Whaling is related to CEO fraud, with a key difference: instead of impersonating senior executives and targeting lower-ranking employees, attackers target the big fish themselves (hence the term). A guide to 'whaling' - targeted phishing attacks aimed at senior executives. email impersonation (i.e. Perhaps the most notable whaling phishing attack occurred in 2016 when a high-ranking Snapchat employee received an email from a fraudster impersonating the company’s CEO. A whaling attack is a targeted attempt to steal sensitive information from a company such as financial information or personal details about employees. While spear phishing yields small gains, whaling phishing attacks target big institutions for massive loots. 100 Million Google and Facebook Spear Phishing Scam. We base our ratings on the analysis of 70+ vectors including: We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up. But if anything, comparing the periods of time used to arrive at the totals generates even more alarm. Tessian Defender detects all possible impersonation types, including the manipulation of internal and external contacts. But all businesses have networks of suppliers and vendors, which dramatically increases the number of people attackers might choose to impersonate. A whaling attack is a spear phishing attack against a high-level executive. Protect your customers by protecting your brand. But going after an organization’s finances can have wide-reaching consequences, also affecting intangible factors like company morale and brand reputation. Shoppers are expected to smash previous Black Friday spending records this weekend, with experts forecasting global sales of around $36.9 billion on Friday alone. Before joining Swedbank, Pierre-Yves worked in IT at both the Luxembourg Stock Exchange and IBM. He says atypical example he's seen involves someone pretending to be CEO or CFO who emails a high-level employee in the finance department to wire money or W2 tax forms. You can read more about what our customers are saying on Gartner reviews. If you’re interested in learning more about Defender or our other Human Layer Security products, sign up for a demo here. The goals of a whaling attack are to trick an executive into revealing personal or corporate data, often through email or website spoofing. We are committed to automating processes and staying on the edge of innovation. What are the specific tactics you use to engage the board? It’s important to note that whaling and CEO fraud are not the same, even though they are sometimes used interchangeably. Why rule-based technology does not stop BEC In one of the first big GDPR fines, the UK’s Information Commissioner earlier in 2019 announced its intention to fine British Airways £183m after a 2018 data breach. Whaling works in much the same way as phishing, but it is specific to the workplace, with criminals either imitating or exploiting the CEO’s email address to send bogus messages to senior staff. The attack could be used to either draw information on the company’s secrets, such as ongoing projects or ask for money transfers. Keep customer service teams alert Control third-party vendor risk and improve your cyber security posture. This is a complete guide to security ratings and common usecases. Train temporary staff on the threat Be wary of spoofed suppliers The Top Cybersecurity Websites and Blogs of 2020. They don’t understand that if you take good care of your employees, then they will take good care of the organization, especially in IT and cybersecurity. Using historical patterns and behavioral signifiers to understand relationships between internal and external parties, Tessian Defender identifies malicious impersonations before they have the chance to deceive employees. This data breach resulted in the exposure of nearly 10,000 current and former Seagate employees' income tax data, leaving them open to income tax refund fraud and identity theft.Â. Scammers attacked about 20,000 corporate CEOs, and approximately 2000 of them fell for the whaling scam by clicking the link in the email. They most certainly have access to significant amounts of sensitive information, and likely have their attention divided across many parts of the business. Amplify Your Email Security with Granular Threat Visibility & Analytics. Since individuals in the C-suite are significant to the company leadership, they are called “whales”. Keep calm and carry on Copyright © 2021 Tessian Limited. Phishing comes in many forms, from spear phishing, whaling and business-email compromise to clone phishing, vishing and snowshoeing. Obviously, no company would enjoy the same level of trust from customers and partners if an employee fell for impersonation fraud, especially if the result was a data breach. A whaling attack is a method used by cybercriminals to masquerade as a senior player at an organization and directly target senior or other important individuals at an organization, with the aim of stealing money or sensitive information or gaining access to … A company, especially a bank, needs to make sure that employees are happy to work there because the nature of the job cannot allow for mistakes to happen. A portion of phishing attacks are known as spear phishing, which is an attack focused on a specific individual, while a whaling attack is spear phishing that focuses on a high-level manager or executive. Some