Reeling in the Big Fish

With cybercriminals increasingly targeting executives, the issue of whaling attacks is something that businesses of all sizes need to consider.

What is Whaling?

Whaling is a type of phishing attack that targets an organisations leader (the big fish) or executives. A whaling attack is also known as a C-level fraud and BEC (business email scams). Usually, the emails are spoofed to appear to come from a trusted colleague or business partner and often slip through anti-spam measures.

The attacks typically involve weeks of preparation with organised criminal groups often spending weeks or months monitoring their targets online activity.

Social engineering techniques are used to glean as much data as possible on their target or seek out other potential weak links.

A common strategy, for example, sees the criminal posing as someone from the finance team. Thanks to social media accounts such as LinkedIn it’s relatively easy for them to get the personal data and information needed to launch their attack.

A scammer will also do reconnaissance on the business they’re hoping to scam. They will learn how an organisation’s emails look and how they are structured in order to make the phishing email as believable as possible.

If the scammer opts to pose as the CEO or senior executive they will target employees lower down the structural chain and ask them to transfer sensitive data or money into an account of the attackers choosing.

Posing as an exec is effective as most employees don’t want to disappoint their senior management and will often carry out the order without question. Often an employee, no matter how odd the request may be, will want to make a good impression and not disappoint their employer.

In some cases, this has resulted in the loss of millions of pounds. In January a successful whaling attack cost Austrian aircraft parts manufacturer FACC €40 million (wiping out the years profits) and resulted in the CEO and CFO being sacked.

Criminals are often opportunistic and prefer to seek out easy targets. Why waste time targeting lower level employees when you can go straight for the top? 

How to counter Whaling attacks

As 50% of whaling emails are sent to CFOs and 25% target Human Resource departments, educating employees in those departments to be aware of suspicious requests.

Whaling emails often ask employees to keep things confidential and bypass normal approval channels so employees should always double check and confirm that any unusual requests are legitimate. Calling to confirm requests should be adopted as policy.

Anyone can fall victim to a well-crafted phishing email so it’s not really fair to punish an employee who gets duped. After all, there are likely to be extenuating circumstances such as the employee dealing with heavy workloads.

When training employees they should be empowered to have the confidence to report suspicions to the relevant personnel rather than threatened with punishments if they do slip up. An atmosphere of fear is likely to make them less effective at catching any whaling attempts.

For further reading visit –

Follow us on FacebookTwitter and LinkedIn