Whaling is a type of spear phishing that targets high-profile end users such as C-level corporate executives. Like traditional phishing, whaling relies on social engineering against the victim, with some technological play in the background.
Whaling content, both the message and any website it points to, is very personalised: this is personal, one-on-one phishing. The social trickery uses the victim's name, job title or other relevant details. That information is usually gleaned from other sources, mostly public ones, and, you guessed it, social media above all. Personal information may also come from previous attacks or social engineering attempts. Think of the case where criminals have socially engineered other staff, colleagues or the receptionist into revealing details that can be used in future attacks.
The whaling message and its call to action may take the form of a legal request, a customer complaint, or an executive-level issue. The content may ask the recipient to perform a task, such as providing employee records or sending a wire transfer, or contain malicious links that, when clicked and viewed, lead to pages with a highly professional and legitimate look and feel.
The social engineering component aims to trick the target, via a message (usually email or instant messaging), into releasing sensitive or personal information. The message looks and feels as if it came from a trusted source, a colleague or business partner, using a spoofed From address or other social tricks together with a call to action.
Because whaling attacks are so targeted and well conceived, they are often harder to detect than standard phishing attacks. In the enterprise, security administrators can help prevent successful whaling expeditions by encouraging corporate management staff to undergo information security awareness training. It is also important for the business to implement the appropriate cybersecurity protections, including web security and zero-day phishing intelligence, combined with an incident response plan that is in place and ready to execute.
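As an added example that is not part of the original article, the following Python script flags the spoofed-From pattern described above in a constructed message: a display name matching a known executive but sent from a different domain, a Reply-To that diverts replies elsewhere, and urgent financial wording from an external sender. The executive directory, the domains and the sample headers are all assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical directory: executives an attacker might impersonate and the
# domain their legitimate mail comes from (constructed for this example).
EXECUTIVES = {"Jane Doe": "example.com"}
INTERNAL_DOMAINS = {"example.com"}
URGENT_TERMS = ("wire transfer", "urgent", "confidential")

# Constructed sample headers: one whaling attempt, one legitimate message.
SPOOFED = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: ceo.office@freemail.example
To: finance@example.com
Subject: Urgent wire transfer needed today

Please process the attached invoice before noon.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Board pack for Thursday

Attached as discussed.
"""

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _normalise(name: str) -> str:
    # Collapse case, punctuation and spacing so "J. Doe" and "jane doe" compare alike
    return re.sub(r"[^a-z]", "", name.lower())

def check_message(raw: str) -> list:
    """Return the whaling indicators found in one message's headers."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    subject = (msg.get("Subject") or "").lower()
    findings = []
    # 1. Display name matches an executive, but the address is not on their domain
    for exec_name, exec_dom in EXECUTIVES.items():
        if _normalise(from_name) == _normalise(exec_name) and from_dom != exec_dom:
            findings.append(f"display-name impersonation of {exec_name} from {from_addr}")
    # 2. Reply-To points away from the From domain, so replies are diverted
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"reply-to mismatch: {from_addr} -> {reply_addr}")
    # 3. External sender paired with urgent or financial wording in the subject
    if from_dom not in INTERNAL_DOMAINS and any(t in subject for t in URGENT_TERMS):
        findings.append(f"external sender with urgent subject: {subject!r}")
    return findings
```

In a mail gateway the same three checks would run on every inbound message and route hits to a quarantine or an analyst queue rather than the executive's inbox.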