What is Whaling in Cyber Security

We’ve all heard of Phishing, but what is Whaling?

Phishers, just like fishermen and women, want the big prize. They could spend time catching smaller fish, or focus on the Whale.

If you map this onto an organisation, your Whales would be executives or directors (C-level): basically those higher up the org chart. Attackers target them because the potential return is greater.

A Phisher could focus their efforts on one or two employees, but those employees' level of access to sensitive information may be low. If we are talking about a company executive, we can infer from their job role that they have more access to sensitive information: information that can be used for blackmail, or sold online.

Those accounts can also be used as a mechanism to phish others. If the attackers sent an email from the CEO's account with malicious links, users would be more likely to click the attachments or links because of who it is from: blind trust (they are the CEO).

Whaling isn't just email. Like Phishing, it can come via various channels: phone calls, social media chat, SMS and in person (social engineering). The techniques are the same, but a greater level of effort goes into convincing the victim to do X.

How to fight against Whaling?

Phishing education will help but won't be enough. Strong controls and incident response processes are needed to ensure your C-level employees aren't compromised.
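One such control is mail-gateway logic that flags executive impersonation before the message reaches the inbox. The following is an added example written for this post, not code from the original article: it assumes a constructed executive list and internal domain, and checks whether a known executive's display name arrives from an external address, from the wrong internal address, with a mismatched Reply-To, or without a DMARC pass.

```python
"""Flag inbound mail that looks like executive (whaling) impersonation. Constructed example."""
from email import message_from_string
from email.utils import parseaddr

# Constructed data: executives whose names attract impersonation, and the org's own domains.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> list[str]:
    """Return a list of findings for one raw message; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    key = name.strip().lower()
    if key in EXECUTIVES:
        if _domain(addr) not in INTERNAL_DOMAINS:
            findings.append(f"executive display name '{name}' sent from external address {addr}")
        elif addr.lower() != EXECUTIVES[key]:
            findings.append(f"executive display name '{name}' sent from unexpected internal address {addr}")
    if reply_addr and _domain(reply_addr) != _domain(addr):
        findings.append(f"Reply-To domain differs from From domain: {reply_addr}")
    # Messages claiming an internal From domain should carry a DMARC pass from the receiving MX.
    auth = msg.get("Authentication-Results", "").lower()
    if _domain(addr) in INTERNAL_DOMAINS and "dmarc=pass" not in auth:
        findings.append("internal From domain without a DMARC pass")
    return findings


# Constructed sample messages: one genuine, one impersonating the CEO from outside the org.
LEGIT = (
    'From: "Jane Doe" <jane.doe@example.com>\n'
    "Authentication-Results: mx.example.com; dmarc=pass header.from=example.com\n"
    "Subject: Board pack\n\nAttached as discussed.\n"
)
SUSPICIOUS = (
    'From: "Jane Doe" <ceo.janedoe@mail.example.net>\n'
    "Reply-To: <urgent@mail.example.org>\n"
    "Subject: Urgent wire transfer\n\nI need this done before the call.\n"
)

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        print(label, check_message(sample))
```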

There also needs to be a relationship with the Security team, so that executives let it know of any suspicious activity, including when they clicked a link they weren't sure about. In some cases, C-level employees may hold back out of embarrassment; however, this only puts the organisation at risk. Embarrassment over Phishing needs to be removed, as otherwise only the attackers win.

Phishers attack humans for a reason. We all have our bad days, or moments where we don't think. We also have emotions and beliefs that may sway us. Attackers use this to their advantage, so it's important to develop a culture where letting Security know that you've been tricked won't be met with a "telling off".

If you do go down the route of fear, assuming your users won't want to be embarrassed and so will be more aware, you are wrong. We all make mistakes.

Obviously, you may get a slight telling off if you fall for them continually; however, this also highlights failures in controls and processes. It's a balance, as with everything.
