What is a Whaling Attack?

A whaling attack is a specialized attack that falls under the larger category of spear phishing.

Before we can define what whaling is, it’s important to understand what a spear phishing attack is.

Spear phishing refers to a phishing scam that is highly customized to individual users, often within an organization. Many of the campaigns that penetrate an organization to get to its employees are sophisticated enough to deceive even careful users.

The idea is to replicate an email from a real organization or co-worker. The sender address is altered with small changes that are hard to spot at a glance, such as substituting the number "1" for a lowercase letter "l", or the number "0" for an uppercase letter "O". These tricks seem low-tech, but to a user barely glancing at the email they may be enough to get that user to click a link that leads to a credential-harvesting website, or to open a malicious document hosted on a legitimate cloud-storage service like Google Drive or OneDrive.

Whaling is even more specialized. It involves the attacker impersonating a senior manager or executive, the "whales" of the company. Because employees are likely to do what the boss says, the attacker assumes that person's identity and asks an employee to make a bank transfer or otherwise act on the request without questioning it. (The term is also used for phishing aimed at the executives themselves; either way, what the attacker exploits is the authority that an executive's name carries.)

This requires a lot of research on the part of the attacker. To pull it off, the attacker needs to know the organization's employees and its reporting structure, how the executive typically writes emails, and to whom they send them. Though difficult, it can be done, and it remains a major threat.

According to the FBI's 2019 public service announcement on business email compromise (the broader category of fraud that whaling belongs to), reported losses exceeded $26 billion over a three-year period. Victims were in all 50 states and more than 150 countries, with fraudulent transfers sent to banks in at least 140 countries. This is a worldwide problem.


How Do Whaling Attacks Work?

Whaling attacks are a considerable feat of research. Because the emails need to be believable, they include as much relevant information as possible, usually gathered from public social media profiles. To seem convincing, they mention details that only insiders would be expected to know: perhaps a recent photo from a company gathering, or a status update, to make it seem like the sender is in the know.

The attacker takes the time to create a sender address that looks like it belongs to the company, or puts the executive's name in the display name of an address the executive does not control. The email may include real logos and email signatures.

Because of the inherent trust placed in a senior manager or executive, these emails are very difficult for the average employee to detect. As long as the spoofed email looks close enough to the real thing, a distracted employee might not notice that it is actually malicious.
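The two sender tricks described above, the lookalike address built from character substitutions (1 for l, 0 for O, rn for m) and an executive's display name on an address that is not the executive's, can both be checked mechanically against a roster of who the executives really are. The following is an added example written for this page; it is not code from the original article or from Avanan. The executive roster, trusted domain and sample From headers are constructed for illustration.

```python
"""
Added example (not the article's or Avanan's code): flag whaling-style sender
impersonation in a From: header. Catches lookalike domains built from homoglyph
substitutions, near-miss domains, a trusted domain embedded in an attacker's
domain, and an executive's display name paired with a foreign address.
"""
from email.utils import parseaddr
import re

# Constructed roster: the real executives and the organization's own domain(s).
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "bob smith": "bob.smith@example.com",
}
TRUSTED_DOMAINS = {"example.com"}

# Single characters commonly swapped for look-alikes in spoofed domains.
SINGLE_HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "8": "b",
})
# Character pairs that read as one letter at a glance.
PAIR_HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize_domain(domain: str) -> str:
    """Fold homoglyph substitutions so 'exarnp1e.com' compares equal to 'example.com'."""
    folded = domain.lower().translate(SINGLE_HOMOGLYPHS)
    for pair, letter in PAIR_HOMOGLYPHS:
        folded = folded.replace(pair, letter)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch near misses the homoglyph table does not cover (a dropped or added letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_name(name: str) -> str:
    """Lower-case a display name and collapse whitespace so 'JANE  DOE' matches the roster."""
    return re.sub(r"\s+", " ", name).strip().lower()


def check_from_header(from_header: str) -> list:
    """Return a list of findings for a From: header; an empty list means nothing suspicious."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    _, at, domain = addr.rpartition("@")
    if not at or not domain:
        return ["unparseable sender address"]
    findings = []

    if domain not in TRUSTED_DOMAINS:
        folded = normalize_domain(domain)
        for trusted in TRUSTED_DOMAINS:
            folded_trusted = normalize_domain(trusted)
            if folded == folded_trusted:
                findings.append(f"lookalike domain {domain!r} folds to {trusted!r}")
            elif levenshtein(folded, folded_trusted) <= 2:
                findings.append(f"domain {domain!r} is within edit distance 2 of {trusted!r}")
            elif trusted in domain:
                # e.g. example.com.secure-mail.net: the real name buried in an attacker's domain
                findings.append(f"domain {domain!r} embeds trusted domain {trusted!r}")

    expected = EXECUTIVES.get(normalize_name(name))
    if expected and addr != expected:
        findings.append(f"display name {name!r} is an executive but address {addr!r} is not {expected!r}")
    return findings


# Constructed sample headers: the first is legitimate, the rest mimic whaling tricks.
SAMPLES = [
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jane.doe@examp1e.com>",
    "Jane Doe <ceo.janedoe@gmail.com>",
    "Bob Smith <bob.smith@exarnple.com>",
    "Accounts <payments@example.com.secure-mail.net>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_from_header(sample) or "ok")
```

One caveat the checker cannot cover: a From address that exactly matches the executive's real address can still be forged at the SMTP level, so this kind of check only helps once the organization's domain is protected by SPF, DKIM and an enforcing DMARC policy. The checker also depends on the roster being kept current, which is the same maintenance problem the next section raises for gateways.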


How To Prevent Whaling Attacks

To prevent whaling attacks, you need anti-phishing software that understands who normally talks to whom inside the organization, backed by a process rule that any payment or bank-detail change requested by email is confirmed out of band (a call to a known number, not a reply to the email) before it is acted on.

Within hours of first deployment, Avanan's customer-specific, machine-learning social graph analyzes up to 12 months of messages and behavior. That allows us to develop a reputation matrix for identifying targeted attacks, covering nicknames and partner reputation and giving us a per-customer context that helps identify when an email is legitimate and when it is the sign of something worse.

Even better, because of our inside deployment, where we sit inline behind email, we can consistently and automatically monitor changes within the organization. Secure Email Gateways can only do this manually, which makes it easy to forget to update them for new hires or promotions. We know what types of emails are normal and what are not, and can alert you accordingly, in real time.

Further, Avanan scans files and emails to look for URLs, even if recursively embedded, and actively follows links to measure domain risk and perform individual page analysis.

Our machine learning algorithm performs dynamic analysis of email, correlating over 300 (and growing) phishing indicators in every email message.

Avanan secures each individual inbox, so it can scan all email, including internal and outbound. Additionally, Avanan is the only company with a dedicated AI model for scanning internal traffic, with indicators relevant to an internally-originated attack. When hackers take over internal accounts and send malicious content to employees, Avanan is able to identify those emails as phishing and block them.

It is with this internal context that Avanan can identify and protect against whaling attacks.


Final Thoughts on Whaling

Though whaling may be difficult to pull off, that does not mean it can be ignored. It should be a centerpiece of a good anti-phishing security solution, along with solid user education about the human factor in phishing attacks.

Automatically learning how an organization communicates, and building a reputation model from that, is the best way to protect against these highly targeted, highly dangerous attacks.

Get a demo and find out how Avanan can catch whaling attacks before they reach your inbox.
