Whaling attacks are a type of social engineering used by scammers in order to trick employees into handing over money or data. Working from home means that cybercrime is on the rise, and workers aren't as alert as they might be in the office - so we're here to explain how to spot them and what you can do about them.

What is a whaling attack

What is a whaling attack?

A whaling attack is sometimes known as CEO fraud. It involves cybercriminals impersonating a company’s CEO, colleague, supplier or other trusted source in order to access sensitive data or funds.


What’s the difference between whaling and phishing?

Whaling is similar to phishing. However, where phishing scams cast a wide net with the aim of catching as many victims as possible, a whaling attack is specifically aimed at high-level targets such as CEOs or directors.

Unfortunately, these types of attacks are on the rise. According to the UK Government’s Cyber Security Breaches Survey 2020, 1 in 4 businesses experienced an impersonation attack in the last 12 months. This number is much higher for SMEs with over 50 staff, who are more than twice as likely to be targeted by impersonation threats.


How do whaling attacks work?

Cybercriminals know that employees are not always on their guard while opening emails, especially when working from home.

They target employees by sending an email impersonating the company’s CEO or another high-level executive. This is a form of social engineering, which is often successful because employees typically don’t want to disappoint or say no to the head of the company.

Those working in finance are commonly targeted, as they are more likely to have access to bank accounts and credit cards.


Whale phishing emails usually ask victims to do one of the following:

  • Transfer money to the attacker’s bank account, or provide credit card details
  • Provide sensitive information to do with the industry, customers, employees or the individual themselves, in order to carry out further attacks
  • Click on a link to a site that delivers malware

Then, if the victim believes the email, they will hand sensitive data or money straight over to cybercriminals.


How whaling attacks could affect your business

  • Financial loss: It’s all too easy for scammers to make money from careless employees. The Dutch arm of film company Pathé lost €19m to fraudsters after its CEO and Finance Director fell for a whaling attack. Plus, when you factor in fines for data breaches and potential loss of customers, the figures start adding up.
  • Damaged reputation: Needless to say, it doesn’t look great to outsiders if someone within your organisation falls for impersonation fraud, especially if a data breach is involved. You could lose customers, suppliers, partners and future opportunities due to lack of trust.
  • Data loss: Clicking on a link that infects your computer and/or network with malware can result in a huge data breach affecting your customers, employees or intellectual property.
  • Disruption: The aftermath of a whaling attack can significantly disrupt your ability to continue business operations. Customers or relevant stakeholders must be notified of data breaches, you have to try and regain any funds lost, and security measures must be reassessed to ensure it doesn’t happen again.


How to identify whaling attacks and CEO fraud

The reason that whaling attacks are so dangerous is because they are so well written and personalised that they often appear to be genuine. Whaling emails are usually sent without attachments, which makes them very tricky for anti-spam software to identify. So, it’s always best to double check before carrying out a request you’ve received by email.

Telltale signs of a whaling email may include:

  • A spoof email address which resembles that of a colleague – for example, john.smith@company.co.uk might be impersonated as @john_smith@companny.co.uk
  • A sense of urgency – this encourages victims to take action without thinking about the consequences
  • A low-effort response to a high-risk threat – for example, if we don’t pay this supplier, we will be subject to legal action
  • A strong emphasis on confidentiality – recipients are often asked not to discuss the email with anyone else to increase their chance of success
  • A change of banking details – the payment details are different to the ones you have on record


How to prevent whaling attacks and CEO fraud

To improve whaling security, businesses must have a combination of adequate cyber security measures in place. However, it’s important to remember that employees are your last – and most important – line of defence.

  • Advanced threat protection: Email security solutions like Mimecast can help protect against impersonation emails. It can detect and warn users in advance if an email seems out of place and could be a potential phishing attack by scanning the content and other email properties for anomalies such as mismatched domain and display names. This can be part of a managed security package which includes features such as 24/7 monitoring, incident response, and user awareness training.
  • Don’t overshare on social media: Whaling emails seem more genuine when they include personal or corporate information. For example, if a CEO posts that they are on holiday, a fraudster may include this in a whaling email to make it look like they need a last-minute favour as they are overseas and forgot to pay a bill.
    Encouraging employees to keep their social media accounts private, and not to overshare personal updates on LinkedIn, may help to limit any information that fraudsters could later make use of.
  • User awareness: Whaling attacks are becoming more sophisticated, which means they are difficult to spot. However, investing in training that educates users on what to look out for can help them stay alert.
  • Social engineering tests: Social engineering is a type of penetration test. It involves periodically sending out would-be phishing emails to employees to test their response. This means you can see how resilient your employees are to cyberattacks, or whether they require further training.


Want to know more?

Here at Air IT, our friendly team of experts can help with all aspects of cyber security, from user awareness to incident response. For more information on our managed packages and other services, please don’t hesitate to contact us.