Blog/Expert Analysis/

What is whaling and how to prevent it

Jul 29, 2020

An ordinary day in the office. You get a friendly letter from your boss, asking to remind them a few passwords to the company's databases. The IT security team has just changed them, and your CEO forgot everything after yesterday's stressful meeting. You send the passwords, happy to help a colleague. And just like that, you've just become a victim of a whaling attack.

What is whaling?

Whaling is an attack where fraudsters pretend to be senior players within an organization and contact other high-level employees, such as CEOs, trying to trick them into giving away desired data or money. They reach out to employees by email or on social media. Reluctant to turn down a request from a trusted high-ranking colleague, the recipients usually fall victim to the attack.

To succeed, the scammers put a lot of effort into research. They analyze all the publicly available data about the targeted person or organization. Sometimes they dig even deeper and try to obtain private information by using social engineering or hacking techniques. This makes such attempts more difficult to avoid, as fraudsters know a lot of insider details, which helps them successfully masquerade as genuine staff members.

For example, a whaler may analyze the social media profile of the company's CEO. They might also identify the relevant colleagues, along with their job titles and responsibilities in the organization. Then the scammer will write a casual email requesting to send over some confidential data. They will include names of some colleagues and might mention a recent corporate celebration. All this will fully convince the victim to give away everything they ask.

Spear phishing and whaling

At first sight, it is hard to tell the difference between whaling and spear phishing, another phishing attack targeting specific individuals within an organization. But on closer inspection, whaling has a more personalized nature and narrow scope. While spear phishers do not necessarily reach out to senior persons, whalers aim exclusively at top-level employees, the largest fish within an organization. So, the target can be narrowed down to a single person.

How to identify a whaling attack

A whaling message will most likely have one of the following features:

  • A request to share some sensitive data or money;
  • An odd email address with misspelled names or domains;
  • A sense of urgency. Scammers usually claim that they need the information very quickly and that it is very urgent and vital. This way, they prompt you to act immediately and without too much thinking.

How to prevent a whaling attack

Here are a few tips on how to avoid becoming a whaling victim:

  • Do not post too much work-related info online, especially if it reveals insider details about your company or colleagues. If you use B2B social media networks such as LinkedIn, make sure that only your connections can see your full profile. We also suggest you do the same with all the other non-B2B social media profiles. Fraudsters use social channels a lot for their research, as people usually do not protect them properly, making them readily available sources of personal data;
  • Do not provide any corporate data which whalers could potentially use. The type of data may vary depending on the company and its activities. For example, it could be the personal details of your employees, the company's internal structure, staff responsibilities, etc. We suggest providing contact forms instead of employee email addresses for getting in touch. That way, scammers might not use them to contact their targets;
  • Do not befriend people you don't know on social networks. If someone looks suspicious, you can always ask them why they want to connect with you;
  • If an email sounds odd (e.g., a domain is slightly different or a name is misspelled), it is a red flag for a non-genuine sender;
  • Always contact your colleagues using some other means to clarify whether they tried to contact you;
  • Enable multi-factor authentication when initiating some important transactions or handling sensitive data. In this case, the whole process will not depend on a single person;
  • Use anti-phishing software, which would filter out suspicious emails;
  • Occasionally check the news on phishing and share it with others. Awareness is one of the best prevention tactics.
Elisa Armstrong

Elisa Armstrong

Verified author

Elisa’s all about languages. She speaks five, loves stand-up comedy, and is writing her first novel. Besides her extensive knowledge of cybersecurity, she’s an expert in persuasion techniques hackers use and strives to teach people how to avoid online scams.