4920 Constellation Drive
White Bear Township, MN 55127-2218
help@chipscs.com | 651.407.8555
Whaling scams are increasing at an alarming rate. In just a year, the number of attacks has risen 131%. Companies are the primary targets, so it is important for you to be familiar with this type of phishing and to know how to protect your business from it.
Whaling Basics
A whaling attack is a high-stakes spear phishing scam that targets, or impersonates, a high-level official in an organization, such as a chief executive officer (CEO), director, or prominent manager. Whaling is a form of business email compromise (BEC); when the impersonated official is the CEO, it is also called CEO fraud.
There are two main variations of whaling scams:
No matter the variation used, the cybercriminals perform extensive research to learn about the target, the person they are impersonating, and the company in general. That way, they can make the whaling email highly personalized and seemingly legitimate.
Whaling emails almost always include a deceptive sender email address. Scammers use a variety of deception techniques. Sometimes, they use spoofed or lookalike email addresses that are nearly identical to their legitimate counterparts. Other times, they hijack the email account of the person they want to impersonate and use the hijacked account to send the whaling email. In that case the message passes every sender-authentication check, because it really did come from the CEO's mailbox, and the target has no way to tell from the headers that the email is actually from a cybercriminal masquerading as the CEO rather than from the real CEO.
Scammers occasionally get creative. For example, if they are impersonating an executive and their research reveals that he will be on an overseas business trip for several weeks, they might create an email account that is supposedly the executive’s personal email account. Then, when the executive is on the trip, the cybercriminals will use the faux personal account to send the whaling email. The email will include a plausible reason why the personal account is being used, such as “I’m sending this via my personal email account because I couldn’t access our company’s email system from my hotel.”
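The sender tricks described above (a lookalike domain, a fake "personal" freemail account, and a hijacked real account with replies quietly redirected) can each be turned into a mail-filter indicator. The following is an added example, not code from the original article or from the company that published it: it parses a raw message, compares the display name against a constructed executive roster, folds common homoglyph substitutions before measuring how close the sender domain is to the corporate domain, flags freemail senders and mismatched Reply-To domains, and looks for money-movement language. The corporate domain `example.com`, the roster, the freemail list and the four sample messages are all constructed for illustration.

```python
"""Sender-impersonation indicators for whaling-style email.

Added example, not from the original article. The corporate domain,
executive roster and sample messages below are constructed for
illustration; a real deployment would pull the roster from the directory.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # constructed roster
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
PAYMENT_WORDS = ("wire", "transfer", "invoice", "bank account", "payment",
                 "urgent", "confidential", "personal email")


def normalize_domain(domain):
    """Fold common homoglyph tricks so 'exarnple.c0m' compares equal to 'example.com'."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def levenshtein(a, b):
    """Plain edit distance; a small distance between domains means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def whaling_indicators(raw):
    """Return the list of indicator names found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    findings = []

    # 1. Display name claims to be an executive, but the address is not the roster one.
    roster_addr = EXECUTIVES.get(" ".join(name.lower().split()))
    if roster_addr and addr != roster_addr:
        findings.append("executive-name-mismatch")

    # 2. Sender domain: the freemail "personal account" ruse, or a lookalike of ours.
    if domain in FREEMAIL:
        findings.append("freemail-sender")
    elif domain != COMPANY_DOMAIN and levenshtein(
            normalize_domain(domain), normalize_domain(COMPANY_DOMAIN)) <= 2:
        findings.append("lookalike-domain")

    # 3. Replies silently redirected elsewhere. This still fires when the
    #    message comes from a hijacked real mailbox, which checks 1 and 2 cannot see.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rsplit("@", 1)[-1] != domain:
        findings.append("reply-to-redirect")

    # 4. Money-movement language in subject or body (two or more distinct terms).
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if sum(w in text for w in PAYMENT_WORDS) >= 2:
        findings.append("payment-request-language")
    return findings


# Constructed sample messages; headers are kept minimal.
MSG_LOOKALIKE = """From: "Jane Doe" <jane.doe@exarnple.com>
To: accounting@example.com
Subject: Acquisition - confidential

Please wire $480,000 to the account in the attached instructions today. Keep this confidential.
"""

MSG_PERSONAL = """From: "Jane Doe" <jane.doe.ceo@gmail.com>
To: accounting@example.com
Subject: Urgent payment

I'm sending this via my personal email account because I couldn't access our company's email system from my hotel. Please process the wire transfer before close of business.
"""

MSG_HIJACKED = """From: "Jane Doe" <jane.doe@example.com>
Reply-To: jane.doe@example-finance.net
To: accounting@example.com
Subject: Vendor bank account change

Our supplier has moved to a new bank account; update the payment details and send the outstanding invoice total.
"""

MSG_LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com
Subject: Friday

Team lunch is at noon on Friday.
"""

if __name__ == "__main__":
    for label, raw in [("lookalike", MSG_LOOKALIKE), ("personal", MSG_PERSONAL),
                       ("hijacked", MSG_HIJACKED), ("legit", MSG_LEGIT)]:
        print(label, whaling_indicators(raw))
```

The hijacked-mailbox sample is the important one: its From address is genuine, so the name and domain checks are silent and only the Reply-To mismatch and the payment language remain. Header checks like these are a triage aid, not a substitute for confirming any payment or bank-detail change with the requester over a known phone number.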
Table 1 highlights other aspects of whaling emails. It also compares whaling emails to spear phishing and classic phishing emails.
Table 1. Comparison of Whaling, Spear Phishing, and Classic Phishing Emails

| | Whaling Emails | Spear Phishing Emails | Classic Phishing Emails |
|---|---|---|---|
| Target | Businesses | Businesses | Individuals and businesses |
| Distribution size | One person typically | A small number of people | An extremely large number of people |
| Personalization | Highly personalized | Moderately personalized | Not personalized |
| Greeting | The email recipient's name | The email recipient's name | No greeting, a generic greeting, or the recipient's email address |
| Tone of message | Professional tone | Professional tone | Urgent tone |
| Desired action | Varies (e.g., send a wire transfer) | Click a link or open an email attachment | Click a link or open an email attachment |
| Context in which the call for action is presented | Context is highly personalized and makes sense to the recipient | Context is personalized and makes sense to each recipient | One-size-fits-all context that might not make sense to some recipients |
| Has a deceptive sender email address | Almost always | Often | Sometimes |
| Includes misleading links | Sometimes | Often | Often |
| Has a weaponized email attachment | Sometimes | Sometimes | Sometimes |
Whaling Scams Cost Companies Big Bucks
One reason why the number of whaling scams keeps increasing is that this type of scam is bringing in big bucks for cybercriminals. For example, cybercriminals conned AFGlobal Corporation out of $480,000. Masquerading as the company's CEO, the cybercriminals sent an email to the accounting director, informing him that he had been assigned to work with an individual named Steven Shapiro on an acquisition. The purported Shapiro then contacted the accounting director via email and phone, requesting that he transfer $480,000 to a bank in China for the acquisition. The accounting director sent the money. A week later, he received another request from Shapiro to transfer an additional $18 million. At that point, the accounting director became suspicious and did not send the money.
In another case, a Wisconsin business fell victim to a highly sophisticated whaling attack, sending more than $1.6 million to the perpetrators. Before a single email was sent, the cybercriminals conducted research to learn about the Wisconsin company’s main suppliers. After selecting one to impersonate, they found out the name and email address of the supplier’s credit manager. The cybercriminals also created a fake corporation supposedly located in Florida and opened several accounts for it at banks in Miami and abroad. Then, masquerading as the supplier’s credit manager, the scammers sent an email to the Wisconsin business’s accounting manager. They requested that all invoice payments be sent to the supplier’s international account rather than the usual account due to problems with the latter. The Wisconsin business’s accounting manager responded, noting that he would not be able to send money to an international account. The scammers wrote back, saying that he could instead send the payments to the Miami bank account. The accounting manager authorized a payment of more than $1.6 million to that account. Fortunately, all but $8,000 of the $1.6 million was still in the account when the scammers were arrested so the Wisconsin business got its money back. Getting the money back is unusual, though.
Many other companies were also swindled out of large amounts of money or data, including:
How to Protect Your Company from Whaling Attacks
The number of whaling attacks will likely keep increasing since whaling is a lucrative business for cybercriminals. Here are some ways you can protect your business from these scams:
If you would like more recommendations on how to protect your business from whaling and other types of phishing attacks, contact us.
Avoid Scams flickr photo by Infosec Images shared under a Creative Commons (BY) license