BEC), another type of spear phishing attack in which the attacker sends the target fraudulent email that appears to come from a coworker or colleague. BEC is not always whaling (because it frequently targets lower-level employees), and whaling is not always BEC (because it doesn't always involve email), but many of the most costly whaling attacks also involve BEC attacks. For example:
Phishing, spear phishing and whale phishing are all examples of social engineering attacks—attacks that primarily exploit human vulnerabilities rather than technical vulnerabilities to compromise security. Because they leave much less digital evidence than malware or hacking, these attacks can be much more difficult for security teams and cybersecurity professionals to detect or prevent.
Most whaling attacks aim to steal large sums of money from an organization, by tricking a high-level official into making, authorizing or ordering a wire transfer to a fraudulent vendor or bank account. But whaling attacks can have other goals, including
Again, most whale phishing attacks are motivated by greed. But they can also be motivated by a personal vendetta against an executive or a company, competitive pressures, or social or political activism. Whaling attacks against high-ranking government officials can be acts of independent or state-sponsored cyberterrorism.
Cybercriminals choose a whale with access to their goal, and a sender with access to their whale. For example, a cybercriminal who wants to intercept payments to a company’s supply chain partner might send the company’s CFO an invoice and request for payment from the supply chain partner’s CEO. An attacker wanting to steal employee data might pose as the CFO and request payroll information from the VP of human resources.
To make the senders’ messages credible and convincing, whaling scammers thoroughly research their targets and senders, as well as the organizations where they work.
Thanks to the amount of sharing and conversation people conduct on social media and elsewhere online, scammers can find much of the information they need just by searching social media sites or the web. For example, by simply studying a potential target’s LinkedIn profile, an attacker can learn the person’s job title, responsibilities, company email address, department name, names and titles of coworkers and business partners, recently attended events and business travel plans.
Depending on the target, mainstream, business and local media can provide additional information—e.g., rumored or completed deals, projects out for bid, projected building costs—that scammers can use. According to a report from industry analyst Omdia, hackers can craft a convincing spear phishing email after about 100 minutes of general Google searching (link resides outside ibm.com).
But when preparing for a whale phishing attack, scammers will often take the important extra step of hacking the target and sender to gather additional material. This can be as simple as infecting the target’s and sender’s computers with spyware that enables the scammer to view file contents for additional research. More ambitious scammers will hack into the sender’s network and gain access to the sender’s email or text messaging accounts, where they can observe and insert themselves into actual conversations.
When it’s time to strike, the scammer sends the attack message(s). The most effective whale phishing messages appear to fit within the context of an ongoing conversation, include detailed references to a specific project or deal, present a credible situation (a social engineering tactic called pretexting) and make an equally credible request. For example, an attacker masquerading as the company CEO might send this message to the CFO:
Per our conversation yesterday, attached is an invoice from the lawyers handling the BizCo acquisition. Please pay by 5 p.m. ET tomorrow as specified in the contract. Thanks.
In this example, the attached invoice may be a copy of an invoice from the law firm, modified to direct payment to the scammer’s bank account.
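The defensive counterpart to this message is a triage rule that scores inbound mail for the signals a whaling message carries before it reaches the CFO: an executive's display name on an address outside the corporate domain, a sender domain that is one or two characters away from the real one, a Reply-To that diverts the conversation elsewhere, payment and deadline language, and an invoice-style attachment. The following Python is an added example written for this article, not IBM's code or any product's logic; the domain example-corp.com, the executive roster, the weights, the attachment name and both sample messages are constructed, with the whaling sample reusing the CEO-to-CFO text above.

```python
"""Heuristic triage of inbound email for executive-impersonation (whaling) signals."""
import re
from email.utils import parseaddr

# Constructed values for this example: the protected organization's domain and the
# executives whose names an attacker is most likely to borrow.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

PAYMENT_TERMS = ("invoice", "wire transfer", "payment", "bank account", "routing number")
URGENCY_TERMS = ("by 5 p.m.", "today", "tomorrow", "urgent", "asap", "immediately")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits away from the real domain marks a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_message(headers: dict, body: str, attachments: list) -> tuple:
    """Score one message. Returns (score, reasons); higher means more whaling signals."""
    findings = []  # (weight, reason)
    display_name, addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(addr)

    # Sender checks: a known executive's name on a message that did not come from
    # the corporate domain, a lookalike domain, or a Reply-To that diverts replies.
    if display_name.strip().lower() in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        findings.append((3, "executive display name on external sender address"))
    if from_domain != CORPORATE_DOMAIN and 0 < levenshtein(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append((3, f"lookalike sender domain {from_domain}"))
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append((2, "Reply-To domain differs from From domain"))

    # Content checks: the payment request, the deadline and the attached "invoice".
    text = body.lower()
    if any(term in text for term in PAYMENT_TERMS):
        findings.append((1, "payment language in body"))
    if any(term in text for term in URGENCY_TERMS):
        findings.append((1, "urgency language in body"))
    if any(re.search(r"invoice|wire|payment", name, re.I) for name in attachments):
        findings.append((1, "invoice-style attachment"))

    return sum(w for w, _ in findings), [r for _, r in findings]


# Constructed samples: the CEO-to-CFO message from the article sent from a lookalike
# domain with an outside Reply-To, and a benign internal notice from the real account.
WHALING_MESSAGE = {
    "headers": {"From": "Jane Doe <jane.doe@examp1e-corp.com>",
                "Reply-To": "jane.doe@mail-relay-example.net"},
    "body": ("Per our conversation yesterday, attached is an invoice from the lawyers "
             "handling the BizCo acquisition. Please pay by 5 p.m. ET tomorrow as "
             "specified in the contract. Thanks."),
    "attachments": ["Invoice_4471.pdf"],
}
BENIGN_MESSAGE = {
    "headers": {"From": "Jane Doe <jane.doe@example-corp.com>"},
    "body": "Reminder: the quarterly all-hands is on Thursday at 10 a.m.",
    "attachments": [],
}

if __name__ == "__main__":
    for label, msg in (("whaling", WHALING_MESSAGE), ("benign", BENIGN_MESSAGE)):
        score, reasons = analyze_message(**msg)
        print(f"{label}: score {score}, reasons {reasons}")
```

A rule like this is a prioritization aid, not a verdict: the highest-scoring messages should be held for review or trigger an out-of-band callback to the purported sender, and a message that hijacks the executive's real account (the case the article describes) scores only on its content, which is why the payment-process controls in the next section matter as much as mail filtering.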
To appear authentic to the target, whaling messages may incorporate multiple social engineering tactics including:
Whale phishing attacks—like all phishing attacks—are among the most difficult cyberattacks to combat, because they can’t always be identified by traditional (signature-based) cybersecurity tools. In many cases, the attacker need only get past ‘human’ security defenses. Whale phishing attacks are especially challenging because their targeted nature and personalized content make them even more convincing to the target or observers.
Still, there are steps organizations can take to help mitigate the impact of whale phishing, if not prevent these types of attacks altogether.
Security awareness training. Because whale phishing exploits human vulnerabilities, employee training is an important line of defense against these attacks. Anti-phishing training may include
Multi-factor and adaptive authentication. Implementing multi-factor authentication (requiring one or more credentials in addition to a username and password) and/or adaptive authentication (requiring additional credentials when users log in from different devices or locations) can prevent hackers from gaining access to a user’s email account, even if they are able to steal the user’s email password.
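To make the difference between plain multi-factor and adaptive authentication concrete, the Python below is an added example, not IBM's code or any product's implementation. It combines a risk check on the login context (unrecognized device, unfamiliar country) with a second factor implemented as RFC 6238 TOTP on top of RFC 4226 HOTP; the device and country values are constructed, and the shared secret is the one published in the RFC 6238 test vectors so the codes can be checked, whereas a real deployment would generate a random per-user secret at enrollment.

```python
"""Adaptive authentication with a TOTP second factor (added example, not IBM's code)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Secret from the RFC 6238 test vectors, used only so the example is verifiable.
RFC_TEST_SECRET = b"12345678901234567890"


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    password_ok: bool  # outcome of the first factor, checked upstream


@dataclass
class UserProfile:
    totp_secret: bytes
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    always_mfa: bool = False  # True = plain MFA on every login; False = adaptive


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Constant-time comparison against the current step and +/- drift_steps of clock skew."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * 30), code)
        for d in range(-drift_steps, drift_steps + 1)
    )


def risk_signals(attempt: LoginAttempt, profile: UserProfile) -> list:
    """Context that makes a correct password alone insufficient."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("unrecognized device")
    if attempt.country not in profile.known_countries:
        signals.append("unfamiliar country")
    return signals


def authenticate(attempt: LoginAttempt, profile: UserProfile, now: int,
                 totp_code: str = None) -> str:
    """Return 'deny', 'step-up' (second factor required) or 'allow'."""
    if not attempt.password_ok:
        return "deny"
    if profile.always_mfa or risk_signals(attempt, profile):
        if totp_code is None:
            return "step-up"  # challenge the user for their second factor
        if not verify_totp(profile.totp_secret, totp_code, now):
            return "deny"  # a stolen password with a bad code gets nowhere
        # Successful step-up: remember the verified device and location.
        profile.known_devices.add(attempt.device_id)
        profile.known_countries.add(attempt.country)
    return "allow"


def make_profile() -> UserProfile:
    """Constructed CFO profile: one known laptop and one usual country."""
    return UserProfile(RFC_TEST_SECRET, {"laptop-7"}, {"US"})


if __name__ == "__main__":
    profile = make_profile()
    now = 59  # RFC 6238 test time; the expected 6-digit code is 287082
    usual = LoginAttempt("cfo", "laptop-7", "US", password_ok=True)
    stolen = LoginAttempt("cfo", "unknown-box", "ZZ", password_ok=True)
    print("usual device:", authenticate(usual, profile, now))
    print("stolen password, no code:", authenticate(stolen, profile, now))
    print("stolen password, wrong code:", authenticate(stolen, profile, now, "000000"))
    print("legitimate user, right code:", authenticate(stolen, profile, now, totp(RFC_TEST_SECRET, now)))
```

The point of the adaptive branch is in `risk_signals`: an attacker who has only the CFO's password will almost always be logging in from a device and network the account has never used, so the step-up fires exactly when it is needed, while the CFO's own laptop is not challenged on every login. Setting `always_mfa` turns the same code into conventional MFA.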
Security software. No single security tool can prevent whale phishing altogether, but several tools can play a role in preventing whale phishing attacks or minimizing the damage they cause: