What is a Whaling attack — and how to avoid them

Security lock with keyboard keys
(Image credit: FLY:D on Unsplash)

One of the most widely used methods cybercriminals use to scam unsuspecting victims online is phishing. From masquerading as trusted social media brands on emails (with LinkedIn currently being the most faked brand) to sending suspicious messages asking for your login credentials, threat actors cast a wide net in order to steal valuable information from unaware victims.

Anyone with an email is susceptible to a phishing attack, with some being more harmful than others by inserting a malicious email attachment infected with malware, ransomware, or even spyware. Fortunately, these fraudulent messages can be easy to spot if users keep a watchful eye over their inbox, as they can often be filled with typos or email addresses that don't match up to an official brand.

However, another form of phishing can be trickier to spot, and more effort is put into these messages to take advantage of specific targets — resulting in large-scale companies being compromised. This is known as whaling, but how is it different from phishing attacks, and how do you avoid them?

What is whaling?

Whaling attacks are a type of fraud cybercriminals use to trick specific people in organizations into sharing private information, with the aim of gaining access to their online accounts and stealing money. The key difference is the target these threat actors go for, which are usually senior roles in companies such as senior executives.

(Image credit: Unsplash / Sigmund)

Similar to phishing attacks, the attacker will send emails or messages to a specific target in an attempt to earn their trust and trick them into sharing personal information, showing confidential company information, or doing specific actions.  

Cybercriminals will do extensive research about a company in order to gain the trust of individuals. This can be anything from a recent event posted on social media or the CEO announcing a deal that is now publicly known. This is all to make an email sent more believable, and the cherry on top is who the threat actor impersonates.

Attackers will often pose as someone important or high-ranking in the organization, such as a CEO or even a manager. This gives the messages sent a sense of seniority, meaning staff under these positions are more likely to comply with actions stated in an email.

This is where the term "Whaling" comes into play, as threat actors will act as the "big phish" in order to trick specific individuals with financial or personal information about the company and its employees. It's a more sophisticated level of social engineering than the average phishing attack, and anyone in an organization should keep an eye out for suspicious emails. 

How to avoid whaling attacks

Whaling attacks aren't uncommon. As cybersecurity company Kaspersky points out, Snapchat was a target when a fake email was sent from the "CEO" asking for employee payroll information. What's more, toy company Mattel nearly lost $3 million after an attacker impersonated the new CEO and sent an email to a finance executive, asking for a money transfer.

While whaling tactics often target leading positions, anyone at a company could fall victim if they have the right information or contacts. However, there are still revealing signs that an email is fraudulent, no matter how convincing a message can be. 

(Image credit: Snappa)

One way to defend against whaling attacks is to check the email address and name. While these malicious emails can look convincing, often using official company logos and format, you can hover the cursor over a name to show the full email address. Compare this to a common company email address, keeping an eye out for random hyphens ("-"), underscores ("_"), additional ".co," or simple spelling mistakes in the company name or user name.

Another way is to check the message itself. If you weren't expecting to send information to this particular colleague, have never been contacted by them before, or if the message specifically asks for personal or financial information for unnecessary means, then be cautious before sending anything. Ask another colleague if the message asks for legitimate information.

Also, be aware of how the message is worded. There could be minor spelling errors or a difference in how the sender usually words their emails. What's more, they could reference a recent social event that was posted online or information that is known through your social media profiles such as a holiday or social event.

It can be tricky to spot a whaling email, especially when it comes from someone with an important title. However, IT departments will often have anti-phishing software in place to flag suspicious emails. If something doesn't seem right, it's a good idea to contact your company's IT department for further insight.

Whaling attacks are a nasty scam tactic, but there are other methods cybercriminals use to steal personal or financial information. To keep yourself protected, find out the difference between spyware and stalkerware

Darragh Murphy

Darragh Murphy is fascinated by all things bizarre, which usually leads to assorted coverage varying from washing machines designed for AirPods to the mischievous world of cyberattacks. Whether it's connecting Scar from The Lion King to two-factor authentication or turning his love for gadgets into a fabricated rap battle from 8 Mile, he believes there’s always a quirky spin to be made. With a Master’s degree in Magazine Journalism from The University of Sheffield, along with short stints at Kerrang! and Exposed Magazine, Darragh started his career writing about the tech industry at Time Out Dubai and ShortList Dubai, covering everything from the latest iPhone models and Huawei laptops to massive Esports events in the Middle East. Now, he can be found proudly diving into gaming, gadgets, and letting readers know the joys of docking stations for Laptop Mag.