What you and the executives in your organization need to know.

What is Whaling?  

It is a form of phishing targeted at high-level executives or other influential individuals in an organization, often those in the C-suite (CEO, CFO, CIO, etc.). Whaling is also known as CEO fraud, executive phishing, or C-level scams.   

How does it work?  

A whaling attack can happen quickly, but it is often executed over weeks or even months. Why? The attacker’s goal is to establish genuine trust with the target. Moving the attack to the next level too quickly can raise suspicion. Cybercriminals develop that trust by impersonating an associate of the victims. Once trust has been established, the target may have no problem handing over sensitive information or authorizing transactions. Whaling attacks are particularly damaging because of the high level of authority and access these targets possess.  

What are attackers trying to achieve?  

The attacker aims to gain financial gain, access sensitive data, or coerce the organization into taking specific action.   

  • Financial gain: Attackers attempt to trick executives or finance departments into authorizing fraudulent wire transfers, diverting funds to accounts controlled by the attackers.  
  • Data theft: Whalers may also steal sensitive data, such as intellectual property, financial records, or employee and customer information.  
  • Business disruption: Some whaling attacks aim to disrupt business operations by spreading malware or ransomware within the organization’s network.  
  • Identity theft: Whaling may involve identity theft, in which attackers impersonate high-profile individuals within the organization to gain unauthorized access to systems or resources.  
  • Reputation damage: Like any attack, whaling can damage the targeted organization’s reputation, particularly if sensitive information or internal communications are leaked.  

What are the types of whaling attacks?  

 Email spoofing

Threat actors will fake the email address of a trusted source, such as a company executive or business partner. By impersonating someone with authority or influence, they increase their likelihood of tricking the target into complying with their request.  

 Business email compromise (BEC)  

BEC attacks compromise legitimate business email accounts to carry out cyberattacks. Attackers gain access to an executive’s email account and use it to send messages to others asking them to transfer funds or disclose sensitive information.  

Vendor email compromise (VEC)  

VEC attacks are like BEC attacks, except that vendors/suppliers are impersonated. Attackers send the executive fraudulent invoices or payment change requests to redirect payments to their accounts.  

 Credential theft  

Attackers will use phishing-targeted emails to get high-profile targets to give away their login credentials or other sensitive information.  

 Payroll fraud  

Once they can access senior executives’ or high-level employees’ email credentials, attackers will ask the payroll or finance department to change the direct deposit information, requesting that their paycheck be sent to a fraudulent account.  

How should your organization respond if one of your executives has been a victim of a whaling attack?  

  Follow your organization’s incident response plan, including taking the following actions:  

  • Contact your IT department immediately. They will triage the incident to identify the potential impact and range of the attack, starting with, 
    • How much was the direct monetary loss? 
    • Has there been or could there be potential data breaches?
    • To what degree is there reputational damage to your organization? 
    • Take your computer offline or delete your email account to avoid spreading phishing links to your contact lists. 
    • Using another device, you should change all your passwords for the compromised accounts and those that use the same or similar passwords. 
  • Immediately contact the bank(s) where the organization’s assets are held and the executives’ private bank. 
    • Inform them of the possible transfer and provide any other payment details if applicable.
    • Ask for their intervention in preventing the transfer of funds.
  •  Contact the organization’s legal team.
    • Inform them of all the facts related to the incident. 
  • Contact law enforcement.
    • They may be able to freeze and return an organization’s stolen funds.
    • File a complaint with the FTC and the FBI’s Internet Crime Complaint Center.
  • Brief the Board and senior management. 
    • Call an emergency meeting to discuss the incident and further actions needed.
  • Report the incident to the organization’s cyber-insurance company.