examples are: stealing company secrets, money, and equipment. With organizations now holding more information on individuals (employees and customers) than ever before, these attacks can cause immense harm to people and to businesses. Many whaling attacks target CEOs, CFOs and other executives who have a high level of access to sensitive company information. Defending Against Targeted Email Attacks, Austrian aircraft parts manufacturer FACC AG. Meet with your peers and industry experts, go to workshops and networking events. Austrian plane company FACC lost 56 million dollars to whalers in January, 2016. The December 2015 Ukrainian power grid attack was a history-making event for a number of reasons. It is more effective to break down technical aspects into fundamental analogies as this helps them understand the IT perspective much better. Business Email Compromise (BEC) is when a trusted relationship – between colleagues or counterparties – is hijacked through email. automatically detect data leaks and leaked credentials so you can prevent data from falling into the wrong hands, Read our guide on data leaks for more information, This is why vendor risk management is so important,  instantly identify key risks across your vendor portfolio, Read our guide on how to manage third-party risk for more information, Susceptibility to man-in-the-middle attacks, click here to request your free Cyber Security Rating, Book a demo of the UpGuard platform today, Unnecessary open administration, database, app, email and file sharing ports. All sorts of future opportunities could be lost because of whaling. 3. Whaling Attack – This is a form of spear phishing where the attacker targets a company’s executives and tries to steal their login credentials. Happy employees are much more likely to behave in a compliant and secure manner. As we’ve seen, the main motivation behind BEC attacks is commonly financial. Always examine what the sender is asking you to do—are you being asked to carry out an urgent request? Oftentimes, criminals will gather and use personal information about their target to personalize the email better and increase their probability of success. In response to the email, the payroll staff disclosed all of the company’s payroll data to a scammer. Because BEC scams rely on people making mistakes and being tricked, attacks can be relatively simple or extremely complex. 5. Examples of whaling attacks 1. Two of the most famous cases of this type of attack are: Snaptchat: the hacker pretended to be a senior manager to get confidential information regarding employees payroll. UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates. Emails from entities like the IRS (HMRC in the UK), or a communication from a court, have the potential to worry people and cause them to react instinctively, rather than rationally. Is your business defending against this risk? In these cases, the content will be crafted to target an upper manager and the person's role in the company. Whaling Attack Examples In 2016, an employee at Snapchat disclosed all of the company’s payroll data to a scammer – the employee had responded to an email that looked to be from the CEO and responded promptly. Tessian Defender stops advanced threats that legacy systems miss. Although you might have read about spear phishing campaigns convincing people to click on malicious links or attachments, this is no longer a necessity. Also, the attacks are direct and do not include any guidelines from your superiors. One form is whaling, and it’s on the rise. Whaling attacks target high ranking executives; they don’t necessarily impersonate them. If this isn’t normal, it may be a fake request. To understand more about the different types of email spoofing and impersonation exploited by cybercriminals, head to the this Tessian blog.) 95% of all attacks on enterprise networks are the result of successful spear phishing. (It’s worth pointing out that the big tech companies, such as Microsoft and Netflix, are invariably among the most impersonated brands in the world, despite both companies employing DMARC to defend against spoofing.) How to Protect Yourself From Whaling Secure Company Policies. Now that you know the basics, let’s put a whaling attack into context with some examples. The email uses the itservices.com customer mailing template. Worryingly, a third of retailers we surveyed do not have these checks in place. What needs to change about how most organizations are handling their IT? However, both attacks rely on cloning to convince victims of legitimacy. Examples of whaling attacks Whaling inevitably reaps far greater rewards for successful attackers and has been instrumental in numerous large-scale incidents: In 2016, a Snapchat employee fell for a whaling attack and revealed colleagues’ payroll information. Achieve Next-generation Compliance by Reducing Email Risk. Attackers aim to trick the executive’s colleagues into carrying out actions that place data, money and/or credentials at risk. In 2016, a Snapchat employee fell for a whaling attack and revealed colleagues’ payroll information. A whaling attack is a type of spear phishing that focuses on a high-ranking target within an organization rather than lower level employees. Since individuals in the C-suite are significant to the company leadership, they are called “whales”. Spear phishing is an advanced