The human factor continues to be one of the main weaknesses cyber-criminals exploit against enterprises, according to the Verizon 2016 Data Breach report. Phishing in its several varieties, with whaling a particularly fruitful technique, tops the list of data breach incidents alongside ransomware.

Verizon, Kaspersky, Mimecast, and even the FBI warn companies about the increase in phishing activity, of which whaling is a sub-category. Enterprises are advised to take precautions, tighten their cybersecurity, increase employee awareness and training, and encrypt all sensitive data and communications.


Targeting CEOs and other top executives, whaling (also referred to as Business Email Compromise, BEC) is a targeted spear-phishing attack. It comes as an email addressed to a CEO or other senior executive of a large company. The victims share a common profile. They:

  • have access to employee or customer data.
  • have access to company accounts and can make transfers.
  • have access to confidential trade information.

A successful whaling attack aims either to steal a significant sum of money or to gain access to executive passwords, banking details, enterprise hard drives, secret trade data, or even entire corporate networks.

According to the FBI, from October 2013 through February 2016, over $2.3 billion in losses are attributed to whaling alone.

Signs of Whaling

Brian Krebs explains that whaling emails pass spam filters because, unlike mass spam campaigns, they are addressed solely to the target.

A whaling email will normally contain a detail of the victim’s personal life, for example, a time-limited family vacation offer, or a bank requesting personal information to either complete a profile or restore access to an account that would otherwise be blocked.

A common attribute of a whaling email is that it requires immediate action. It triggers a strong emotional response and is highly customized to meet a victim’s psychological profile.

Oftentimes, whaling comes in the form of a business-critical warning, offer or invitation related to company matters. For example, a subpoena notice from a state “prosecutor” with a link to details about the subpoena is a successful bait that targeted many US companies a few years back and had a 10% success rate.

Another type of whaling is an email that appears to come from within the company. Such emails look as if they were sent by the company CEO, the head of a department, or another trusted source. Typically targeting accounting personnel authorized to make transactions, such emails urge the victims to make prompt wire transfers. When targeting the IT department, whaling emails that appear to come from top executives ask to have their passwords reset.

Whaling Victims

Top company executives, accounting and IT staff are high on the list of whaling targets. Of particular interest are executives who are active on social networks such as Facebook, Twitter, LinkedIn, and Instagram. Since whaling campaigns are highly personalized, hackers can spend months studying their target’s personal life, family members, likes, and hobbies, documenting their events, the places they’ve been, and the people they have met. The hackers create a detailed personal profile of a target. Such a profile allows them to create a credible pitch and a legitimate-looking call to action, and to manipulate the victim into performing the action requested in the email.

So, any personnel with access to sensitive company information need to view their own social media activity from a whaling perspective.

Over time, whaling campaigns have become more sophisticated. Taking months to profile a target, hackers are successfully crafting emails that sound reasonable, legitimate and relevant. Whaling emails can even contain seemingly confidential information that can be verified. In reality, such information is most likely obtainable from public directories.

Social Media

Many businesses rely heavily on social media to promote brand awareness, maintain customer loyalty, do promotions, and the like. CEOs and other executives need to maintain active profiles on social media to connect to their customers. Thus, the information they share on social media becomes the pool the hackers tap when profiling their victims.

The target’s name, position in a company, hobbies, interests, family status, a charity the person is involved with, or some public movement, birth dates of a spouse or children, addresses, even obituaries become the hackers’ source of intel.

Call to Action

When a target responds to a call to action that urges them to click on a link, malicious code is stealthily downloaded to the target’s machine. The code can give the hacker access to sensitive data or the company network. Such code can grant the attacker remote access to the victim’s computer, intercept incoming and outgoing communications, capture keystrokes, and take screenshots of the desktop.

How to Counter Whaling

How can IT departments and CISOs protect their companies from such a widespread and sophisticated threat? Prevention and encryption.

  • Encryption is the first line of defense. Account limitations are the second. Encrypt your corporate data: email, corporate chats, SMS, phone calls, cloud storage and local storage. Use end-to-end, military-grade encryption at rest and in transit, with paranoid-level passwords and secure storage for those passwords.
  • Restrict user access to the data each particular employee needs, and lock out the rest. This way, if a whaling attack is successful, the attacker will only gain the fraction of the data that is available to one employee. In other words, don’t keep all your eggs in one basket.
  • Deploy two-factor authentication wherever possible.
  • Prevention comes down to increasing employee cybersecurity awareness. As much as businesses do not wish to spend working hours on cybersecurity training, it is an essential means of increasing threat awareness among personnel.
  • Another successful tactic many companies are going back to now is the old-school “keep in touch” method. Should an accountant receive an urgent request for a wire transfer, or an IT staff member receive a request to reset a password for a top executive, they make a personal phone call to double-check the authenticity of the request. This might slow down operations to some extent, but it also minimizes the risks.
  • When employees are aware of the whaling techniques, they can report to their IT department in a timely manner, and have them double-check the suspicious requests.
  • Gathering intel on your own company’s susceptibility to whaling attacks is another recommended technique. See what’s on the social network accounts of your top executives, IT staff, and accountants, and how it can be used against your organization.
  • Review your policies. Do not allow posting company-related data on your employees’ personal social media accounts. In a perfect scenario, minimize the exposure of your top executives to social media.
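
The signs listed under Signs of Whaling and the phone call-back check above can be combined into a simple mail triage rule. The following is an added example, not code from the original article; the company domain, executive names, keyword lists and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; replace with your own directory data.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|today)\b", re.I)
REQUEST = re.compile(r"\b(wire transfer|password reset|reset my password)\b", re.I)

# Constructed sample messages (not real mail).
SPOOFED = (
    "From: Jane Doe <jane.doe@example-mail.test>\n"
    "To: accounts@example.com\n"
    "Subject: Urgent wire transfer\n\n"
    "I need you to process a wire transfer today. Keep this between us.\n"
)
BENIGN = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: accounts@example.com\n"
    "Subject: Q3 planning notes\n\n"
    "Agenda for Thursday is attached.\n"
)

def whaling_signals(raw):
    """Return the whaling signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Only plain-text bodies are inspected in this example.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    signals = []
    # Display name of an executive, but sent from outside the company domain.
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        signals.append("executive-name-external-domain")
    if URGENCY.search(text):
        signals.append("urgency")
    if REQUEST.search(text):
        signals.append("transfer-or-reset-request")
    return signals

def needs_callback(raw):
    """Hold for phone verification: a transfer/reset request plus another sign."""
    signals = whaling_signals(raw)
    return "transfer-or-reset-request" in signals and len(signals) >= 2

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("benign", BENIGN)):
        print(label, whaling_signals(raw), needs_callback(raw))
```

A rule like this only prioritizes messages for the manual phone check; it does not replace it, since a request sent from a compromised internal mailbox would not trip the domain test.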

