Phishing #103

Whaling Attacks

December 9, 2020 11:21 am Published by

A whaling attack does not differ greatly from a business email compromise (BEC) attack; the basic plot at the root of the attack is the same: a hacker poses as an employee of the company to inflict monetary or other harm on an organization. However, in a whaling attack, an attacker specifically masquerades as a senior executive of an organization in order to target other senior officials at the same organization, hoping that they will divulge sensitive information, incur monetary losses or let hackers and cybercriminals gain access to the company IT infrastructure to cause further damage of various kinds. Since whaling attackers mainly target top officials, it is also known as CEO fraud. Whaling's success has largely depended on effective social engineering. Unlike basic phishing, where individuals are targeted based on nothing specific, in whaling specific C-level executives are the victims. Since the fraudulent communications look as if they have been sent by people higher up the corporate ladder, employees rarely refuse to reply to emails sent with the intention of carrying out a whaling attack. Whaling bears a resemblance to spear-phishing; it is in fact called whaling when cybercriminals try to spear-phish a senior official of a particular organization.

Consequences faced by an organization after a Whaling attack and Examples

One of the main reasons whaling is widely feared among cybersecurity personnel around the world is that big companies reputed to have the tightest cybersecurity protocols in place have fallen prey to whaling attacks and as a result incurred significant financial loss, divulged crucial personal information about employees or, on some occasions, leaked data about essential company activities.

Financial loss

PhishLabs, in its 2016 Phishing Trends and Intelligence report, found that of all the spear-phishing attacks analyzed in 2015, 22% were carried out with the intention of financially defrauding a company or committing similar crimes. The patterns followed in this sort of whaling attack are quite similar as well: senior executives often received emails from cybercriminals and attackers presenting themselves as trusted suppliers, partners or members of the organization itself. Executives replied to these emails, oblivious to their fraudulent motive, and inflicted heavy financial losses on the organization.

Leaking of crucial data

Whaling attacks are often carried out through emails containing malicious links and attachments whose sole purpose is to infect the system of a chief executive, opening the path for further attacks and, in the process, weakening the cybersecurity put in place. This type of whaling attack is mainly carried out to extract vital information related to the customers of an organization or to commit intellectual property theft.

Blow to reputation of a company

Whaling attacks often result in a loss of reputation in the industry. FACC had to fire a number of its employees, including top officials and its CEO, for their involvement in a whaling attack on the company in 2016.


  1. In 2015, Ubiquiti Networks fell victim to a whaling attack whose losses amounted to $47 million. The attackers in this instance coerced the finance department into making wire payments to a supplier, claiming that a senior-level executive was out of office and thus unable to handle the transaction in question. Subsequently, in January 2016 and August 2016, FACC, Crelan Bank and Leoni AG reported whaling attacks in which the losses incurred amounted to almost 54 million dollars, 76 million dollars and 40 million dollars respectively.

  2. One of the primary examples of a whaling attack, known throughout the world of cybersecurity, is the attack on Snapchat in 2016, where the payroll department fell prey to an email impersonating the CEO and asking for the payroll information of employees. The attack was reported to the FBI, and the employees who were victims of the attack received two years of free identity-theft insurance.

  3. In March of 2016, Seagate divulged the income tax data of several employees after falling prey to a bout of whaling attacks. A senior executive of Seagate, completely oblivious to the fact that he was replying to a fraudulent source, responded to an email requesting the W-2 forms of all current and former employees. This attack left a number of employees exposed to income tax refund fraud, and they are at an eternal risk of identity theft. This breach of security was subsequently reported to the IRS.

  4. In the year 2019, toy giant Mattel incurred losses amounting to approximately 3 million dollars. In this case, the attacker took a much more direct approach. A senior-level executive of the finance department was easily duped, responding to an email seemingly sent by the CEO requesting a money transfer. This is yet another example of a high-profile whaling attack.

  5. One of the more creative examples of whaling involved a number of executives across industries who fell victim to an attack that was filled with accurate personal details about them. The email sender posed as the United States District Court and pretended to send them a subpoena asking them to appear before a grand jury regarding a civil case. The email came with a link to the subpoena, but the link actually delivered malware; upon clicking it, the executives' systems were severely infected with malware.

Methodology of a whaling attack

Whaling attacks have lately become incredibly sophisticated as attackers and cybercriminals have learnt to adapt to the changing landscape of the cyber world. Attackers have taken it upon themselves to learn common business terminology, which they use in their emails to dupe a particular senior executive. This has made it immensely difficult for security personnel and senior executives to identify malicious emails, unlike earlier, when ordinary phishing emails and whaling emails looked more or less alike. The success of whaling attacks depends on the fact that whaling emails are highly personalized and target select individuals ranked high up the ladder in an organization, whose compromise is bound to inflict significant damage if the attempt succeeds. Because whaling offers the prospect of gaining much more from a single attack, attackers are not afraid to invest more time in crafting one; they gather data from various social media platforms, viz. LinkedIn, Facebook, Twitter, Instagram, etc. This information is in turn used to personalize an email with the target's company information, job details and minimal details about coworkers or business partners. Often, highly targeted content is combined with numerous other methods to increase the odds of a whaling attack succeeding.

Whaling emails via phone calls

The National Computer Security Centre or NCSC is aware of several instances where a whaling email was sent and immediately followed up by a phone call confirming the email request. This method is increasingly used by attackers or cybercriminals carrying out whaling attacks, as it is an effective social engineering technique that is often described as cyber-enabled fraud. The method succeeds because the phone call not only verifies the email request, but statistics also point to the fact that real-life interaction makes the victim far more complacent and mostly oblivious to the malicious intentions of the attacker.

Whaling emails where the attacker is posing as a trusted partner

There has been a massive spike in attacks where a supplier's or partner's network is attacked with the motive of gaining access to an organization's IT infrastructure, using the partner's network as a gateway. This type of attack is also known as a supply chain attack. Whaling attackers, known for their creative approach, often use easily accessible information or data about an organization's partner or supplier to craft whaling emails that appear extremely credible, increasing the odds of a successful whaling attack.

Whaling emails from attackers masquerading as colleagues

In organizations and firms, it is often the case that employees do not fall under the same top-level cybersecurity as senior executives of the same organization, making them an easy target for cyberattacks. Social engineering also works on employees because they promptly respond to emails that appear to come from senior officials within the company but are in fact from an attacker trying to defraud the organization. Email addresses of senior-level executives are often spoofed and used to dupe employees into approving financial transactions or divulging crucial personal information or data about the organization.

Whaling via social media

Proofpoint has published a report stating that there was an increase of 150% in social media phishing attacks in 2015. Recent developments around social media are further proof that the information available on our social media accounts can be accessed by pretty much everyone. It is not a herculean task for a cybercriminal to become privy to that information. Attackers use this data for various forms of social engineering and to craft emails filled with personal details, giving their whaling attack a better chance of succeeding.

Security Solutions

Recent trends suggest that attackers carrying out whaling attacks are becoming increasingly successful at evading automated defences against cyberattacks. At Prime Infoserv, we encourage the education of officials working at the senior executive level. To prevent whaling attacks, it is now almost a necessity that top officials learn how to differentiate between a legitimate email and a spoofed email sent with malicious intent. Senior officials should be taught about the consequences of a whaling attack and trained so that they are familiar with its various facets. At Prime Infoserv, we are of the opinion that senior executives should follow strict privacy restrictions on public domains so that attackers cannot gain access to their private details easily. It is of utmost importance that external emails, i.e. emails received from outside the organization, are flagged and that there is an established system of verification so that when a financial transaction is requested through an email, it is subject to verification first. Prime Infoserv provides data loss solutions, as they are viewed as a last resort to stop vital data from falling into the wrong hands during a whaling attack.
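
The flagging and verification rule described above, and the spoofed executive addresses mentioned earlier, can be sketched as a mail triage check. This is an added example, not Prime Infoserv's code or product; the internal domain, executive names, keyword list and action names are assumptions, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed policy values (hypothetical, not from the article).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "raj patel"}  # display names of senior staff
REQUEST_TERMS = ("wire transfer", "payment", "invoice", "payroll", "w-2")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess(raw):
    """Return the whaling indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    flags = []
    external = domain_of(addr) != INTERNAL_DOMAIN
    if external:
        flags.append("external-sender")
    # An executive's display name on an outside address suggests spoofing.
    if external and name.strip().lower() in EXECUTIVES:
        flags.append("executive-name-on-external-address")
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.append("reply-to-domain-mismatch")
    if any(term in text for term in REQUEST_TERMS):
        flags.append("financial-or-payroll-request")
    return flags

def action(raw):
    flags = assess(raw)
    # Money or payroll requests are verified first, whoever appears to send them.
    if "financial-or-payroll-request" in flags:
        return "hold-for-verification"
    return "tag-external" if "external-sender" in flags else "deliver"

# Constructed sample messages (not real mail).
SPOOFED = ("From: Jane Doe <jane.doe@mail-example.test>\n"
           "Reply-To: accounts@other.test\n"
           "Subject: Urgent wire transfer\n\n"
           "I am out of office. Please pay the supplier today.\n")
NEWSLETTER = ("From: Vendor News <news@vendor.test>\n"
              "Subject: Product update\n\nOur new release is available.\n")
INTERNAL = ("From: Raj Patel <raj.patel@example.com>\n"
            "Subject: Lunch\n\nSee you at noon.\n")

if __name__ == "__main__":
    for sample in (SPOOFED, NEWSLETTER, INTERNAL):
        print(action(sample), assess(sample))
```

A held message should be confirmed through a channel the recipient initiates, such as a number taken from the company directory, because a phone call placed by the sender may be part of the same fraud.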

This post was written by Prime Research Team
