For perspective, ordinary phishing is usually a mass attempt to capture someone’s login credentials for a social media site or bank. In those cases the email and the fake site are generic, whereas in whaling the message and page are tailored to the specific manager or executive under attack and address that person explicitly.
What Is the Objective of Whaling?
The point is to trick someone in upper management into divulging confidential company information. This usually takes the form of a password to a sensitive account, which the attacker then uses to reach further data and systems. The lever in whaling, as in other phishing, is fear and urgency: the recipient is made to believe they must act immediately to avoid legal fees, to keep from being fired, to save the company from bankruptcy, and so on.
What Does a Whaling Scam Look Like?
Whaling, like any phishing con, involves a web page or email that masquerades as something legitimate and urgent. Scammers design it to look like a critical business email or a message from someone with authority, either outside the company or inside it. The whaling attempt might be a link to what looks like a site you already use, and the page asks for your login information just as you would expect.
What happens after you submit is the problem. You enter your username and password, and a notice appears saying the information was incorrect and that you should try again. No harm done, right? You simply mistyped your password. That is the scam. Behind the scenes, the fake site cannot log you in because it is not the real site; it forwards what you typed to the attacker and then redirects you to the real login page. You try again there, it works, and you have no reason to suspect that the first page was fake and that your password has just been stolen. The attacker, meanwhile, now holds your username and password for the site you thought you had logged in to.
Instead of a link, the scam may ask you to download a program to view a document or image. Whether or not that program does what it claims, it carries a malicious payload that records everything you type or deletes files from your computer.
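The sequence just described (a login form posted to a site that is not the real one, followed almost immediately by the same client reaching the real login page) leaves a trace in web proxy logs. The following Python is an added example, not from the original article, of a detector for that pattern; the log format, the host names and the allowlist of known login hosts are all constructed for the example and would be replaced with a real proxy's format and the organisation's own list.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log for this example. The format is assumed, not any
# real proxy's native format: <epoch_seconds> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET http://cdn.example-corp.com/logo.png 200
1700000010 10.0.0.5 GET https://example-bank-secure.support/login 200
1700000020 10.0.0.5 POST https://example-bank-secure.support/login 302
1700000021 10.0.0.5 GET https://login.example-bank.com/ 200
1700000022 10.0.0.5 POST https://login.example-bank.com/session 200
1700000100 10.0.0.7 POST https://login.example-bank.com/session 200
1700000200 10.0.0.9 POST https://forms.partner.example/signin 200
1700000900 10.0.0.9 GET https://login.example-bank.com/ 200
"""

# Hosts where this hypothetical organisation legitimately signs in.
KNOWN_LOGIN_HOSTS = {"login.example-bank.com", "mail.example-corp.com"}

# Path fragments that suggest a login form was submitted.
LOGIN_PATH_HINTS = ("login", "signin", "auth", "session")

# How quickly the hop to the real login host must follow the suspicious POST.
WINDOW_SECONDS = 30


def parse_line(line):
    """Split one constructed log line into a dict with parsed host and path."""
    ts, ip, method, url, status = line.split()
    parts = urlsplit(url)
    return {"ts": int(ts), "ip": ip, "method": method,
            "host": (parts.hostname or "").lower(), "path": parts.path,
            "status": int(status)}


def looks_like_login_post(ev):
    """True for a POST whose path hints at a credential form."""
    path = ev["path"].lower()
    return ev["method"] == "POST" and any(h in path for h in LOGIN_PATH_HINTS)


def find_harvest_redirects(log_text, window=WINDOW_SECONDS):
    """Return an alert for each login-looking POST to a host not in
    KNOWN_LOGIN_HOSTS that the same client follows, within `window` seconds,
    by a request to a host that is: the harvest-then-redirect sequence of a
    fake login page."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_client[ev["ip"]].append(ev)

    alerts = []
    for ip, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if not looks_like_login_post(ev) or ev["host"] in KNOWN_LOGIN_HOSTS:
                continue
            for later in events[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break  # too late to be the redirect from the fake page
                if later["host"] in KNOWN_LOGIN_HOSTS:
                    alerts.append({"client": ip, "fake_host": ev["host"],
                                   "real_host": later["host"],
                                   "gap_s": later["ts"] - ev["ts"]})
                    break
    return alerts


if __name__ == "__main__":
    for a in find_harvest_redirects(SAMPLE_LOG):
        print(f"{a['client']}: credentials posted to {a['fake_host']}, "
              f"then {a['real_host']} reached {a['gap_s']}s later")
```

In the sample, only 10.0.0.5 fires: the POST to the unknown host is followed one second later by the real bank login page, which is exactly the redirect the fake page performs. The 10.0.0.9 client posted a form to an unknown host too, but reached the bank only 700 seconds later, outside the window, so it is left alone unless the window is widened.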
How Whaling Is Different From Other Phishing Scams
In a regular phishing scam, the web page or email might be a faked warning from your bank or PayPal. The fake page frightens the target with claims that their account has been charged or attacked and that they must enter their ID and password to confirm the charge or verify their identity. In whaling, the masquerading web page or email takes a more serious, executive-level form. The content targets an upper manager such as the CEO, or even a supervisor who has a lot of pull in the company or who holds credentials to valuable accounts. The whaling email or website may come as a fake subpoena, a fake message from the FBI, or some other critical-sounding legal complaint.
How Do I Protect Myself From Whaling Attacks?
The easiest way to protect yourself from falling for a whaling scam is to be careful about what you click. Since whaling arrives by email and through websites, you can avoid most malicious links by learning to tell what is real from what is not. It is not always possible to know what is fake: sometimes a new email arrives from someone you have never corresponded with, and what they send looks entirely legitimate. Still, if you look at the URL in your browser’s address bar, reading the domain name right to left so that a familiar name sitting in front of an unrelated domain stands out, and you glance around the site, even briefly, for anything that looks a little off, you significantly decrease your chances of being attacked this way. For an unexpected request that carries legal or financial weight, confirming it through a channel you already trust, rather than through the links or numbers in the message itself, is a sound extra step.
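Reading the URL is the check the article leans on, and the tricks it has to catch are specific: an unrelated domain hiding behind a familiar-looking subdomain, a `user@host` prefix that makes the real host easy to miss, digit-for-letter lookalikes, and non-ASCII or punycode host names. The following Python is an added example, not from the original article, that classifies a link against the domain a user expects to reach. The expected-domain values and sample links are constructed for the example, and the registrable-domain logic assumes a single-label public suffix such as .com; a production tool would use the Public Suffix List (for instance via the tldextract package) instead.

```python
import unicodedata
from urllib.parse import urlsplit


def registrable_domain(host):
    """'login.paypal.com' -> 'paypal.com'. Assumes a single-label public
    suffix (.com, .net); for .co.uk and similar use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def skeleton(domain):
    """Fold common look-alike characters so 'paypa1.com' equals 'paypal.com'."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    folded = folded.replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("0135", "oles"))


def check_link(url, expected_domain):
    """Classify a link against the registrable domain the user expects.

    Returns (verdict, registrable_domain_seen). The verdict is 'ok' only when
    the link really goes to expected_domain over https; every other value
    names the trick that was spotted."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.username is not None:
        # https://paypal.com@evil.example/ : the browser goes to evil.example;
        # the part before '@' is userinfo and only has to look convincing.
        return "userinfo-trick", registrable_domain(host)
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        # Non-ASCII or punycode-encoded labels: possible homograph of a real name.
        return "homograph", registrable_domain(host)
    seen = registrable_domain(host)
    if seen == expected_domain:
        return ("ok" if parts.scheme == "https" else "plain-http"), seen
    if skeleton(seen) == skeleton(expected_domain):
        return "lookalike", seen
    if host.startswith(expected_domain + ".") or ("." + expected_domain + ".") in host:
        # paypal.com.account-verify.example: the familiar name is only a
        # subdomain of a domain the attacker controls. Read right to left.
        return "subdomain-trick", seen
    return "different-domain", seen


# Constructed sample links for this example; the domains are illustrative
# and the punycode label is made up for the demonstration.
SAMPLE_LINKS = [
    ("https://www.paypal.com/signin", "paypal.com"),
    ("http://www.paypal.com/signin", "paypal.com"),
    ("https://paypal.com@evil.example/signin", "paypal.com"),
    ("https://paypa1.com/signin", "paypal.com"),
    ("https://paypal.com.account-verify.example/signin", "paypal.com"),
    ("https://xn--pypal-4ve.com/signin", "paypal.com"),
    ("https://example-bank.com/login", "paypal.com"),
]


def review_links(samples=SAMPLE_LINKS):
    """Return [(url, verdict), ...] for a batch of (url, expected_domain) pairs."""
    return [(url, check_link(url, expected)[0]) for url, expected in samples]


if __name__ == "__main__":
    for url, verdict in review_links():
        print(f"{verdict:16} {url}")
```

The verdict names the trick rather than just saying "bad", which is what makes the output useful in user training: the subdomain case in particular is the one most people miss, because the expected name is right there at the start of the address, just not in the position that decides where the browser goes.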
Do Executives and Managers Really Fall for These Whaling Emails?
Yes, unfortunately, managers do fall for whaling email scams. Take the 2008 FBI subpoena whaling scam as an example. Scammers targeted about 20,000 corporate CEOs, and approximately 2,000 of them fell for it by clicking the link in the email, believing it would install a special browser add-on needed to view the full subpoena. In truth, the linked software was a keylogger that secretly recorded the CEOs’ passwords and forwarded them to the con men. As a result, each of those roughly 2,000 compromised companies was exposed to further intrusion, since the attackers now had the credentials they needed.