Whale Phishing: What Is a Whaling Attack?

Javed Shah

Whale phishing attacks can deplete an organization of millions and destroy reputations. Is your company protected from these attacks?

What is whale phishing? Whale phishing is a spear phishing attack that targets senior executives by sending fraudulent emails or calls that encourage the recipient to take action. These actions usually lead to the hacker receiving sensitive data, money, or network access.

What Is Phishing?

Phishing is a form of social engineering where a hacker uses some form of communication, whether an email, SMS message, website, or something similar, to trick users into turning over credentials or information. This information is typically used to allow the hacker access into critical systems.

There are several channels through which phishing attacks can occur:

  • Email: One of the most common forms of phishing is via email. A hacker will send an email message that either presents itself as coming from someone inside the organization or as originating from a legitimate company, asking the reader to provide information like a username and password.

Sometimes, these emails will direct users to phishing websites where they can steal such information directly.

  • SMS: With the ubiquity of SMS texting, fraudsters use the technology to send links while pretending to be reputable companies or offering prizes. Victims clicking the links will often follow a similar path as those targeted by email.
  • Wi-Fi Hot Spot Phishing: People often connect to Wi-Fi at remote locations, like coffee shops or other businesses, to use internet service through laptops, tablets, or mobile devices. Hackers can open Wi-Fi hot spots that look legitimate, enticing users to connect to those hot spots. Once connected, the hacker can scan all traffic (including confidential information).

Email and SMS phishing are the most common forms of attack due to our overwhelming reliance on these technologies. According to a 2021 IRONSCALES security survey, security professionals report spending a full one-third of their time addressing phishing attacks, and 90% list phishing attacks as their top concern.

How Are Spear Phishing and Whale Phishing Different?

Phishing attacks are usually most successful when the hackers can send a large volume of emails or texts to victims. While many users do not actually engage with the message, it only takes one or two successes to undermine system security completely.

A blanket approach to phishing might limit the kinds of information that an attacker can hope to steal. While low-level employees can provide access to hackers, they may only have appropriately limited access—a situation that isn’t necessarily useful for that hacker.

Hackers adjust their phishing attacks to mix up strategies and steal more sensitive information to focus on more prime targets. They do this through two different, related approaches:

  • Spear Phishing: Spear phishing, as the metaphor suggests, involves using more focused attacks to steal information. The hacker will identify high-profile targets in the organization, ranging from specialists and managers to employees working on specific projects. They’ll study their target, find information to help them trick that target, and launch one or several phishing attacks.

Spear phishing attacks are usually more sophisticated, relying on carefully crafted tricks rather than sheer numbers to succeed.

  • Whale Phishing: Whale phishing, or simply whaling or CEO fraud, is a form of spear phishing in which the hacker targets a “whale,” usually an executive.

Whaling essentially seeks to compromise the largest targets in an organization. While extremely difficult to fool individually, these whales will provide the highest levels of system access that can undermine an entire company’s infrastructure.

Why Would Hackers Attempt Whale Phishing Attacks?

Typically, most users think they are too smart to fall for phishing attacks. And, when it comes to widespread attacks targeting thousands of people, they are usually right. The strength of these low-level attacks is that they can be deployed quickly and cheaply. Even if they are less than convincing, they can be successful so long as one or two people out of thousands fall for it.

Whaling does not have the benefit of numbers. Instead, whale phishing attacks must rely on crafted tricks to trap their quarry. Furthermore, many people think that executives, the pinnacle of large enterprises, would be way too smart to fall for such attacks.

This, however, is not the case. Executives are often more likely to fall for a phishing attack because they don’t expect them. The sophistication of such attacks take advantage of the fact that executives are often simply not looking for such threats.

And, of course, the rewards for a successful whaling attack are significant. Not only will the hacker potentially receive credentials for company systems, but they can also leverage services like the executive’s business email to trick other executives into releasing information or transferring money.

What Are Examples of Whale Phishing?

While there are several examples of generic whale phishing, whaling attacks are usually high profile due to the damage they cause.

Some relatively well-known cases of whale phishing include the following:

  • Mattel, Inc. nearly lost $3 million when a finance executive was tricked into transferring the funds into a fake offshore account due to a phishing attack.
  • Ubiquiti Networks nearly lost $50 million when someone in finance transferred the money to fake vendors. The company was able to recover $8 million.
  • Australian aerospace company FACC suffered $55.8 million in losses when their chief executive officer fell for an unspecified phishing attack. He was later fired due to the loss.
  • Hedge fund Levitas suffered $800,000 in losses from an attempted $8.7 million theft when a co-founder followed a fraudulent Zoom link.

These attacks aren’t traditional spam emails. They are usually backed with convincing information, unique vectors of attack and, in many cases, fake company credentials.

Prevention is, at best, spotty. These attacks are often made to circumvent traditional security and target people themselves, which means that the best way to stop them is to train everyone on how to see the warning signs.

Mitigate Phishing Attack Vectors with 1Kosmos BlockID

No one can completely eliminate phishing attacks. However, enterprises can implement strict authentication and identity verification to make complex phishing attacks harder to pull off. With strong biometric authentication, identity verification, and passwordless security, companies can require everyone from entry-level employees to executives to follow best security practices..

1Kosmos BlockID includes the following features:

  • Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
  • Identity-Based Authentication Orchestration: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
  • Integration with Secure MFA: BlockID readily integrates with a standard-based API to operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.
  • Privacy by Design: 1Kosmos protects personally identifiable information in a private blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification.

To learn more about the 1Kosmos solution, read our whitepaper about how to Go Beyond Passwordless Solutions. Also, sign up for the 1Kosmos email newsletter to stay informed on news and product releases.

FIDO2 Authentication with 1Kosmos
Read More
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.