According to Deloitte, 91% of cyber attacks start with a phishing email. With an estimated 3.4 billion phishing emails sent daily, this attack method clearly remains a top choice for cybercriminals.

But not every phishing scam is the same as the next. One variant, known as whale phishing or whaling, singles out high-ranking executives, aiming to exploit their authority and access to sensitive information. It is closely related to CEO fraud, the difference being that in CEO fraud the attacker impersonates the executive, whereas in whaling the executive is the target.

Since executives offer a far greater potential payoff than junior and even mid-level employees, attackers who target them often dedicate considerable time and effort to crafting highly convincing, personalized messages that are far more difficult to detect.

The consequences of a successful whale phishing attack can be devastating. Attackers can use the trust they have built with an executive, or the access they gain to the executive's accounts, to push through large transfers of funds, or to extract trade secrets and intellectual property that they can sell to competitors.

Let’s examine exactly how whale phishing works and how companies and executives can protect against these highly-targeted attacks.

Why Executives Are Prime Targets

Cybercriminals are in the business of making as much money as possible, often achieved by acquiring access to high-value digital assets. By targeting executives rather than other employees, attackers can bypass several layers of security and approval processes, opening doors to decision-making power and valuable resources.

There is often a wealth of public information available about business leaders, who go to great lengths to be visible as thought leaders with strong personal brands. They may appear on podcasts or maintain active social media profiles, which can reveal enough about their relationships, reporting lines and travel for attackers to build a credible pretext.

Additionally, while executives may seem harder to reach because of their busy schedules, this can actually work in attackers' favor. Juggling multiple high-stakes responsibilities, an executive may easily fall for an attack that plays on urgency and time-sensitive requests.

For instance, Chief Financial Officers (CFOs) often review several high-ticket transactions each week. If a phishing request mimics a legitimate invoice or transfer request well enough, it will be difficult for the executive to differentiate it from a genuine accounts payable item. Even if the CFO knows better than to approve the payment, simply clicking on what looks like an invoice link can lead to a credential-harvesting page or a malware download that compromises their systems.

The Anatomy of a Whale Phishing Attack

A whale phishing scam typically involves a three-step process:

  1. First, the attackers gather as much information about the target as possible. They usually leverage social media activity, particularly on LinkedIn, or other public sources like the company’s website or public records. Depending on the level of sophistication, criminals may even study the organization’s workflows and key business relationships to make their attack as convincing as possible.
  2. Using the gathered information, the attackers create a highly personalized phishing message, typically delivered via email. The email almost always includes an urgent request that demands that the target act immediately.
  3. If the criminals are convincing enough, and the victim is not careful enough, the target complies with the request: approving a wire transfer, sharing credentials or confidential documents, or opening a malicious link or attachment.

How to Recognize Whale Phishing Attempts

Well-crafted whale phishing attempts can be very difficult to detect. Sometimes, there are no obvious clues that something is wrong. However, there are a few things to look out for.

The main characteristic of most phishing attacks is their abnormal requests, which often have to do with revealing sensitive information, making payments, or changing standard procedures. If the email checks any of these boxes, it should immediately raise suspicion. 

Legitimate vendors and business partners rarely demand immediate action or threaten negative consequences for a delay, whereas phishing emails routinely do both.

Another clue is a spoofed or look-alike sender address. Mail clients usually show the display name first, and the sender sets that freely, so expand the header and look at the actual address. Check the domain for slight variations or misspellings: a swapped letter, an "rn" standing in for an "m", a "1" for an "l", a different top-level domain, or the real company name buried as a subdomain of an unrelated one.
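As an added example (not part of the original article), the following Python applies the sender check above to a From: header: it decodes punycode, folds common look-alike characters, measures edit distance against an allowlist of trusted domains, and catches a trusted address that appears only in the display name. The TRUSTED_DOMAINS allowlist, the CONFUSABLES table, the distance threshold and the sample headers are all constructed or assumed for illustration and would need tuning against your own vendor list.

```python
"""Flag From: headers whose sender domain imitates a trusted one.

Added example, not from the original article. TRUSTED_DOMAINS, the
CONFUSABLES table and the sample headers are constructed/assumed.
"""
import unicodedata
from email.utils import parseaddr

# Assumed allowlist: domains this organisation legitimately deals with.
TRUSTED_DOMAINS = {"example.com", "acme-partners.com"}

# Substitutions that read the same at a glance (multi-letter ones first).
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),   # Cyrillic a, e, o
    ("\u0440", "p"), ("\u0441", "c"), ("\u0445", "x"),   # Cyrillic p, c, x
]


def normalize(domain: str) -> str:
    """Fold a domain to the Latin spelling a human would read it as."""
    d = domain.strip().lower().rstrip(".")
    try:
        # Decode punycode labels (xn--...) so IDN homoglyphs become visible.
        d = d.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: compare as-is
    # Strip accents: "exämple" -> "example".
    d = "".join(c for c in unicodedata.normalize("NFKD", d)
                if not unicodedata.combining(c))
    for look_alike, real in CONFUSABLES:
        d = d.replace(look_alike, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> dict:
    """Return the real sender domain plus a list of look-alike findings."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # A trusted address placed in the display name while the real sender differs.
    if "@" in display_name:
        shown = display_name.rsplit("@", 1)[-1].lower().strip(" >")
        if shown != domain:
            findings.append(f"display name shows {shown} but mail is from {domain}")

    if domain and domain not in TRUSTED_DOMAINS:
        norm = normalize(domain)
        for trusted in sorted(TRUSTED_DOMAINS):
            if domain.endswith("." + trusted):
                continue  # genuine subdomain of a trusted domain
            if norm == normalize(trusted):
                findings.append(f"homoglyph look-alike of {trusted}")
            elif levenshtein(norm, normalize(trusted)) <= 2:  # assumed threshold
                findings.append(f"near-miss spelling of {trusted}")
            elif trusted in domain:
                findings.append(f"{trusted} embedded in unrelated host {domain}")
    return {"address": addr, "domain": domain, "findings": findings}


if __name__ == "__main__":
    # Constructed sample headers: one genuine, four imitations.
    for header in [
        "Accounts Payable <ap@example.com>",
        "Accounts Payable <ap@examp1e.com>",
        "Accounts Payable <ap@exampel.com>",
        "Accounts Payable <ap@example.com.invoice-portal.net>",
        '"ceo@example.com" <pat.lee.ceo@gmail.com>',
    ]:
        print(header, "->", check_sender(header)["findings"])
```

The display-name case matters most on phones, where clients often hide the real address entirely. An edit-distance threshold of 2 is deliberately loose; with very short trusted domains it will produce false positives, so treat the output as a prompt to verify out of band rather than a verdict.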

Finally, no matter how much time and effort the attackers spend on reconnaissance, it’s unlikely they will perfectly replicate an individual’s communication style. So, if the sender is someone you know, take note of the tone, language, or phrasing of their message to see if it matches their usual style.

So, the best policy is to treat every unexpected or unusual email with suspicion, and not interact with it in any way, including not clicking on any links or attachments, until you have confirmed its legitimacy through a separate channel, such as a phone number you already have on file rather than one given in the message.

Best Practices for Executive Cyber Awareness

Raising the cyber awareness of executives and other employees should be a top priority for organizations. Simply being aware that these threats exist will make everyone more skeptical and less likely to engage with potential scammers.

The best way to raise security awareness is to conduct regular training sessions, which will familiarize executives with various cyber threats and attack tactics. In particular, simulation-based training has proven very effective for not only introducing these concepts, but also ensuring that positive behavior changes are ingrained, thanks to its hands-on approach.

As part of the training, executives must also learn how to responsibly use their social media and other public platforms to minimize the amount of personal and professional information available to potential attackers.

Special attention should also be given to other cybersecurity best practices, including strong, unique passwords and multi-factor authentication (MFA), preferably a phishing-resistant method such as a FIDO2 security key or passkey, since one-time codes and push prompts can themselves be phished.

Strategies to Stop Whale Phishing

On top of training-related activities, organizations should also look into technical measures that will better protect their C-suite from scams.

These include advanced email filtering that can spot and stop phishing emails before they reach inboxes, and DMARC, which builds on SPF and DKIM so that receiving mail servers can reject messages that forge your domain. Note that DMARC only protects domains that publish an enforcing policy (p=quarantine or p=reject); it does nothing against look-alike domains the attacker registers themselves, so the sender checks above still matter. Large transactions should follow a dual-approval process, where a second individual must verify and approve every financial transaction, and any change to a supplier's payment details should be confirmed by calling a number already on file.
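As an added example (not from the original article), the Python below grades a domain's SPF and DMARC TXT records for the weaknesses that still let spoofed mail through: a monitoring-only or partial DMARC policy, a weaker subdomain policy, missing aggregate reports, a permissive SPF terminal, and the 10-lookup limit that silently voids an SPF record. The record strings are constructed for illustration; in practice you would read them from DNS (the TXT record at the bare domain for SPF, at `_dmarc.<domain>` for DMARC).

```python
"""Grade a domain's SPF and DMARC TXT records for spoofing weaknesses.

Added example, not from the original article. The record strings are
constructed; in practice read them from DNS (TXT at the bare domain for
SPF, at _dmarc.<domain> for DMARC).
"""
import re

# SPF terms that cost a DNS lookup; more than 10 in total is a permerror.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc_tags(record: str) -> dict:
    """Split 'tag=value; tag=value' DMARC syntax into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return the weaknesses found; an empty list means the record enforces."""
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    problems = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= policy")
    elif policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        problems.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if policy == "reject" and sub_policy != "reject":
        problems.append(f"sp={sub_policy} leaves subdomains weaker than the main domain")
    pct = tags.get("pct", "100")                   # pct defaults to 100
    if not pct.isdigit() or int(pct) < 100:
        problems.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        problems.append("no rua= address, so nobody receives aggregate reports of spoofing")
    return problems


def assess_spf(record: str) -> list:
    """Return the weaknesses found in an SPF record."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return ["not an SPF record"]
    problems = []
    # The first 'all' mechanism ends evaluation; its qualifier is the default verdict.
    terminal = next((t.lower() for t in tokens[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if terminal is None:
        problems.append("no all mechanism; senders not listed get a neutral result")
    elif terminal in ("all", "+all"):
        problems.append("+all lets any host on the internet send as this domain")
    elif terminal == "?all":
        problems.append("?all is neutral, which receivers treat as no policy")
    elif terminal == "~all":
        problems.append("~all is a softfail; rely on DMARC p=reject to make it bite")
    lookups = sum(
        1 for t in tokens[1:]
        if re.split(r"[:=/]", t.lstrip("+-~?").lower(), maxsplit=1)[0] in DNS_LOOKUP_TERMS
    )
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms exceed the limit of 10; receivers return permerror")
    return problems


if __name__ == "__main__":
    # Constructed records: a weak pair beside a corrected pair.
    weak = ("v=spf1 a mx include:_spf.example.net ~all",
            "v=DMARC1; p=none; pct=50")
    fixed = ("v=spf1 include:_spf.example.net -all",
             "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com")
    for spf, dmarc in (weak, fixed):
        print(spf, "->", assess_spf(spf))
        print(dmarc, "->", assess_dmarc(dmarc))
```

The lookup count only covers terms in the top-level record; `include:` and `redirect=` pull in further records whose own lookups also count toward the limit, so a live check has to recurse through DNS. Also run the same assessment on the domains of your major suppliers: if they publish `p=none`, invoices "from" them are easy to forge.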

Last but not least, every organization should have a well-established and regularly updated incident response plan, which outlines the actions, roles, and responsibilities in the event of a phishing attack, or other cyber breach.

Conclusion

Whale phishing may not make the news every day, but it is a tactic organizations must prepare for. It goes hand in hand with CEO fraud, or business email compromise, in which criminals impersonate executives to manipulate employees; both are forms of spear phishing, and both trade on the authority of the people at the top.

It’s clear that online scammers have found a new favorite method to bypass traditional security measures by going directly for the decision makers. Solid cyber hygiene practices and ongoing, simulation-based training will be key in limiting the effects of these sophisticated attacks.