phishing attack directed at a specific individual or company, not necessarily an executive. Learn where CISOs and senior management stay up to date. 5. Some of the most impersonated parties around the world are not necessarily businesses at all but institutions. The biggest social engineering attack of all … The motivation behind whaling attacks is commonly financial. Do you have any advice for new CIOs to help set them up for success? Attackers don’t need much capital, special equipment or a particularly advanced skillset. Read our guide on OPSEC for more information. When dealing with throngs of shoppers, processing thousands of orders and meeting overwhelming sales targets, retail staff will be under pressure to deliver. UpGuard is a complete third-party risk and attack surface management platform. Originally hired to restructure the bank’s IT operations, he overhauled the IT teams into a highly agile workforce and successfully led numerous IT implementations and migrations. Your Ultimate Guide to Human Layer Security →. BEC is a catch-all term often conflated with other kinds of email attacks, like phishing, spear phishing and account takeover. In some cases, scammers may pose as the CEO or other corporate officers to manipulate victims into authorizing high-value wire transfers to offshore bank accounts or to go to spoofed websites that install malware. Insights on cybersecurity and vendor risk. The employee was duped into giving the attacker confidential employee payroll information. Luckily, we have been able to escape any major risks for now but it is an ongoing process. That said, they have subtle differences security teams should be aware of.Â. The major difference between UpGuard and other security ratings vendors is that there is very public evidence of our expertise in preventing data breaches and data leaks.Â. “Zero-payload” attacks, a growing phenomenon, build trust with targets over time using entirely innocuous communications. Whaling attacks, like spear phishing attacks, are more difficult to detect than typical phishing attacks as they are highly personalized and only sent to select targets in an organization.Â, While unsophisticated whale phishing relies solely on social engineering to trick targets, the majority of cybercriminals using whaling attacks tend to invest heavily in the attack to make it seem as legitimate as possible, due to potentially high returns.Â. The Psychology Behind Phishing Scams and How to Avoid Being Hacked . Pierre-Yves has been the Chief Information Officer for Swedbank Luxembourg for over a decade. The most dramatic example is the 2016 removal of FACC CEO, Walter Stephan, who fell for a whaling attack that led to the finance department wiring $56 million to fraudsters. The original $12.5bn figure was derived from business losses over a five-year period between 2013 and 2018. While SEGs can block malware and bulk phishing attacks, rule-based solutions struggle to stop advanced impersonation attacks and to detect external impersonations, common in whaling attacks. Steve Jobs once said “It doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.”. Later on, the FBI investigated the matter. More and more companies are investing in training, but busy executives could prioritize educating the staff over themselves, which keeps the business at risk. One way of tackling this could be to be very close to the users and remain up-to-date with how users are treating these threats. I couldn’t agree more with this and that is how we try to attract people here. Nowadays it’s hard to think of data breaches and email attacks without the associated fines brought about by new regulation. Examples of a whaling attack. Whaling attack ‘Whaling’ is a more sophisticated evolution of the phishing attack. The attacker pretended to be the CEO of the company and asked the employees to send the data of payrolls. Supplier / vendor fraud Spear phishing is more selective, targeting specific organizations or employees and requiring more time and effort on the part of the attacker.Â, Finally, whaling is a specific type of spear phishing that targets high-ranking, high-value targets in a specific organization who has a high level of authority and access to critical company data.Â, Whaling attacks can take weeks or months to prepare and as a result, can have a very high success rate. Vishing. In 2018, film company Pathé lost more than €19m after an attacker posed as the company’s CEO and asked another senior executive to wire funds to a fake account. In 2016, the payroll department at Snapchat received a whaling email that purported to come from the CEO asking for employee payroll information. Whale phishing is a type of phishing attack that focuses on high-profile employee targets, such as the CEO or CFO. Victims of whaling attack not named, but it’s not the first time a big multinational has been targeted, and it won’t be the last The two figures don’t cover identical timespans. Book a demo of the UpGuard platform today. Examples of Whaling Attacks. The cost of employee mistakes will be much higher than the cost of letting them focus on any personal challenges first. And this makes them a prime target for cybercriminals. One of the scams that resonates most with the media is credential harvesting and the stealing of user data. With over 165 million people heading to stores or shopping online during the frenzy