A whaling attack is essentially a spear-phishing attack aimed at a bigger target, hence "whale phishing". Where a spear-phishing campaign may target any individual, a whaling attack is more specific about the type of person it goes after: one particular senior executive or influential figure rather than a broader pool of potential victims.
Cybercriminals use whaling attacks to impersonate senior management in an organization, such as the CEO, CFO, or other executives, hoping to leverage their authority to gain access to sensitive data or money. They use the intelligence they find on the internet (and often social media) to trick employees – or another whale – into replying with financial or personal data.
These attackers rely on the authority and influence of the whale to discourage people from scrutinizing or questioning the fraudulent request. When employees don't look closely at the sender address or the website and simply follow directions, the criminals make out like bandits.
Whaling attack statistics
The FBI reported that companies lost nearly $215 million in 2014 as a result of phishing attacks. In 2016, the Verizon DBIR reported 61 phishing attacks targeting finance teams. That number rose to 170 in 2017, an increase of almost 180% in a single year.
How do whaling attacks work and why are they successful?
Whaling attacks demand more research and planning than standard phishing or spear-phishing. To impersonate a high-value target convincingly, the attacker has to learn how that person writes and communicates, find a way to approach the intended victim, and work out what information or payment the victim can be talked into handing over.
Cybercriminals study social media and public company information to build a profile of the target and a plan of attack. They may also use malware and rootkits to get into the network and take over the executive's real mailbox: an email that genuinely comes from the CEO's account passes the sender-authentication checks (SPF, DKIM, DMARC) and the external-sender flags that a spoofed address would trip, so it is far more effective than a look-alike account. Adding details that make the request appear to come from a trusted business partner makes it better still.
Email is by far the most common phishing vector, whaling included: 98% of all phishing attacks use email. In the past, phishing emails relied on malicious links or attachments; more recently, successful whaling attacks have made a single plausible request in plain text, with no payload for a mail filter to catch.
Whaling attack examples
In 2016, an employee at Snapchat disclosed all of the company's payroll data to a scammer after promptly answering an email that appeared to come from the CEO. HR and payroll teams are frequent whaling targets because they hold sensitive personal data.
In another whaling attack, an employee at a commodities firm wired $17.2 million in several installments to a bank in China, as requested by emails that appeared to come from the CEO. The company was planning to expand into China at the time, so the request seemed plausible enough.
In both incidents the victim neither recognized the whaling attempt nor asked questions to validate the request. It's critical to train executives and staff to be vigilant and on alert for any phishing scam.
Tips for avoiding a whaling attack
Avoiding a whaling attack uses the same tactics as avoiding a standard phishing attack; the difference is the value of the target, and therefore the stakes.
- Educate employees about whaling attacks and how to recognize phishing emails.
- Train employees and executives to think with a security mindset and to ask questions whenever a request is unusual.
- Check the actual sender and Reply-To addresses, not just the display name, and confirm they match the person's known address; look-alike domains are a common trick.
- Call to confirm unusual or urgent requests, using a phone number you already have on file rather than one supplied in the email.
- Flag all email that originates outside the organization (an external-sender banner, for example) so that messages claiming to come from an insider stand out.
- Discuss use of social media with the executive team as it relates to whale phishing:
  - Social media is a goldmine of information cybercriminals can use in their whale phishing scams.
  - Security experts recommend that executives enable privacy restrictions on their personal social media accounts to reduce the exposure of details that can be used in a social engineering scam.
- Establish a multi-step verification process for internal and external requests for sensitive data or wire transfers, so that no single email can authorize either.
- Enforce data protection and data security policies: monitor file and email activity to alert on suspicious behavior, and implement layered security to protect your company against whaling and every other kind of phishing.
Want to learn more? Find out how Varonis can help you prevent and defend against whaling attacks – and protect your data and your money from being stolen.