Whaling: Phishing for the Big Ones

You may have encountered the term “whaling” when IT people talk about spam email. It’s like phishing, but it directs its bait at really big prey.

Phishing is email designed to trick people by pretending to come from a legitimate source. The sender hopes the victim will open an attachment, click a link, divulge a password, or otherwise do something that will open a security hole which the attacker can exploit. Often it directs the recipient at a website that impersonates a government agency or business.

Spearphishing is targeted phishing that uses information about the recipient to make the message more plausible. Unlike ordinary phishing, which can go out to thousands of recipients in the hope that some will fall for it, spearphishing raises its chance of success by claiming to come from someone the recipient knows or by working personal details into the message. When spammers get hold of someone’s address book, they can send that person messages that appear to come from acquaintances, or send the acquaintances messages that appear to come from that person.

Whaling takes this a step further by targeting or impersonating high-level people in a company. The goal is to get the executive to provide access to confidential information, or to use the power of authority to trick employees. The forger does serious research to make the message appear authentic.

Whaling attacks have been growing in number. One tactic is to send an urgent request, apparently from the CEO, directing the accounting department to transfer funds promptly to an outside account. Another is to send what looks like a subpoena, requiring the executive to download information or open an attachment.

In 2008 a sophisticated whaling email went out to about 20,000 corporate executives, identifying them by name, and claiming to inform them of a subpoena. Several thousand computers were compromised. Even antivirus software did poorly at stopping the attack. Federal officials got hundreds of calls from people who had the sense to ask about the messages they’d received.

Domain spoofing lets the fraud operators send messages from addresses that look like the company’s address. If the president’s email address is president@examplebusiness.com, a criminal might register examp1ebusiness.com, with the digit “1” replacing the letter “l.” This can get past checks that detect forged senders, since the message genuinely comes from the lookalike domain rather than forging the president’s address. Also, any replies will go to the criminal and not the president.
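As an added illustration of the lookalike trick above (this is not code from the original article), here is a short Python check that a mail gateway or security team could use to flag sender domains that merely resemble the company’s own. All addresses and domains in it are constructed placeholders.

```python
# Added example, not from the original article: flag sender addresses whose
# domain only resembles the company's real domain (examp1ebusiness.com vs
# examplebusiness.com). All domains and addresses below are constructed.
from typing import Iterable

# Character sequences that are easy to mistake for one another in email clients.
CONFUSABLES = {"1": "l", "0": "o", "5": "s", "3": "e", "vv": "w", "rn": "m", "cl": "d"}

def normalize(domain: str) -> str:
    """Lower-case a domain and collapse confusable characters to their lookalike."""
    d = domain.strip().lower().rstrip(".")
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch dropped or doubled letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, trusted_domains: Iterable[str]) -> str:
    """Return 'trusted', 'lookalike' or 'external' for the domain of an address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    trusted = {t.lower() for t in trusted_domains}
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        # A confusable substitution, a one-character typo, or the real domain
        # embedded inside a longer one (examplebusiness.com.other.test) all count.
        if norm == normalize(t) or edit_distance(norm, normalize(t)) <= 1 or t in domain:
            return "lookalike"
    return "external"

if __name__ == "__main__":
    # Constructed sample senders, as a gateway rule or a training exercise might see them.
    for addr in ["president@examplebusiness.com", "president@examp1ebusiness.com",
                 "cfo@examplebusines.com", "news@vendor.test"]:
        print(addr, "->", classify_sender(addr, ["examplebusiness.com"]))
```

A “lookalike” verdict is a reason to hold the message for review or warn the recipient, not proof of fraud on its own, since a legitimate partner may own a similar name.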

To avoid becoming the target of a whaling attack, it’s important to remember how vulnerable email is to deceptive practices and not take unusual requests at face value without confirmation. An organization should have a process for authenticating requests for money transfers, using a channel other than email.

Digitally signed email can provide protection. This approach adds data to the email which confirms that it comes from the claimed sender and that it hasn’t been tampered with. Forgers can’t generate a valid signature without the signing key, which is private to the account owner.

It’s useful to remember that official government notices demanding action rarely come out of the blue by email. Recipients should assume any such mail is fraudulent till proven otherwise.

Senior executives should be careful of how much information they publish about themselves on social media. The more they reveal, the easier it is to impersonate them or personalize messages to them.

Training can reduce the chances that executives and employees will fall for phishing email. Exercises with whaling messages based on real-life models can find out how many people they deceive and how people can avoid being fooled in the future. Executives may think they’re too busy to participate in security training, but their status as prime targets makes it important for them to learn what precautions to take. Administrative assistants, who handle much of the mail for the executives, also need this training.

Whaling and other forms of phishing play on people’s psychology and trustfulness. People need to learn an appropriate level of skepticism about any email they receive.
