Phishing is the most common type of social engineering attack and has targeted companies for years. Phishing attacks are typically sent to a large number of people; company executives, however, may be hit with something aimed specifically at them: a special type of phishing called whaling.
Whaling, which is basically a phishing attack that targets senior-level executives, is used to entice a high-profile target to click on a malicious link. This type of phishing may be harder to identify than a standard phishing attack because these targets are much more valuable, so the attacker is willing to spend more time obtaining information and researching the target individual or targeted roles in order to craft more convincing phishing messages. The more detailed and accurate the attacker's use of personal information, the more believable and enticing the phishing message is and the greater the chance of phishing success.
So a whaling email is more personalized than a basic phishing attack, which is broadcast to an entire company or even to as many people in the world as possible. Whaling emails targeting executives may contain their corporate email address, full name, mobile and work phone numbers, and other credible personally identifiable information (PII) that an attacker can discover just by searching online. These personalized whaling emails are more convincing than a standard phishing email and are expected to result in higher success rates for attackers.
Another good reason an attacker may choose whaling is that executives often have more extensive access to areas and data in a company, owing, of course, to their higher rank and privilege. If a phisher acquires an executive-level login credential, the attacker will be able to access additional areas of the company and steal private data more effectively than if they had merely stolen an entry-level employee's credentials. Whaling emails also succeed more often because more effort and more time is spent crafting them to make them enticing and credible. So higher success rates and larger rewards make executives key targets for attackers.
The takeaway on whaling emails is that all company executives should receive specialized training in security awareness, phishing prevention, and identification of phishing emails, in addition to the regular company-wide training for everyone in an organization. Don't skip your executive branch or let them off the hook when it comes to security training: they are the most at-risk and most heavily targeted individuals in your organization.
Dave DeSimone is the Chief Security Officer (CSO) of Binary Defense and has 15 years of experience in various information security roles throughout his career. Dave has worked for Fortune 500 companies as well as a global law firm, designing, managing, and implementing information security programs. Dave is an organizer of DerbyCon, a 3,000-person information security conference, serves on the technology boards of local colleges and universities, where he provides insight on improving their information security degree offerings, and has also spoken at DefCon and other security conferences.