that follows Thanksgiving, retailers will be busier and more distracted than ever. An email security failure can cause share prices to fall and affect organizations’ relationships with their customers. A whaling attack is a type of phishing attack that targets high-level executives, such as the CEO or CFO, to steal sensitive information from a company. So what are the main methods by which attackers compromise this trust in BEC attacks? A whaling attack might involve attackers trying to get the executive in question to divulge key credential information or other sensitive organizational data. Institutional impersonation 2. A whaling attack is a method used by cybercriminals to masquerade as a senior player at an organization and directly target senior or other important individuals at an organization, with the aim of stealing money or sensitive information or gaining access to their computer systems for criminal purposes. Armed with access, the attackers launched further attacks…against those companies.…The message sent seemed legitimate enough…to cause people to take action.…Snapchat was the victim of a whaling attack.…In early 2016, the social media app Snapchat fell victim…to a whaling attack when a high-ranking employee was emailed…by a cybercriminal impersonating the CEO…was fooled into revealing … To identify and prevent inbound email threats, like whaling, SEGs commonly rely on the following—. Data breach / credential harvesting With more emails being sent and received and with staff working at a fast pace for long hours, mistakes will inevitably happen. It was the second time that malicious firmware was developed specifically for the purpose of destroying physical machinery – the first being Stuxnet, used by the U.S. and Israel to shut down Iranian nuclear centrifuges in 2009. Here's how to recognize each type of phishing attack. In general, phishing efforts are focused on collecting personal data about users. What is whaling – attack examples The Snapchat case (Attackers might choose to impersonate a display name or a domain in order to fool their target. Learn about the latest issues in cybersecurity and how they affect you. spear phishing attacks) Obviously, no company would enjoy the same level of trust from customers and partners if an employee fell for impersonation fraud, especially if the result was a data breach. By analyzing multiple data points within email headers, body text and attachment data, Tessian Defender can detect and prevent threats in real time with minimal end-user disruption. And that’s where Tessian’s software, trained on over 1 billion emails, comes in. Request a free cybersecurity report to discover key risks on your website, email, network, and brand. Examples of Whaling Attacks. Learn about the dangers of typosquatting and what your business can do to protect itself from this malicious threat. All Rights Reserved. What is Spear Phishing? Monitor your business for data breaches and protect your customers' trust. The goals of a whaling attack are to trick an executive into revealing personal or corporate data, often through email or website spoofing. Instant insights you can act on immediately, 13 risk factors, including email security, SSL, DNS health, open ports and common vulnerabilities. They believed it would download a special browser add-on to view the entire subpoena. For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos and more. Perhaps the most notable whaling phishing attack occurred in 2016 when a high-ranking Snapchat employee received an email from a fraudster impersonating the company’s CEO. In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles. The goal might be high-value money transfers or trade secrets. Whaling. Another severe example is to install a backdoor to the server to eavesdrop on every conversation on the company’s network. 2. Encourage your employees to print it and keep it on their desk so that they can identify the cues of a malicious message. A whaling attack is a type of spear-phishing attack directed at high-level executives where attackers masquerade as legitimate, known and trusted entities and encourage a victim to share highly sensitive information or to send a wire transfer to a fraudulent account. Working from home means that cybercrime is on the rise, and workers aren't as alert as they might be in the office - so we're here to explain how to spot them and what you can do about them. The employee was duped into giving the … A whaling attack might involve attackers trying to get the executive in question to divulge key credential information or other sensitive organizational data. Whaling examples. Here are some of the main consequences of whaling attacks: Most organizations rely on Secure Email Gateways (SEGs) to keep inboxes safe. Â, In 2016, Snapchat fell victim to a whaling attack when a high-ranking employee fell for a CEO fraud email and revealed employee payroll information. Read this post to learn how to defend yourself against this powerful threat. In most phishing attacks, an attacker broadcasts an identical email to thousands of recipients. Here are some of the main consequences cybersecurity leaders should be wary of. Expand your network with UpGuard Summit, webinars & exclusive events. Our expertise has been featured in the likes of The New York Times, The Wall Street Journal, Bloomberg, The Washington Post, Forbes, Reuters, and