Businesses fall victim to cyberattacks almost daily. A simple phishing scam, in which an employee clicks a link from what looks like a known contact or answers an innocuous text asking for account details, turns into a loss of data, money and privacy with major ramifications for the organization.
These attacks are moving beyond generic fraudulent messages and broad social engineering aimed at ordinary users' data. Cybercriminals are now casting their nets for bigger but rarer fish: well-researched, personalized scams aimed at senior leaders and the C-suite. Security operations are falling behind in combating these so-called whaling attacks.
What are whaling schemes?
Malicious actors used to go for quantity, with an unsophisticated spray-and-pray approach meant to catch a few unsuspecting people; a run-of-the-mill phishing email might even be error-strewn by design so that only the most credulous targets respond. Now there is a more concerted effort, backed by resources and research, to pull off high-quality attacks. Whaling is a form of phishing distinguished by its targets: high-value individuals at a given company.
Rather than any employee, whaling targets senior executives, typically by impersonating someone even more senior, such as the CEO, to steal money, information or personal data that can seed further attacks. The techniques and tooling now available make the lure far more convincing, so the recipient struggles to recognize a fraudulent email, direct message or text.
Targeting senior people adds power dynamics and specificity to the scheme's favor. A recipient may be reluctant to question or refuse a request that appears to come from the CEO or another C-suite leader, given the weight those people carry in the company. All social engineering plays on human emotions such as greed, curiosity, fear and urgency; whaling specifically exploits the desire to impress bosses or clients, and to do so quickly and without question.
The attacks also tend to be more believable because they draw on personalized, publicly available information from social media and corporate profiles. A fraudulent email may include something as simple as copied corporate logos and signatures, or as elaborate as links to look-alike websites built solely to sell the illusion of legitimacy.
It’s a tailored approach for target individuals, meant to enact significant damage — financial or otherwise.
What can happen when an organization is attacked?
According to the FBI, cyberattacks have increased in recent years, with phishing in particular exacerbated by the remote-work arrangements brought on by the COVID-19 pandemic. Google reported blocking more than 250 million COVID-19-related spam emails, along with nearly 18 million COVID-19-related phishing and malware emails sent to victims each day in early 2020. As quantity rose, so did quality: the FBI also reported that more personalized, targeted whaling attacks resulted in more than $12.5 billion in losses in 2021.
An HR employee at Snapchat fell victim to a whaling email impersonating the company's CEO and handed over sensitive payroll data, exposing personal employee information such as stock option status and W-2 forms. Around the same time, a finance executive at toymaker Mattel wired $3 million to a Chinese bank after apparently being instructed to do so by the company's new CEO. Networking equipment maker Ubiquiti Networks was hit by a similar impersonation scam in which its finance department transferred roughly $46.7 million from a Hong Kong subsidiary to overseas accounts controlled by the attackers; only about $8 million was recovered initially.
Each whaling incident carries a hefty price tag, and most are driven by financial gain. But the perception that an organization's data is easily compromised and its security weak or nonexistent also drives consumer and investor confidence down. Attackers may also sell stolen information on the dark web, or use the initial compromise as a foothold to move laterally across the organization's network and carry out even more damaging attacks.
So, how can organizations equip senior-level employees with a plan to spot and stop a whaling scam in the wild?
How to protect against whaling attacks
1. Set up education and training sessions
Preventing whaling requires continuous employee training, including specific guidelines for how employees protect work data. That means training during onboarding and regular refreshers throughout an employee's tenure, with clear rules on what information can be shared, with whom, when and through which channels, updated as attacks grow more sophisticated.
Employees should also be encouraged to flag suspicious messages in a companywide channel such as Slack: if they see something, they should say something. This removes the stigma of reporting, familiarizes the wider company with real phishing and whaling attempts, and gives the security team a faster view of attacks in progress.
2. Create new protocols
Senior leaders, as the most visible representatives of the company, need new protocols for what they share and how requests reach them.
Executives and senior employees should use privacy restrictions on social media and otherwise scrub or minimize personal details from public profiles, avoiding easy cues such as birthdays and routine locations that can be woven into a pretext. Email security and data loss prevention tooling can also automate filtering: flagging or quarantining messages from unknown senders or newly registered domains, display names that match an executive but arrive from an outside address, and trigger terms such as "wire transfer" before they ever reach an inbox.
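As an added example (not code from the original article or any vendor product), the following Python script shows the kind of inbound-mail screening the paragraph describes: it checks for a known executive's display name paired with an outside address, a lookalike sender domain, a Reply-To header that diverts responses elsewhere, and payment-fraud trigger phrases. The corporate domain, executive roster, phrase list and the two sample messages are constructed for illustration.

```python
"""Heuristic screening of inbound mail for executive impersonation.

Added example, not code from the article. The corporate domain, executive
roster, trigger phrases and sample messages below are all constructed.
"""
import difflib
import email
from email.utils import parseaddr

CORPORATE_DOMAIN = "acme-example.com"                   # assumed domain
EXECUTIVES = {"Jane Doe": "jane.doe@acme-example.com"}  # assumed roster
TRIGGER_PHRASES = ("wire transfer", "gift card", "w-2", "urgent", "confidential")


def _domain(addr):
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain, reference=CORPORATE_DOMAIN):
    """True when domain is not the corporate domain but differs only slightly,
    e.g. acme-examp1e.com or acme-example.co, a classic whaling trick."""
    if not domain or domain == reference:
        return False
    return difflib.SequenceMatcher(None, domain, reference).ratio() >= 0.85


def screen_message(raw):
    """Return a list of findings for one RFC 5322 message (single-part text);
    an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. A known executive's display name on an address not in the roster.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append(f"display-name impersonation of {name} via {addr}")

    # 2. Sender domain that is a near miss of the corporate domain.
    if is_lookalike(from_domain):
        findings.append(f"lookalike sender domain {from_domain}")

    # 3. Reply-To pointing elsewhere, so replies reach the attacker even
    #    when the From header looks right.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        findings.append(f"reply-to domain {_domain(reply)} differs from sender")

    # 4. Phrases typical of payment or payroll fraud, in subject or body.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = f"{msg.get('Subject', '')} {body}".lower()
    hits = [p for p in TRIGGER_PHRASES if p in text]
    if hits:
        findings.append("trigger phrases: " + ", ".join(hits))
    return findings


# Constructed sample messages.
SAMPLE_WHALING = """\
From: Jane Doe <jane.doe@acme-examp1e.com>
Reply-To: jane.doe@mail-example.net
To: cfo@acme-example.com
Subject: Urgent wire transfer needed today

I am in a meeting, please process a wire transfer to the vendor below
and keep it confidential until I am out.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@acme-example.com>
To: cfo@acme-example.com
Subject: Board deck

Attached is the draft deck for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("whaling", SAMPLE_WHALING), ("legit", SAMPLE_LEGIT)):
        print(label, screen_message(raw) or ["clean"])
```

Each check is cheap and none is decisive on its own; the value comes from scoring them together and routing anything with two or more findings to quarantine or a banner, rather than dropping mail outright on one weak signal.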
System-wide conventions, such as consistent fonts, logos and color schemes on official correspondence, are a small but easy way to make forgeries stand out. So is password hygiene. Passkeys, which Apple, Google and Microsoft now support, can replace memorized passwords with device-bound credentials that cannot be phished. In the meantime, monitor important accounts, rotate their passwords whenever compromise is suspected rather than on a fixed monthly or quarterly calendar, and pair them with phishing-resistant multi-factor authentication so a stolen password alone is not enough.
Verification processes are essential: before sensitive information or money moves, require out-of-band confirmation, such as a phone call to a number already on file rather than one supplied in the request. This gives the company strength in numbers, since scamming two people is harder than scamming one. Where possible, corporate accounts should also be protected with multi-factor authentication tied to a device the account holder physically carries.
3. Establish an ongoing follow-up plan
Cybercriminals are constantly learning and evolving, and defenders should too. Security teams can use retrospective detection, analyzing quarantined spam and suspected attacks after the fact, to learn which individuals are being targeted and which threat actors are doing the targeting.
A rolling follow-up plan against whaling and lesser phishing schemes lets defenders learn from each attempt. Extract the indicators of compromise (IoCs) embedded in those emails, such as links, attachment hashes and sender domains, and, more importantly, check network logs for any host that contacted them; that tells you whether a lure landed and hardens defenses against the next one. Filtering and deleting spam is good; analyzing the spam inbox is better. Penetration testing and simulated phishing campaigns also go a long way in pinpointing gaps in security controls and weak spots among employees.
Cybersecurity strategies vary with an organization's needs, but one thing is certain: cybercriminals will exploit any fear, uncertainty, distraction or doubt. Open inboxes are a perfect hunting ground, and a captive audience of targets at the highest and most lucrative levels of an organization means the attacks show no sign of stopping. A sound IT security posture matters, but sophisticated attackers will keep probing it, and it is up to each company to put these key components in place as part of a strong security strategy.
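As an added example (not code from the article), here is the retrospective step in Python: harvest link domains from quarantined phishing messages to build an IoC set and a per-recipient targeting count, then sweep proxy logs for any internal client that contacted one of those domains. The messages, the log lines and the simplified proxy log format (timestamp, client IP, method, URL, status) are all constructed assumptions; a real deployment would read the quarantine and the proxy's own log format instead.

```python
"""Retrospective IoC matching: harvest link domains from quarantined phishing
mail, then search proxy logs for internal hosts that contacted them.

Added example, not code from the article. The messages, log lines and the
simplified proxy log format are all constructed for illustration.
"""
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def harvest_iocs(raw_messages):
    """Return (set of link domains, Counter of targeted recipients)
    extracted from quarantined single-part text messages."""
    domains, targets = set(), Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in URL_RE.findall(body):
            host = urlparse(url.rstrip(".,;)")).hostname  # drop trailing punctuation
            if host:
                domains.add(host.lower())
        _, rcpt = parseaddr(msg.get("To", ""))
        if rcpt:
            targets[rcpt.lower()] += 1
    return domains, targets


def find_contacts(log_lines, domains):
    """Return (timestamp, client, domain) for each log entry whose URL host
    is one of the IoC domains; malformed lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlparse(m["url"]).hostname
        if host and host.lower() in domains:
            hits.append((m["ts"], m["client"], host.lower()))
    return hits


def affected_clients(hits):
    """Distinct internal clients that reached an IoC, sorted for triage."""
    return sorted({client for _, client, _ in hits})


# Constructed quarantined messages.
QUARANTINED = [
    """\
From: Jane Doe <jane.doe@acme-examp1e.com>
To: cfo@acme-example.com
Subject: Invoice approval

Please review the invoice at https://docs-share.example.org/inv/8831 before 5pm.
""",
    """\
From: IT Helpdesk <helpdesk@acme-examp1e.com>
To: cfo@acme-example.com
Subject: Session expired

Your session expired, sign in again: https://acme-example-sso.example.net/login.
""",
    """\
From: Jane Doe <jane.doe@acme-examp1e.com>
To: hr@acme-example.com
Subject: W-2 batch

Upload this year's W-2 batch to https://docs-share.example.org/upload today.
""",
]

# Constructed proxy log lines in the assumed format.
PROXY_LOG = [
    "2024-05-02T09:14:03Z 10.1.4.22 GET https://acme-example-sso.example.net/login 200",
    "2024-05-02T09:15:10Z 10.1.4.22 POST https://acme-example-sso.example.net/login 302",
    "2024-05-02T09:20:41Z 10.1.7.9 GET https://www.example.com/ 200",
    "2024-05-02T10:02:17Z 10.1.9.14 GET https://docs-share.example.org/inv/8831 404",
    "this line is malformed and should be skipped",
]

if __name__ == "__main__":
    iocs, targets = harvest_iocs(QUARANTINED)
    contacts = find_contacts(PROXY_LOG, iocs)
    print("IoC domains:", sorted(iocs))
    print("Targeted recipients:", dict(targets))
    for ts, client, host in contacts:
        print(f"{ts} {client} reached {host}")
    print("Hosts to triage:", affected_clients(contacts))
```

The POST to the fake sign-in page is the line to act on first: a GET means the lure was opened, a POST means credentials were probably submitted, so that client's owner gets a password reset and session revocation before anything else. The recipient counts answer the "who is being targeted" question from the previous paragraph and feed the next round of training.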