Defining Whaling

Hello. And welcome to Section 1.3 of the Attacks course, Whaling. I’m Lisa Gilbert, and I will be sharing a lot of helpful information so you can understand this type of attack and defend against it. In our discussion of whaling, I will first define whaling and why it is important to understand and prevent. Next, I will discuss what attackers are trying to accomplish. Then I will explain exactly who is at risk and explore the red flags and warning signs that an attack is taking place. We will also explore some of the tactics used by attackers and I will share several real life examples. Lastly, I’ll describe how you can protect yourself and your organization from whaling attacks.

Before we can discuss whaling, we need to understand what it is. Whaling, also known as CEO fraud, is the fraudulent use of a compromised email account of a CEO or other high ranking executive. This is an even more targeted form of spear-phishing used against big fish or whales of an organization. Whaling adds another aspect of social engineering to the attack, because subordinates are reluctant to disobey important members of their organization. Let’s discuss why this is important, what bad actors are looking for, and how they carry out their attacks. What are whaling attackers trying to accomplish? There are a few primary objectives when it comes to whaling attacks.

First, the attackers are focused on gaining access to the information or accounts of a senior member of an organization. Once they have access to this information, the attack generally takes one of two forms. In many willing attacks the senior member’s information or credentials are used to craft an authorization for fraudulent wire transfers to a financial institution of the attackers choice. This attack method has resulted in losses in the billions of US dollars in the last few years. The other primary goal is to obtain W-2 or personal information for all employees. This information can then be used to file fake tax returns posing as employees. Or the employee information is simply sold on the dark web.

This happened to our teenage daughter who worked at a part time job a couple summers ago. Her identity was stolen and someone filed taxes in her name. This is still causing problems for her and for us every time we file our taxes. So who is at risk for a whaling attack? Obviously, high ranking figures within a corporation, or even celebrities or political figures are targets of whaling attacks. But as we have seen, every employee at a company, down to teenagers working part time, can suffer the results of a whaling attack.