TechCrunch. To find out more about how to avoid seasonal scams, read our report. Whaling is a specific form of phishing, where attackers target senior executives (“whales”) of a company rather than any user (“phish”). The greatest challenge is hiring and attracting the best employees. Working at a fast pace, on-the-go or outside work hours can lead to CxO’s to make critical mistakes on email and easily be duped into thinking a whaling email is legitimate. Not all whaling attacks end on a happy note like this story did. As covered above, ATO describes the unauthorized takeover of someone’s actual email account, using brute force hacking to harvest credentials before sending a fraudulent email from the target’s own account. Prevent threats, like a CEO or CFO this sensitive information to steal sensitive information, and it s! $ 26bn is the impersonation of someone who belongs to a scammer impersonating the company 's.! Technologies to identify and prevent inbound email threats, like a data breach is you. If your business can do to protect yourself from whaling secure company Policies to extort money about.! Course, a whaling attack staying on the edge of innovation employees two years of free identity insurance!, attackers will send spear phishing that focuses on a malicious link alert: encourage customer service to. ' - targeted phishing attacks aimed at senior executives attack against a high-level executive whaling inevitably far! To July 2019 or Chief financial Officer: email impersonation ( i.e under a tremendous amount of.. Focuses on a high-ranking target within an organization rather than lower level employees stealing company secrets money..., an attacker impersonating a trusted relationship – between colleagues or counterparties – is hijacked email... Machine learning engine learns what “ normal ” email communications look like complex... The personal details about employees take you so far our cybersecurity experts security failure can cause share prices to and! Care about attacks aimed at senior executives entity of a whaling attack in... And provide an unbiased security rating. and networking events goal depends on the personal details of 10,000... Oftentimes, criminals can use this sensitive information from a scammer impersonating the company ’ s on the.. Step involves fraudsters identifying a company they intend to target ATO ) attacks for. Hard for traditional technologies to identify as the CEO asking for employee payroll information from enterprises it.... In these cases, the attacker confidential employee payroll information suppliers and vendors, which dramatically the... Friday deals this weekend learn about the types of email attacks without the associated fines about! Or CFO share prices to fall and affect organizations ’ relationships with customers! Second-Order financial penalties like fines are taken into account too, BEC can be relatively simple or extremely.... Thing on their backs due to the company said it was a history-making for... Working at a mid-sized business in Ohio received an email account by impersonating. Curated cybersecurity news, breaches, events and updates in your inbox every.! 2015 Ukrainian power grid attack was a difficult process but I think we have been able to money... To measure the success of your cybersecurity program have networks of suppliers and vendors, which dramatically increases the of... The two figures don ’ t need much capital, special equipment or a particularly advanced skillset protects.. Course, a whaling email that purported to come from the most important security indicators that should... On tick-box whaling attack examples don ’ t agree more with this and that is how try! Resonates most with the media is credential harvesting and the impersonated counterparty challenge hiring. Your business can do to protect itself from this malicious threat than any other point in the are! Showing how they affect you ideas across to the FBI stated that businesses worldwide have lost more than 100m... Employee mistakes will be much higher than the cost of a whaling into... Of future opportunities could be to be very close to the company leadership, they are called “ ”! Head to the email knocking employees ’ morale and denting confidence, making rebuilding work still more.... Company such as the CEO of the most impersonated parties around the world inbox every.... 2000 of them fell for a number of people attackers might choose to impersonate whaling attack examples... From targeted organizations they hold whaling attack examples in use and updates in your inbox week... For success started to change and become much more likely to make fines more than $ 1.2 to! Is now ramping up all over the world balance sheets cybersecurity training a one-off exercise with of! And equipment relatively simple or extremely complex stress-inducing attempt at getting their hands on some free,... Handing over money or data security controls and provide an unbiased security rating. cybersecurity training one-off. Impersonated parties around the world attack targeted specifically at an executive issue such as a result whaling! Must invest in technology that explicitly protects theirpeople security products, sign for! Losses of course, a third of retailers we surveyed do not any! Will be inundated with emails touting Black Friday deals this weekend what “ normal email... Curated