How to Defend against Whaling Attacks
Email attacks have been on the rise in recent years, and not only are they growing in number, but they are also diversifying and evolving into ever-more sophisticated threats. Whaling is a specialized form of spear-phishing attack that exclusively targets high-level executives or managers within chosen organizations. Like nearly all phishing attempts, the aim of these efforts is usually to exfiltrate sensitive data, deposit a malicious payload on the recipient’s device, or persuade the user into transferring funds into a bank account controlled by the attacker.
Whaling vs. Phishing
Whaling is a strategic attack distinct from other cyber threats, such as general phishing or business email compromise (BEC) attacks. Phishing attempts are largely unsophisticated and can indiscriminately target numerous accounts all at once. Whaling differs in that it targets handpicked individuals in an organization. These targets are not just any employees, either; they are typically C-suite level executives and managers. Attackers focus on them because of their authority and level of access. This process involves tricking a C-suite executive into an action that results in them unwittingly handing over data or money to the attacker.
For example, the cybercriminal may pose as a vendor who urgently needs an invoice paid or convince the executive that they need to take certain actions to get a business deal completed. If successful, the target may end up sending funds or data directly to the attacker. Even if not, the victim could still provide them with information or access that brings them a step closer to carrying a successful attack.
Whaling vs. BEC
Like whaling, BEC attacks take aim at executives. But, in a BEC attack, the bad actor is mainly attempting to impersonate a high-ranking individual in order to deceive others (such as lower-ranking employees) in a company. Cybercriminals who employ whale phishing as their preferred method of attack tend to focus on tricking the executive rather than impersonating them.
In either case, the cybercriminals almost always need to conduct thorough research on their intended victim. In some BEC situations, they will usually start by compromising the executive's email account. After that, the preferred strategy is to remain unnoticed while collecting as much information as possible. From the vantage point of a C-suite executive's email, a bad actor can learn a lot about company procedures, who the executive regularly corresponds with, what level of authority they have, etc. Armed with that information, they can determine what actions they could take while impersonating the target that would A) not raise any alarm bells and B) accomplish the results they seek.
Why Whaling Attacks Are So Successful
Whaling works by deceiving a high-powered victim in an organization. The bad actors choose a target with a lot of authority or a top-tier title, and try to get the target to disclose sensitive personal or business information. Alternatively, the attacker could trick an individual into downloading malware by sending them compromised links and attachments that appear to be legitimate. For example, bad actors may send a spoofed email to an executive that appears to be from someone they trust (like another member of senior management).
Precision is one reason whaling attacks are so successful. Unlike typical wide-net phishing email attacks, whaling is extremely personalized and targeted. Usually, cybercriminals research the organization beforehand, find out who its most senior members are, then conduct further research on select individuals.
Their most preferred tactic involves social engineering. Less sophisticated whaling attempts may only employ generic forms of social engineering that use minimal information when tricking the victim into making a security mistake. Frequently, however, cybercriminals will invest a lot of time into a well-crafted whale phishing attempt because the potential rewards can be very high.
Preparation efforts might include gleaning information from social media profiles. They may also send emails to the organization from the outside to get an understanding of what their email signatures and addresses look like. The attackers will collect and use every bit of general information about a company as there is to be found. Names and titles of essential personnel are sometimes publicly available, and that can work to a criminal's advantage.
Overall, many of these attacks include a time-pressure element to confuse and stress the victim. Instructions stating that a wire must be made, documents sent, or invoices paid by the end of the day can be enough to motivate executives to "get the job done" without overthinking the details.
How to Protect Organizations against Whaling Attacks
1. Raise Cybersecurity Awareness
Investing in security awareness training is one of the most important steps needed to guard against whaling attacks. Because these offensives rely on increasingly more sophisticated social engineering techniques, all personnel need to be well-trained on what to look out for.
Some companies do implement cybersecurity awareness training, but they do so only minimally. A single training session is unlikely to be sufficient to make much of a difference against targeted attacks. Because threats evolve and grow over time, training needs to be ongoing to keep up with new developments.
To accomplish this, it is advisable not only to incorporate cybersecurity information in the onboarding process for new employees but also to schedule regular refresher training for all. Employee training is an essential strategy for cyber-threat preparedness.
2. Use a Machine-intelligent Email Security Solution
While an aware workforce is a critical line of defense against cybersecurity issues, organizations should also supplement their employee security awareness training with machine-intelligent email security programs. These solutions can monitor all the email communications within a company and detect the patterns that are "normal" in everyday contexts. When anomalies occur, they can flag and stop email threats before they reach employee inboxes.
For example, if a member of the accounting department is suddenly (and atypically) emailing a C-suite executive, such a system can pick up on it, flag it, stop it, and bring it to the attention of cybersecurity personnel. Without a machine-intelligent email security solution, these seemingly small aberrations might go unnoticed. That is what criminals are hoping for when initiating an attack. Thus, these systems act as a robust filter, halting whaling attacks before they have a chance to get off the ground.
If you’re looking to protect your organization against whaling attacks, xorlab ActiveGuard can help. Get a look at how the solution can work for you with a free demo.