AbleToTrain by Willing & Able

What is a whaling attack?

What is whaling fishing? Whaling is a strategic phishing attack targeting prominent executives disguised as legitimate email. Attackers can extract information from their targets that can help them access sensitive areas, passwords, or other user information on the network.

Whaling attacks can occur quickly, but are often carried out over weeks or months. When a seasoned user interacts with an attacker, the attacker’s goal is to establish true trust in the target. If the attack is taken to the next level too quickly, the target can be suspicious. However, if the attacker slowly proves himself to be himself, the target may have no problem leaking sensitive information.

How the whaling attack works

Whaling attacks can begin with communications in a manner used by both the impersonator and the target. This is an email or office SMS message over the internet. When an attack is launched, there may be no reason for the attacker to suspect the attacker’s ID. This is because the attacker could have the same username as the targeted employee. In some cases, the email address may be fake, but it looks credibly legitimate.

An attacker could first attempt to break into the email account of the person using to obtain the whale. Once inside, they can start emails that help build trust. This may need to include details about the life of a whale that a disguised employee knows. This kind of information can be easily collected from social media.

For example, an attacker may find that a victim recently obtained a new puppy and posted it on social media. Then you can scroll down to last year’s Christmas party to see that there was a huge cake. You can combine both pieces of information to create a seemingly innocent and fairly knowledgeable email. “Hey, this cute puppy is getting bigger. If he was there last Christmas, he would have eaten all the cake! Lol !!!” Due to the detailed nature of the email, the whale can’t suspect that the attacker is forging his identity.

Once trusted, an attacker could attempt to obtain sensitive information from a whale. For example, “Yes, I’m traveling, but I don’t have a VPN login.” Listen, I have saved these blueprints on my laptop, but now I am using a mobile phone. Send me fast. Can you get it?” Whales believe the message is legitimate, so they can relay the information.

Whaling vs. Phishing vs. Spear Phishing

Even though whaling, phishing, and spear phishing are all forms of phishing, they have distinct differences.

Phishing involves making someone to reveal confidential information through an electronic mean of communication. For example, the target may get an email from what appears to be a trusted source. Email may argue that the target needs to act quickly to fix the problem. To do this, you need to click the link in the email. Clicking this link will take you to a fake website that seems legal. It may contain logos and fonts used on the actual website you are trying to imitate. The website prompts the victim for their credentials. Inforamtion entered ends up with attacker who now can access to victim account. This could be done with important accounts like, financial, banking, medical accounts, etc. After access to account is secured, a criminal may transfer money to his own account.

Spear phishing is much like phishing, but it more individualized and focused on particular victim. A phishing attack may include sending out the same or similar communication to larger number of people. An attacker could also use the details associated with the target’s ID to make the communication look more legitimate.

For example, if an attacker finds someone using an ATM in a particular location, that activity can be included in the email. “When I used the Chestnut Hill ATM on Globe Street yesterday at 12:07 pm, I determined that my card information might have been copied from my card skimming device. Log in to your account and change your password. Click here. ”

When the victim logs in, enter the existing credentials collected by the attacker. If you change your password, nothing really happens. An attacker could even attempt to actually change the password with the correct credentials.

Whaling is similar to spearfishing in that it is a targeted attack. However, it is not the same as an attacker pretending to be a victim’s employee in order to gain the victim’s trust. The act of impersonating someone the victim knows distinguishes it from spearfishing and phishing.

Protect yourself from whaling attacks

The first step in protecting you and your organization from whaling attacks is to identify all potential targets and targets that may be used to gain access to them. This can affect most of your business, so it’s a good idea to include discussions on how to avoid whaling attacks during training for other types of phishing threats. Avoiding the whaling attack begins with a rethink. When you read someone’s email, you need to ask yourself if you expected to be contacted by that particular person. Also, consider not only the content of the email, but also its content, the use of punctuation and emoji, and any other strange points in the email.

In some cases, it is very clear that you are being attacked. For example, if an email address is plausible, but not a common email address that the person uses, that’s a clear sign. For example, be careful if the person normally uses the email account but receives an email from If there is no reason to give Mark another email address, it could be fake. If the email has a meaningful name, but it comes from outside your organization, it can also be a sign of danger.

In addition, readers need to be careful about what they post on social media. Details about their lives can be used to launch a whaling attack. If you receive an email stating that a senior member of your organization has posted on social media, this may be an attempt to gain credibility in preparing your request for information.