Imagine you're a cybercriminal who wants to make a large score by aiming for the top. You have exceptional phishing skills, had a few successes by sending out thousands of bogus emails, and now you want to try to make a big catch. You know exactly what type of person to target. What bigger catch is there for a cybercriminal than convincing a company to wire you millions of dollars?
Whale phishing involves scamming the most high-profile targets possible, often for direct financial gain in the form of a wire transfer or to gain access to a wealth of company data that can be sold on the dark web. It differs from traditional phishing attacks primarily in scale and targeting: Most phishing attacks target hundreds or thousands of people at once, generally anyone with an email account. But whale phishing is much more focused, specifically aiming for top executives in charge of money transfers and company information.
Phishing, spear phishing, and whale phishing definitions
To comprehend whale phishing, you first have to understand how it differs from standard phishing and spear phishing attacks.
Phishing attacks, as previously mentioned, are largely indiscriminate, targeting wide masses of people. This type of cyberattack involves trying to gain information from an unwitting victim by sending them an email that asks them to do something, such as click on a link, provide information or download an attachment. This is one way cybercriminals can gain access to your private data. A cybercriminal doesn't expect every one of these emails to succeed, but they don't have to. As long as a small portion — even one or two — of those phishing emails garners some information, the campaign is a success.
When a cybercriminal knows whom they wish to target, they use spear phishing. Spear phishing is a phishing attack aimed at a specific individual. These emails require a little more effort to craft, and the bad actor will do research ahead of time. For example, while a standard phishing attack might open with "Dear customer," or some other vague address, a spear phishing attack will use the target's real name. The email might include their actual phone number and appear to be from a friend, family member or boss. Because it contains information that the target believes only certain people would know, it looks far more legitimate. This type of phishing attack has much less reach than a traditional attack, but it can also be vastly more effective.
Whale phishing is simple: a spear phishing attack aimed at a big-name target. These are the most sophisticated types of phishing attacks because the cybercriminal who crafted the email has done extensive research on the target and determined the most effective way to get the big-ticket data from them. The targets are often a business owner, cybersecurity executive, government official or someone else with valuable information.
Mattel: A notable example of whale phishing
In April 2015, a Mattel finance executive received an email requesting a vendor payment of $3 million to a Chinese bank. Such requests were not uncommon at the time at Mattel because the corporation was expanding into other nations, including China. Initially, the executive didn't see anything amiss about the email, but she still went through the motions of checking to make sure it was legitimate. This included requiring approval from two high-ranking managers in the company. She was one of them, and the other was the CEO, who was mentioned in the email. The transfer was approved, and the money was wired to the Bank of Wenzhou. Normally, this would have meant that Mattel was out $3 million. However, the company was fortunate in the timing of the mistake: May 1st was a Chinese banking holiday, giving Mattel a full day to act, and they ultimately recovered the lost funds.
The cybercriminal(s) responsible for this did all of their homework before crafting this email. They mined social media to discover the names of vital individuals within the company. Then they researched company operations to find out how best to mimic a genuine request. Finally, they used a compromised corporate email account to send the message. All of this was combined to craft an email that looked virtually identical to a real one. Since a real corporate email account was used, nothing in the message itself revealed that the sender wasn't the person who owned the account.
The Captain Ahabs of cybercrime are on the rise
According to the 2021 Cost of Phishing Report published by Proofpoint, large companies in the U.S. are losing an average of $14.8 million every year to phishing attacks, or $1,500 per employee. This is a huge increase from when the study first began in 2015, when the average loss was $3.8 million. Clearly, phishing attacks are on the rise, and they're getting more sophisticated and convincing as cybercriminals discover newer and more effective tactics to get past security measures.
Cybercriminals dream of making big scores through whale phishing. Help protect yourself from phishing attacks by being aware of the common features they tend to share.