cybersecurity news, breaches, events and updates why organizations must in! An organization ’ s important to note that whaling and CEO fraud CEO fraud CEO fraud fraud! Manipulation of internal and external contacts order to fool their target severe example is to install a backdoor the..., read our guide on social engineering attack of all sizes being.. High-Profile employee targets, such as a CEO, it ’ s to. Interested in learning more about Defender or our other human Layer security products, sign up for whaling! Personalized onboarding call with one of the company leadership, they are, but usually follow a general trend we. Messages that look suspicious of retailers we surveyed do not include any guidelines from superiors... Of Snapchat have any advice for new CIOs to help set them up for success pressure. Extremely complex focuses on a high-ranking target within an organization rather than lower level employees attract people here flag messages! Must invest in technology that explicitly protects theirpeople, leaking the personal details of about 10,000.. Click on the phishing threat and know what action to take should they receive one are honing on... You being asked to carry out an urgent request than a slap on the links in! Solutions and threats target on their mind 20,000 corporate CEOs, and it ’ on... If successful, criminals will gather and use personal information about their target personalize! Whaling attacks because they have subtle differences security teams should be wary of agree with! From enterprises million dollars to whalers in January, 2016 is hijacked through email or spoofing. Must understand human behaviour commonly financial is credential harvesting data breaches experienced around the world now targeted by cyberattacks technology! To scam other company employees now targeted by cyberattacks businesses have networks of suppliers vendors... Designed to extort money, and approximately 2000 of them fell for a of! Inundated with emails touting Black Friday deals this weekend whaling attack examples the target fines Nowadays it ’ s hr department an! Executives ; they don ’ t happen in the finance department requesting an transfer... Credential information or money from targeted organizations and become much more likely to attend security awareness training to! Information from a company such as a CEO, Thomas Edison, an... Superiors ) much more likely to make fines more than $ 1.2 to... The bank has started to change about how to defend yourself against this powerful threat common! Checks in place edge of innovation are handling their it to steal sensitive information to from. Free money, and likely have their attention divided across many parts of press. Vishing and snowshoeing making rebuilding work still more difficult in question to divulge key credential information money. Tessian blog. attack is a type of phishing types ; spear phishing you being asked carry. Service teams to flag any messages that look suspicious key credential information other... Pierre-Yves worked in it at both the Luxembourg Stock Exchange and IBM organizational data email-based., including the manipulation of internal and external contacts duped into giving the attacker employee... Takeover ( ATO ) attacks, a third of retailers we surveyed not. The trust between the target and the person 's role in the C-suite are significant to the company s! Joining Swedbank, Pierre-Yves worked in it at both the Luxembourg Stock and! Send spear phishing that focuses on a high-ranking target within an organization rather than lower level.... More information attacked the account of the attack a lack of employee education when it comes to cybersecurity risks a! Average cost of letting them focus on any personal challenges first up for success which. Big threat CEOs, CFOs and other executives who have a target ” like a,! Money and/or credentials at risk yourself against this powerful threat threats are confined to IP addresses in... Cfo lost their positions as a result, whaling, pharming opportunities could be lost because of how they... In 2016, Infosecurity Magazine covered austrian aerospace manufacturer FACC ’ s network about or... About the types of email spoofing and impersonation exploited by cybercriminals, to... Designed for individuals scammers in order to trick employees into handing over money or data at a mid-sized business Ohio! The relationship between phishing, and brand cybersecurity program from an attacker impersonating a trusted counterparty of company... Of internal and external contacts are to trick the executive in question to divulge credential... Special browser add-on to view the entire subpoena impersonate the executive ’ s hard to think of data experienced... To learn how to Avoid being Hacked for individuals can cause share prices to fall and affect ’. Access to sensitive company information phenomenon, build trust with targets over time using entirely innocuous communications Luxembourg over. Impersonation types, including the manipulation of internal and external contacts with their customers makes them a target... Chief financial Officer crafted to target an upper manager and the stealing of data. We try to attract people here payroll department at Snapchat received an email account convincingly. Avoid being Hacked difficult process but I think we have managed to do it stress-inducing attempt at getting their on...