Whaling vs Phishing vs Spear Phishing: Changes in Tactics
What is a whaling attack?
A whaling attack is a form of phishing attack that targets a notably important figure in the organisation. The attacker pretends to be a senior member of the organisation in order to gain the target's trust. Once that trust has been gained, the attacker presses for further company details which, if acquired, allow them to reach sensitive areas of the organisation's network, passwords and other account details.
A whaling attack can unfold very quickly; typically, however, it is conducted over a span of weeks or months. This is because the attacker's goal is to establish trust with the target, whether a regular employee or a senior one. If the attack is carried out too quickly, the target becomes suspicious; by taking the time to act as a senior employee of the targeted organisation, the attacker makes it far more likely that the targeted individual will share sensitive information.
How are whaling attacks carried out?
A whaling attack will most likely begin with a communication attempt in the form of an email or an office messaging platform. If the target responds, this confirms to the attacker that the email address or other communication channel they are using for the target is the right one. At this stage the target may have no reason to be suspicious of the sender, because the username looks typical of the target's associate. In some cases the email address is fake, but convincing enough.
This stage is important from the attacker's perspective, as this is when they need to establish trust with the target in order to expand the attack further. They may do this by sharing details that the impersonated associate would know, which the attacker can gather from social media.
Once trust has been established, the attacker will try to extract further information from the target. Examples include pretending to have forgotten login details and asking the target to send them, or pretending to need a file while out of the office and asking the target to send it.
Whaling vs phishing vs spear phishing
Although whaling, phishing and spear phishing are all forms of phishing, each differs from the others.
Phishing involves deceiving targets into revealing sensitive information to the attacker through electronic communication such as email or SMS. Typically, with either channel, the target is tricked into believing there is an issue with an account they hold, for example a bank account, and that to resolve it they need to check their account. The target is instead redirected to a fake site, where they unwittingly hand their details to the attacker.
Spear phishing is like phishing, but the attack is directed at a particular individual. By contrast, a characteristic common to ordinary phishing attacks is the sending of the same or similar messages to a whole list of email addresses or other communication channels.
Whaling is similar to spear phishing in that the attack is targeted. The difference is that in whaling the attacker impersonates an associate of the victim in order to gain the target's trust. This method is what differentiates whaling from phishing and spear phishing.
If successful, what exactly are the consequences?
Whaling is a form of social engineering attack that relies on the victim taking a secondary action, such as:
- Clicking on a link that redirects them to a site delivering malware.
- The victim transferring their funds to the attacker’s account when they are successfully tricked.
- Mistakenly providing additional details about the business or about themselves as an individual.
When successful, the targeted organisation may suffer from:
- Financial loss.
- Loss of data such as customer data, staff data and more.
- Reputational damage.
Recent changes in tactics
The NCSC has recorded several occurrences in which a whaling email was followed up with a phone call to confirm the email's request. This social engineering tactic is referred to as cyber-enabled fraud. The phone call serves a dual purpose: it confirms the request made in the email and reassures the target of the email's legitimacy, so as to avoid raising suspicion.
Another method gaining traction is the use of social media to commit whaling attacks. Online social networking is a popular way of developing business contacts, recruiting employees and hosting industry-related discussions. Professional and personal social media accounts, however, give threat actors a way to research and make contact with staff in senior positions in the target organisation. Social media provides threat actors with enough information to conduct a social engineering attack, especially as victims tend to be less vigilant on social media.
Defending against whaling attacks
Defending against whaling attacks begins with educating staff about such attacks so that they are consistently on guard for the warning signs. Staff should be encouraged to be suspicious of all unsolicited contact, especially when important matters such as financial transactions are the subject. Unexpected emails should be regarded with scrutiny at all times.
Staff should also be aware of the signs that an attack is being attempted, for example a spoofed email address. Hovering the cursor over the sender's name should reveal the full email address. By examining the sender address of an unsolicited email, it is possible to spot differences from the legitimate address. It is also helpful to test staff in mock whaling exercises to increase their awareness.
All members of staff, especially employees in senior positions, should be careful when posting information on social media about birthdays, hobbies, holidays, job titles, promotions and relationships, as these details can be used to craft a convincing spoofed email.
A highly effective way of reducing the danger posed by spoofed emails is to have your IT department or staff automatically flag and review emails that arrive from an outside source. Flagging such emails makes it easier to tell which email is fake, even for those who lack cyber security awareness training.
Deploying anti-phishing software that provides services such as URL screening and link validation is helpful. In addition, it is beneficial to implement a further level of validation before sensitive financial information is released.
Rather than a single person being the one who signs off on payments, it may be beneficial to have two people commit to this task. If one employee has doubts about a certain request, they can discuss it with their colleague. This reduces the fear of being singled out for disciplinary action for refusing a task, and successful social engineering attacks revolve around the target's fear.
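The sender checks described above (flagging mail from outside the organisation and spotting a spoofed or lookalike sender address behind a familiar display name) can be automated. The following is an added illustration, not code from the original article; the organisation domain, the list of senior staff names and the sample From: headers are all constructed assumptions.

```python
"""Added example: flag unsolicited email by sender-domain and display-name checks.
ORG_DOMAIN, SENIOR_STAFF and the sample headers below are constructed assumptions."""
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"             # assumed organisation domain
SENIOR_STAFF = {"alice finance", "bob ceo"}  # assumed directory of senior staff names
# Characters commonly substituted when registering a lookalike domain
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalise(domain: str) -> str:
    """Fold common look-alike substitutions so 'exarnple' and 'examp1e' read as 'example'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str) -> list[str]:
    """Return warning flags for a From: header; an empty list means internal and clean."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return []                                    # genuinely internal sender
    flags = ["EXTERNAL"]                             # cheap, always-on banner for outside mail
    if normalise(domain) == normalise(ORG_DOMAIN) or edit_distance(domain, ORG_DOMAIN) <= 2:
        flags.append("LOOKALIKE_DOMAIN")             # e.g. examp1e-corp.com
    elif ORG_DOMAIN in domain:
        flags.append("LOOKALIKE_DOMAIN")             # e.g. example-corp.com.evil.test
    if name.strip().lower() in SENIOR_STAFF:
        flags.append("DISPLAY_NAME_IMPERSONATION")   # senior name on an outside address
    return flags

if __name__ == "__main__":
    # Constructed sample headers: one internal, three shapes of suspicious external mail
    for header in ["Alice Finance <alice@example-corp.com>",
                   "Alice Finance <alice.finance@examp1e-corp.com>",
                   "Bob CEO <bob.ceo@gmail.com>",
                   "Supplier Ltd <invoices@supplier.example>"]:
        print(f"{header!r:55} -> {classify_sender(header) or ['OK']}")
```

Any message flagged with more than just EXTERNAL is a candidate for the manual review step and the two-person payment check recommended above.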
We aim to advise our clients on implementing a range of specific cyber security measures, some of which will be more suitable than others depending on the type of business, to help ensure the cyber health of our clients' systems.
We advise our clients, whether individual users or business owners, on the various cyber threats their businesses and operating systems may face. This includes rising trends in particular threats, and prevention methods that are cost-effective and time-saving.
Furthermore, business owners, employees and general users may forget to run regular scans to monitor the health of their operating system, which criminals can take advantage of to gain unauthorised access by exploiting unrecognised, underlying vulnerabilities.
Securiwiser can run regular scans of your system and provide a detailed cybersecurity risk assessment and a cybersecurity vulnerability assessment. We can explain detected vulnerabilities and risks in detail to our clients and recommend the course of action that will save your business time and money.