Key Takeaways
- Whaling attacks cost enterprises around $1.8 billion every year. (hoxhunt)
- C-level executives report receiving a whaling attack every 24 days.
- A fake invoice scam that targeted both Google and Facebook is reported as the most expensive whaling attack, costing the two companies over $100 million combined.
Introduction
Cybercrime does not discriminate between individuals. It can happen to anyone, at any time. We have all heard of phishing attacks, in which attackers deceive unsuspecting people into clicking malicious links and exposing sensitive information, whether by email, text message or phone call. When such an attack targets high-profile individuals, such as CEOs, CFOs or other top executives, it is called a ‘whaling attack’. These attacks are carefully designed to deceive senior leaders into giving away sensitive information or authorizing payments.
What is whaling in Cyber Security?
The term ‘whaling’ refers to the size of the catch: senior leaders are the ‘big fish’, with access to critical data, financial assets and the authority to approve payments. Attackers use social engineering techniques to manipulate their victims into revealing confidential data or transferring funds. Below we discuss how whaling attacks work, how to recognize their signs, and how to protect your organization’s leaders and assets.
How Whaling Attacks Happen
Whaling attacks work by fooling a company’s senior management. Attackers research their targets in depth before sending a single email or text message, and combine social engineering, email spoofing (forged sender addresses or lookalike domains) and content spoofing (copied branding and signatures) to create a convincing message.
They research both the person they intend to impersonate and the person they intend to deceive, mining social media and other public sources. They may also start with an ordinary phishing attack to gain access to a lower-level employee’s computer, then use that foothold to reach HR records and learn who the key players are and what their email addresses look like.
Once they have what they need, they craft a believable message. Some attackers go as far as physical social engineering, for example spending time in a coffee shop that the company’s employees frequent. The aim is to gather as much information as possible about one specific person or small group of people.
Warning Signs of a Whaling Attempt
A whaling attack is hard to spot because the attacker invests time in research and then crafts a message that looks legitimate. Here are some red flags to watch out for:
1. Suspicious sender address: Check the email address carefully. It may look correct at first glance but contain subtle differences: attackers replace the letter ‘m’ with ‘rn’, the letter ‘w’ with ‘vv’, or a lowercase ‘l’ with a capital ‘I’ or the digit ‘1’, and register a lookalike domain accordingly. The display name can be exactly right while the address underneath it is not.
2. Unusual requests: Be very cautious when you receive sudden instructions to transfer funds, change payment details or share login credentials. The sender may not be your colleague at all, but an impostor using a lookalike or compromised account in their name.
3. Urgency or pressure: Fraudulent messages often create time pressure or warn of negative consequences so that the victim acts before thinking, and they frequently ask for discretion so that nobody else is consulted.
4. Tone and context mismatch: The writing style may not match your colleague’s, or the request is out of character for that sender, for example a CEO asking a finance clerk directly for a wire rather than going through the normal approval chain.
Even careful leaders miss these clues when rushing through tasks. Pause and verify the sender through a second channel, such as a phone number you already have on file (not one supplied in the message), before taking any requested action.
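The first and fourth red flags above can be checked mechanically. The following is an added example, not code from the original article or from any product it mentions: it maps a sender domain to a ‘skeleton’ in which confusable sequences (‘rn’ for ‘m’, ‘vv’ for ‘w’, ‘1’/‘I’ for ‘l’) collapse to one form, catches one-character typosquats with an edit-distance check, flags Punycode (non-ASCII) labels, and compares the display name against a directory of known executives and the Reply-To domain against the From domain. The trusted domain example.com, the executive directory and the sample headers are constructed for illustration.

```python
"""Sender-address red-flag checks (added example; sample data is constructed)."""
from __future__ import annotations
from email.utils import parseaddr
from typing import Optional

# Sequences that render almost identically in many fonts, so attackers swap
# them when registering a lookalike domain. Both the candidate and the trusted
# domain go through the same table, so 'exarnple.com' == 'example.com'.
CONFUSABLES = [
    ("rn", "m"),   # r + n looks like m
    ("vv", "w"),   # v + v looks like w
    ("0", "o"),    # digit zero vs letter o
    ("1", "l"),    # digit one vs lowercase L
    ("i", "l"),    # after lowercasing, capital I and lowercase l collide
]


def skeleton(domain: str) -> str:
    """Canonical form of a domain: lowercase, no trailing dot, every
    confusable sequence collapsed to one representative."""
    d = domain.lower().rstrip(".")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches one-character typosquats such as
    'examplle.com' that the skeleton check does not."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def has_encoded_label(domain: str) -> bool:
    """True if any label needs Punycode (contains non-ASCII), i.e. the domain
    may be a Unicode homograph such as a Cyrillic 'a' inside a Latin name."""
    try:
        wire = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return True  # cannot even be encoded for DNS: treat as hostile
    return any(label.startswith("xn--") for label in wire.split("."))


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def sender_flags(header_from: str, reply_to: Optional[str],
                 trusted: set[str], executives: dict[str, str]) -> list[str]:
    """Return the red flags raised by a From header (and optional Reply-To).
    `executives` maps lowercase display name -> the address it should use."""
    flags = []
    name, addr = parseaddr(header_from)
    domain = domain_of(addr)
    internal = any(domain == t or domain.endswith("." + t) for t in trusted)

    if not internal:
        for t in trusted:
            if skeleton(domain) == skeleton(t):
                flags.append(f"lookalike domain {domain!r} mimics {t!r}")
            elif levenshtein(domain, t) <= 1:
                flags.append(f"near-miss domain {domain!r} is one edit from {t!r}")
        if has_encoded_label(domain):
            flags.append(f"domain {domain!r} contains non-ASCII characters")

    expected = executives.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append(f"display name {name!r} belongs to {expected}, not {addr}")

    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if domain_of(reply_addr) != domain:
            flags.append(f"Reply-To goes to {domain_of(reply_addr)!r}, not {domain!r}")
    return flags


def demo() -> dict[str, list[str]]:
    """Run the checks over constructed sample headers (not real mail)."""
    trusted = {"example.com"}
    executives = {"jane doe": "jane.doe@example.com"}
    samples = {
        "genuine":   ("Jane Doe <jane.doe@example.com>", None),
        "rn_for_m":  ("Jane Doe <jane.doe@exarnple.com>", None),
        "typosquat": ("Jane Doe <jane.doe@examplle.com>", None),
        "homograph": ("Jane Doe <jane.doe@ex\u0430mple.com>", None),  # Cyrillic a
        "freemail":  ("Jane Doe <jane.doe.ceo@gmail.com>", None),
        "reply_to":  ("Jane Doe <jane.doe@example.com>", "Jane Doe <jd-finance@outlook.com>"),
    }
    return {k: sender_flags(f, r, trusted, executives) for k, (f, r) in samples.items()}


if __name__ == "__main__":
    for case, flags in demo().items():
        print(f"{case:10} {flags or 'no flags'}")
```

The two domain checks are complementary: ‘exarnple.com’ is two edits away from ‘example.com’ and only the skeleton catches it, while ‘examplle.com’ has no confusable sequence and only the edit-distance check does. In a real gateway the directory of executives and their addresses would come from the identity provider, and the trusted set should also include the organization’s secondary domains.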
Real Cases of Whaling Attacks
There have been many cases in which CEO fraud emails led to heavy financial losses. A few examples give a sense of how damaging these attacks are:
Levitas Capital:
In 2020, this Australian hedge fund lost $8.1 million AUD after a co-founder clicked a fake Zoom invitation. Malware installed through that link gave the attackers access to the firm’s email, and they then impersonated Levitas executives to have fraudulent payments sent to accounts they controlled.
Natura & Co:
In 2021, the Brazilian cosmetics company lost around $14.6 million when an attacker impersonating a senior executive instructed the finance department to transfer money to a Hong Kong account.
Crelan Bank:
In 2016, the Belgian bank fell victim to a large-scale whaling attack. An attacker posing as the bank’s CEO tricked employees into transferring approximately $75 million (about €70 million) to fraudulent accounts.
Why Top Executives Become Targets
C-level executives are prime targets because they have far broader access to internal data, systems and money than the average employee. An attacker will invest the extra time needed to profile a top executive because the potential payoff is so much greater.
Consider what impersonating a senior HR executive could yield: the payroll and banking details of the entire workforce. A CFO who falls for the ruse can set a transfer of millions of dollars in motion. These are not hypothetical scenarios; cases like these have happened and will keep happening while organizations ignore executive-level cyber threats.
How to Prevent Whaling Attacks
Tools exist that help prevent whaling attacks, but they are the second line of defense. The first line is awareness among employees, including C-level executives, and consistent security habits around approving payments and sharing data. Here are practical steps an organization can take:
1. Use trusted email security tools: Enable email filtering, and publish and enforce the domain authentication protocols SPF, DKIM and DMARC. With a DMARC policy of p=quarantine or p=reject, receiving mail servers will quarantine or drop messages that claim to come from your domain but fail authentication. Be clear about their limits, though: they stop exact spoofing of your own domain, not mail from a lookalike domain the attacker registered, from a free webmail account carrying an executive’s display name, or from a genuine account that has been compromised. Filtering should therefore also flag external senders, newly registered and lookalike domains, and display-name impersonation of your executives.
2. Train employees regularly: Run short, targeted awareness sessions for executives and finance teams. Simulated phishing drills help everyone practise recognizing suspicious messages and reacting correctly (reporting them rather than replying).
3. Verify before acting: Confirm the sender’s identity through a second channel before initiating any fund transfer, changing payment details or sharing credentials, and require dual approval for large or unusual payments so that no single person, however senior, can authorize one alone.
When these habits become a part of your organization, you will see a significant drop in successful whaling attacks.
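To make the limits of step 1 concrete, here is an added example (not code from the article or from any vendor) of the decision a receiving mail server makes under DMARC: it parses the published policy record, tests whether the SPF and DKIM identifiers align with the From domain (strict or relaxed mode), and returns the disposition. The scenarios show that an enforcing policy blocks an exact spoof, p=none merely reports, and both a compromised genuine mailbox and an attacker-controlled lookalike domain pass. All domain names, records and authentication results are constructed; the organizational-domain shortcut (last two labels) is an assumption that real receivers replace with the Public Suffix List.

```python
"""DMARC disposition logic (added example; records and results are constructed)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


def parse_dmarc(txt: str) -> dict[str, str]:
    """Parse 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels. This is an
    assumption to keep the example self-contained; it is wrong for multi-part
    public suffixes such as example.co.uk, where the PSL must be consulted."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    """What the receiving server already established before DMARC runs."""
    spf_result: str    # 'pass', 'fail', 'softfail', 'none', ...
    spf_domain: str    # MAIL FROM (Return-Path) domain that SPF was checked against
    dkim_result: str
    dkim_domain: str   # d= tag of the signature that verified, or '' if none did


def dmarc_disposition(from_domain: str, dmarc_txt: Optional[str], r: AuthResults) -> str:
    """Return 'pass', 'quarantine', 'reject', or 'none' (nothing enforced)."""
    if dmarc_txt is None:
        return "none"                       # no record published: nothing to enforce
    tags = parse_dmarc(dmarc_txt)
    if tags.get("v") != "DMARC1":
        return "none"
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"                       # either aligned identifier is enough
    # pct= sampling and sp= subdomain policy are ignored here for brevity.
    return tags.get("p", "none")


def demo() -> dict[str, str]:
    """Constructed scenarios for a company whose mail domain is example.com."""
    enforcing = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    monitoring = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
    spoof = AuthResults("fail", "example.com", "none", "")        # attacker's server, no signature
    genuine = AuthResults("pass", "example.com", "pass", "example.com")
    lookalike = AuthResults("pass", "exarnple.com", "pass", "exarnple.com")
    vendor = AuthResults("pass", "bounce.mailvendor.net", "pass", "mailvendor.net")
    return {
        # Exact spoof of the CFO's domain: blocked only when the policy enforces.
        "spoof_vs_reject": dmarc_disposition("example.com", enforcing, spoof),
        "spoof_vs_none": dmarc_disposition("example.com", monitoring, spoof),
        # Mail from a compromised genuine mailbox passes: DMARC checks origin, not intent.
        "compromised_account": dmarc_disposition("example.com", enforcing, genuine),
        # Lookalike domain with SPF/DKIM/DMARC set up by the attacker: passes too.
        "lookalike_domain": dmarc_disposition("exarnple.com", "v=DMARC1; p=reject", lookalike),
        # Legitimate bulk sender signing with its own domain fails strict alignment.
        "vendor_strict": dmarc_disposition(
            "example.com", "v=DMARC1; p=quarantine; adkim=s; aspf=s", vendor),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:20} -> {result}")
```

The last scenario is the usual reason organizations stay on p=none for years: third-party senders that are not aligned get quarantined once the policy is tightened. Fix the senders (custom DKIM keys and return-path on your domain) and then move to enforcement, because p=none gives you reports but delivers the spoof.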
What to Do After a Whaling Attack
Even with the best security measures in place, a whaling attack can still succeed. What matters then is how quickly you respond and contain the damage. Here are the steps to follow in the event of a whaling attack:
1. Act Immediately: If money has been transferred, contact your bank or payment provider at once to freeze or recall the transaction; the chance of recovery falls with every hour. Inform your IT/security team right away so they can contain the threat. Do not delete the suspicious email: with its full headers it is your most important piece of evidence.
2. Secure Compromised Accounts: Reset the passwords of every account linked to the attack and revoke active sessions so the attacker is logged out of all devices. Enable multi-factor authentication if it was not already on. Check mailboxes for forwarding rules, newly created inbox rules, delegated access and other signs of unauthorized mailbox access; attackers use these to keep reading mail after the password changes.
3. Contain and Investigate the Incident: Identify the systems involved and isolate the affected ones to prevent further spread. Collect relevant evidence, such as sender details, timestamps and full message headers, for analysis. Bring in a professional cybersecurity team to establish how the breach occurred.
4. Notify Key Stakeholders: Inform the organization’s key stakeholders so that the incident response plan can be followed. If personal data was exposed, comply with the breach notification laws that apply in your region.
5. Review & Learn: Conduct a post-incident review to find the security gaps that allowed the attack, and tighten policies, especially in payment approval workflows and executive email security. Fold the details of the attack and the steps taken into awareness training.
6. Strengthen Your Security: Update your whaling prevention measures so the same attack cannot succeed again. Reassure employees and customers that appropriate action has been taken.
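Step 2 above is where most investigations find the attacker’s foothold: an inbox rule that quietly forwards or hides payment-related mail. The following added example (not code from the article or from any mail platform) triages an exported rule list for those patterns: forwarding to an external domain, filtering on finance or credential keywords, hiding matches by deleting them or moving them to a rarely viewed folder, and the one-character rule names attackers favour. The rule format is a constructed, simplified shape; real exports from Exchange Online or Google Workspace use different field names and need a small mapping step first.

```python
"""Inbox-rule triage for a mailbox suspected of compromise (added example; data is constructed)."""
from __future__ import annotations

# Terms an attacker filters on to intercept or suppress payment traffic.
FINANCE_TERMS = {"invoice", "wire", "payment", "bank", "remittance", "transfer", "password", "mfa"}
# Folders where hidden mail is commonly parked because nobody looks there.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "archive",
                  "deleted items", "conversation history"}


def is_external(address: str, internal_domains: set[str]) -> bool:
    domain = address.rpartition("@")[2].lower()
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def rule_findings(rule: dict, internal_domains: set[str]) -> list[str]:
    """Return the reasons a single rule looks like attacker persistence."""
    findings = []
    if not rule.get("enabled", True):
        return findings                     # disabled rules are left out of this first pass
    name = (rule.get("name") or "").strip()
    conds = rule.get("conditions", {})
    acts = rule.get("actions", {})

    external = [a for a in acts.get("forward_to", []) if is_external(a, internal_domains)]
    if external:
        findings.append(f"forwards to external address(es): {', '.join(external)}")

    text = " ".join(conds.get("subject_contains", []) + conds.get("body_contains", [])).lower()
    hits = sorted(t for t in FINANCE_TERMS if t in text)
    if hits:
        findings.append(f"matches finance/credential keywords: {', '.join(hits)}")

    hides = bool(acts.get("delete")) or (acts.get("move_to_folder") or "").lower() in HIDING_FOLDERS
    if hides and (external or hits or acts.get("mark_as_read")):
        findings.append("hides matching mail (delete or move to a rarely viewed folder)")

    if len(name) <= 1:
        findings.append(f"unobtrusive rule name {name!r}")
    return findings


def triage(rules: list[dict], internal_domains: set[str]) -> dict[str, list[str]]:
    """Map rule name -> findings for every rule that raised at least one."""
    out = {}
    for rule in rules:
        f = rule_findings(rule, internal_domains)
        if f:
            out[rule.get("name", "")] = f
    return out


# Constructed sample export for a CFO mailbox (not real data).
SAMPLE_RULES = [
    {"name": "Newsletters", "enabled": True,
     "conditions": {"sender_contains": ["news@"]},
     "actions": {"move_to_folder": "Reading"}},
    {"name": ".", "enabled": True,
     "conditions": {"subject_contains": ["invoice", "wire transfer", "payment"]},
     "actions": {"forward_to": ["cfo.backup.mail@outlook.com"], "delete": True}},
    {"name": "Mark read", "enabled": True,
     "conditions": {"body_contains": ["bank details", "remittance"]},
     "actions": {"move_to_folder": "RSS Subscriptions", "mark_as_read": True}},
    {"name": "Old forward", "enabled": False,
     "conditions": {}, "actions": {"forward_to": ["someone@gmail.com"]}},
]


def demo() -> dict[str, list[str]]:
    return triage(SAMPLE_RULES, {"example.com"})


if __name__ == "__main__":
    for rule_name, findings in demo().items():
        print(f"rule {rule_name!r}:")
        for finding in findings:
            print("   -", finding)
```

Run this against every mailbox the attacker could have touched, not only the executive’s: the finance clerk who received the fraudulent instruction is just as likely to carry a rule. Disabled rules are skipped here for brevity, but an attacker who has finished may disable rather than delete them, so a second pass over disabled rules is worthwhile in a real investigation.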
New Methods Attackers Are Using
Attackers are increasingly using artificial intelligence (AI) to make whaling attacks more convincing. Here are some newer techniques that are harder to spot:
1. Generative tools that copy the writing style of a specific C-level executive, producing natural-sounding messages without the spelling and grammar slips that used to give phishing away.
2. Deepfake voice and video that clone the voice or appearance of a CEO or CFO, for example on a phone or video call that ‘confirms’ an emailed request.
3. Coordinated use of several channels, such as email, SMS and phone calls, in one attack. Some attackers follow up with real-world contact, for example a phone call, to build trust and urgency.
4. Corporate chat platforms such as Slack and Teams, used to impersonate colleagues or schedule ‘urgent’ meetings.
5. A whaling attack can also serve as an entry point: once inside, attackers look for further weaknesses in the system that they can exploit for greater damage.
Conclusion
Executive-level cyber threats rise every year. Whaling attacks are time-consuming, but attackers persist with them because a single success can yield millions of dollars or equally valuable sensitive information. To stop these attacks, companies need to strengthen their security measures, enable multi-factor authentication (MFA), and run training programs that teach employees, executives included, about current cyber threats. SafeAeon provides tools and training to prevent and stop whaling attacks. Get in touch with our experts to learn how to stay protected against whaling and other targeted attacks.