Whaling phishing is a particularly crafty type of phishing attack where the cyber criminal goes after big game, usually someone with great financial means or reputation, with the end goal of stealing their money, their work or even their identity. In some cases, the cyber criminals behind whale phishing attacks might be out to destroy someone’s professional reputation, or to blackmail them. In other words, becoming the victim of a whaling attack is an experience we should all strive to avoid.
This article was written with the aim of teaching you everything you need to know about whaling phishing attacks – what they are, why they happen, how they happen, and most importantly how to prevent them, as well as how to deal with a whaling attack if you become the target of one.
If this sounds good to you, then keep on reading.
How and why phishing scammers attack
Anyone in possession of a mobile phone or an email account has probably been on the receiving end of a fair few phishing attacks. All phishing attacks have one thing in common: The cyber criminals perpetrating them are trying to get their victim to divulge their sensitive information – this could be login credentials, bank account numbers, social security numbers and other identifying data – all so that the criminals can abuse this data in order to hack into the victim’s bank accounts, social media accounts and so on.
Phishing scammers are usually after one thing: Money. But sometimes they can be after a victim’s social media accounts, email communications, or even their identity.
Email phishing is the original form of phishing, wherein the scammer makes contact with the intended victim via emails.
Some phishing emails are badly executed and easy to spot – for example, they may be rife with spelling mistakes and might come from a fake email address, while others are much more sophisticated, i.e. well written and using the right corporate logos of the organisation they pretend to represent.
In most scenarios, the scammer will attempt to pass themselves off as an authority figure in order to get their intended victim to comply with their demands. The scam email will use social engineering techniques to get the victim to act quickly and click on malicious links within the scam email. A malicious link will always be disguised as a legitimate request but will take the victim to a fraudulent website where they may put in sensitive data that the scammers can then take and use as they please.
The most common form of phishing attack is called wardialling. Here, the scammers send out thousands of automated voice communications to individual phone numbers that they have harvested, hoping to convince some of their potential victims to call them back and get on the line with them.
To entice the prospective victim to take immediate action by divulging their personal information as quickly as possible, the cyber criminal behind the automated voice recording might pretend to be a representative of a banking society, a government agency or some other trustworthy organisation or institution.
Spear phishing and whaling phishing attacks
Spear phishing attacks and whaling phishing attacks – now we are getting to the deeper, darker end of phishing. Of course, all phishing attacks serve malicious purposes, but spear phishing and whaling phishing are even more disturbing than standard phishing attacks because they target specific individuals, rather than taking a scattergun approach.
Spear phishing and whale phishing attacks are variations on the same theme, namely targeted attacks wherein cyber criminals specifically profile and target chosen individuals, rather than blindly emailing or calling thousands of random people. Because wardialling calls and phishing emails are sent out to thousands of potential victims, they are often sloppily executed – they may, for example, contain spelling mistakes or obviously fake logos that make them easy to spot.
By contrast, spear phishing and whaling phishing attackers take their time to slowly gather the data they need to pull off a successful phishing scam. In other words, a spear phishing attack is always done with much more deliberation and care than a regular run-of-the-mill phishing attack, and it can build up over a shockingly long period of time. In some cases, cyber criminals may spend months or even years collecting your sensitive information in numerous ways until they are ready to strike.
Are you being profiled for a whaling attack at this very moment?
Whaling differs from other types of phishing because the attackers specifically identify lucrative targets to go after. If you are a senior executive at a large company or corporation, have your own successful business or are well known, you may be a prime target for a whaling campaign. In fact, malicious actors might be tracking and profiling your sensitive information at this very moment while preparing to launch a grand whale phishing attack on you.
Whaling scammers are usually much more experienced and skilled at what they do than regular phishing scammers. While they use many of the same methods to target you, they do it much more convincingly.
Whaling emails, which often target C-level executives, frequently contain personal information about the targeted individual or organisation that an outsider is unlikely to know. This gives the whaling emails an instant aura of credibility.
Much like other forms of phishing attacks, whaling emails seek to instil a sense of urgency to get the victim to act fast, without first stopping to think. Unlike regular phishing emails, however, whaling emails tend to be written with a thorough understanding of business jargon and inside knowledge, which makes them seem incredibly authentic.
New developments in whaling
Just a few short years ago, whaling emails were not much different or harder to spot than regular phishing emails. However, constant technological advances have not only benefited those of us who are trying to make an honest living or build a business, but also the bad actors who are now leveraging and abusing technology to launch sophisticated attacks on their victims.
Not only have whaling scammers become much more well-versed in business jargon, they have also gained the ability to spoof email addresses to make it seem as though their email communications with you are coming from a legitimate and trustworthy source. More often than not, whaling attack emails will exploit existing or developing business contacts and relationships. A successful whaling attack will often combine cyber and non-cyber fraud techniques in order to lull the victim into trusting the attacker.
One example of how such a whaling phishing attack can work is that the victim receives an email, which is then followed up by a phone call. The phone call serves the two-pronged purpose of confirming the fraudulent request put forth in the email and instilling a sense of trust in the intended victim. After all, if you have just had a professional conversation with someone on the phone, they are not a scammer – right?
Another form of whaling phishing attack that is on the rise is attacks on supply chains. A typical whaling attack on a supply chain involves the scammer gaining access to the target organisation’s sensitive information via the network of a supplier or partner organisation. The scammer then constructs a string of email attacks, masquerading as that trusted supplier or partner organisation.
Yet another form of whaling email attack makes it seem as though the victim is receiving emails from an existing and therefore trusted colleague or business partner. This form of whaling phishing attack is made possible when a spoofed email address is created, or when company employees’ real work email addresses are compromised, for example in a data leak.
Needless to say, an email containing an urgent request for you to submit missing payroll information or to make a wire transfer can seem very convincing when it appears to come from the finance department of the company or organisation you work for.
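The indicators this section describes (a spoofed or lookalike sender domain, replies quietly diverted to another address, failed email authentication, and an urgent request for a wire transfer or payroll data arriving "from finance") can be checked mechanically before anyone acts on such a message. The following Python script is an added example written for this article's topic; it is not code from the article or from any product mentioned on the page. The trusted-domain list, the Authentication-Results header (assumed to be added by an upstream mail gateway), and both sample messages are constructed assumptions.

```python
"""Header and body triage for suspected whaling (BEC-style) emails.

Example code added to illustrate the indicators discussed above; it is not
from the original article. Assumptions: messages arrive as raw RFC 5322 text,
the organisation maintains a list of trusted domains, and an upstream mail
gateway has already added an Authentication-Results header.
"""
import email
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr
from typing import List, Optional, Set

# Assumed: domains the organisation and its partners legitimately send from.
TRUSTED_DOMAINS = {"example-corp.com", "partner-supplies.com"}

# Phrases typical of the urgent financial requests the article describes.
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "today")
REQUEST_TERMS = ("wire transfer", "payroll", "bank details", "gift card", "invoice")

# Constructed sample: a spoofed "finance department" request with a lookalike
# domain (c0rp instead of corp), a third-party Reply-To and failed SPF/DMARC.
SAMPLE_WHALING_EMAIL = """\
From: "Finance Department" <accounts@example-c0rp.com>
Reply-To: accounts@mail-relay.example.net
To: ceo@example-corp.com
Subject: Urgent wire transfer before close of business
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-c0rp.com; dmarc=fail
Content-Type: text/plain; charset="utf-8"

Hi,

Please process this wire transfer today, the supplier is waiting.
Account details attached.
"""

# Constructed sample: an ordinary message from a trusted partner.
SAMPLE_LEGITIMATE_EMAIL = """\
From: "Anna Li" <anna.li@partner-supplies.com>
To: ceo@example-corp.com
Subject: Q3 catalogue
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Hi, attached is the new catalogue for your review. No rush.
"""


def domain_of(header_value) -> str:
    """Extract the lower-cased domain from an address header (or '' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def lookalike_of(domain: str, trusted: Set[str] = TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain that `domain` closely resembles, if `domain` is
    not itself trusted. A similarity ratio catches single-character swaps such
    as 'c0rp' for 'corp'."""
    if not domain or domain in trusted:
        return None
    best = max(sorted(trusted), key=lambda t: SequenceMatcher(None, domain, t).ratio())
    return best if SequenceMatcher(None, domain, best).ratio() >= 0.8 else None


def triage(raw_message: str, trusted: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return a list of human-readable indicators found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: List[str] = []

    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])

    # Replies silently diverted to another domain are a classic BEC sign.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # Sender domain imitates one the organisation trusts.
    near = lookalike_of(from_dom, trusted)
    if near:
        findings.append(f"sender domain {from_dom} resembles trusted domain {near}")

    # Authentication verdicts recorded by the gateway (assumed present).
    auth = str(msg["Authentication-Results"] or "").lower()
    for verdict in ("spf=fail", "dkim=fail", "dmarc=fail"):
        if verdict in auth:
            findings.append(f"authentication result: {verdict}")

    # Urgency combined with a money or payroll request in the body text.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(u in text for u in URGENCY_TERMS) and any(r in text for r in REQUEST_TERMS):
        findings.append("urgent financial request in body text")

    return findings


if __name__ == "__main__":
    for label, sample in (("whaling", SAMPLE_WHALING_EMAIL), ("legitimate", SAMPLE_LEGITIMATE_EMAIL)):
        print(f"{label}: {triage(sample) or ['no indicators']}")
```

Running the script flags five indicators on the constructed whaling message and none on the partner message. Each finding on its own is only a hint (a partner may legitimately use a different Reply-To, and a gateway may record spf=fail for a misconfigured but genuine sender), so the intended use is to route flagged messages to a second-channel check, such as phoning the known number of the person who supposedly sent the request, before any transfer is made.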
How to prevent whaling attacks
Whaling phishing attacks are the hardest phishing attacks to prevent. The cyber criminals behind whaling scams don’t shy away from exploiting existing trust structures and working relationships in order to get their victims to comply with their requests for information or wire transfers.
Fortunately, there are several things you can do to protect yourself, your business and your colleagues from becoming the victims of whaling attacks. It is important to note that prevention is much better than damage control, since whaling scammers and other phishing attackers can be very difficult for law enforcement to identify and track down.
- Get yourself a VPN. VPN stands for Virtual Private Network, and signing up with a well-known and highly rated VPN provider is the only way to make sure your online activities are not being tracked and that your personal information is not being harvested by scammers who may be targeting you for a whaling attack. A VPN connection encrypts your personally identifiable data every time you are browsing, emailing or doing anything online. Signing up with a reputable VPN provider and installing a VPN on all of your devices should be your first priority if you do not already have a VPN. Our top recommended VPN providers are ExpressVPN, CyberGhost and NordVPN.
- Phishing awareness training and support. Whether you run an organisation or work for yourself, you should learn as much as possible about phishing scammers and how they operate. This will help you spot and prevent a whaling phishing attack in the making. If you have employees, host training workshops to teach them to be aware of potential whaling attacks.
Whaling phishing attacks FAQ
What is whaling phishing?
Whaling phishing is a form of phishing where an important or wealthy individual or organisation is the specific target.
Whaling attacks can be very sophisticated and elaborate, with the cyber criminals sometimes taking years to collect data, gather email addresses and prepare for the right moment to strike. What makes whaling attacks much harder to spot and to avert than other forms of phishing attacks is that they exploit existing working relationships and trust structures in order to get the victim to quickly comply.
What is whaling and spear phishing?
Whaling and spear phishing are when a phishing scammer targets a specific individual or organisation, rather than taking a scattergun approach. Whaling phishing is the same as spear phishing, but where the proposed victim is being targeted for specific reasons, usually their bank balance.
What are 4 types of phishing?
Phishing attacks all use social engineering techniques to lure the intended victim to divulge personal information, and phishing can take several different forms.
The most common type of phishing is phishing emails, wherein a cyber criminal attempts to get you to click on links that will take you to fraudulent websites where you will be asked to enter your personal information and sensitive data, which may include your credit card details, your address and so on.
Another common form of phishing is wardialling, where the scammer sends out hundreds or even thousands of automated voice messages at once to random numbers they have collected. Just like phishing emails, phishing phone calls and automated messages try to get the victim to disclose personally identifying information that the scammer can then use and abuse as they see fit.
A related form of phishing is called smishing, and uses text messages instead of calls. Yet another type of phishing is malware phishing, where the scammer uses malware on the victim’s devices to harvest and steal their personal data.
Whaling attacks are no joke, but unfortunately the possibility that you or your business might be targeted in this way is part of the reality we live in.
While whaling attacks are much harder to prevent and to spot than the regular, run-of-the-mill phishing emails and smishing attempts most of us have encountered before, there are still things you can do to protect yourself, your colleagues and your business from falling victim to a whaling phishing scam.
The most important thing you can do is to get a high quality VPN installed on all of your devices (and on any devices used within your business). A VPN encrypts your data so that no one is able to track and steal it. A VPN can also protect your device from getting infected with malware, which cyber criminals may plant on your device and use to steal sensitive information.