Big Game Phishing: ‘Whaling’ the C-Level Target

We live in a world where, when using the word “fishing,” it is necessary to clarify whether it is the form that starts with an “f” or a “ph.” Ponder that for a moment — although maybe it’s only disturbing to the English majors among us. It shouldn’t be though, because although spelling-related issues are fairly specific, the existence of phishing affects everyone.

The word and concept of phishing are not new, relatively speaking. According to Computerworld:

“The word phishing was coined around 1996 by hackers stealing America Online accounts and passwords. By analogy with the sport of angling, these internet scammers were using email lures, setting out hooks to ‘fish’ for passwords and financial data from the ‘sea’ of internet users. They knew that although most users wouldn’t take the bait, a few likely would. … Hackers commonly replace the letter f with ph, a nod to the original form of hacking known as phone phreaking.”

As is true of the more traditional form of fishing, when it comes to phishing, the bigger the target the better. Everyone wants to hook a monster, after all — why go for a minnow when you can target a marlin? And best of all is the biggest, the most elusive — the one with the keys to the kingdom. In other words, “whaling.”

Let’s back up a moment though and add one more term to our vocabulary: “spear-phishing.” As the name implies, this is a targeted phishing attack that may have been made possible by prior security breaches that allowed the phisher to gather company data, such as usernames or information on real projects in progress at the company. This information allows spear phishers to develop authentic-sounding email messages addressed to a specific user and referencing company-specific information. (Worth noting, as well, is that not all spear-phishing information necessarily comes from security breaches — think of the publically available information on social networks like Facebook or LinkedIn). Spear phishing is more effective than generic phishing because of that specific nature; the attacks are much more believable and are likely to try to direct the recipient to perform a seemingly innocuous action. But the attack is only as effective as the recipient’s level of access, which is why the bigger the fish, the better the results for the hacker.

A whaling attack, then, seeks as its targets those who hold the most power in companies. An ideal target for a whaling attack would be CEO, CFO, CIO or another executive with access to sensitive data. As with a phishing attack, a whaling attack attempts to trick the executive into revealing personal or corporate data.

Once this has happened, a domino effect is created and the results can be disastrous. Data loss prevention firm DigitalGuardian outlines an example that illustrates just how deadly whaling can be: “[In March 2016 an] executive at Seagate unknowingly answered a whaling email that requested the W-2 forms for all current and former employees. The incident resulted in a breach of income tax data for nearly 10,000 current and former Seagate employees, leaving those employees susceptible to income tax refund fraud and other identity theft schemes. Seagate notified the IRS of the data breach.”

This was not a non-tech savvy, low-level employee clicking on a malicious link. This was a high-level executive at a high-tech company. How can it happen? DigitalGuardian notes, “Because of the high returns that cybercriminals can gain from whaling attacks, attackers spend more time and effort constructing the attack to seem as legitimate as possible.”

So what is the solution? User education is key, and there is no coddling the C-level when it comes to this — everyone must be made aware, and it’s also an incorrect assumption that only unsuspecting or non-tech-savvy users are susceptible. A study done by researchers at Germany’s Friedrich-Alexander University (FAU) showed more than half of email recipients and 40 percent of Facebook users clicked on links from unknown senders, and most of these users were not unaware of the potential consequences of their actions; 78 percent had answered a questionnaire prior to the study saying they were aware of the risks of unknown links. When asked why they clicked, most said it was due to curiosity. Curiosity, clearly, kills more than cats — it can destroy an entire company if proper measures are not enacted.

In a June 2017 Imaging Channel article, Konica Minolta’s Andreas Krebs noted that “a disturbingly small fraction of businesses take action to minimize a perceived lack of cybersecurity training on their employees’ part. Companies may be loath to allocate the right amount of resources, believing that spending on training fails to provide a significant return on investment. According to the Pew Research Center, only 50 percent of a representative sample of employees could answer a list of basic cybersecurity questions, and less than half of companies provide any cybersecurity training (as found by an Experian/Ponemon Institute study) and more than half don’t retrain employees after a data breach occurs.”

Clearly education is key, but more importantly, education for everyone is key. Senior executives should not be — cannot be — exempt from security education and even more critical is ensuring they understand how very specifically they may be targeted and how dire the consequences of that targeting may be for entire companies.

With great power comes great responsibility, and never has that been truer than in the digital, connected age. Every employee at a company can carry the keys to the kingdom in their hands, but the highest-level executives are also at the highest risk. Is your CEO prepared?

is BPO Media and Research’s editorial director. As a writer and editor, she has specialized in the office technology industry for more than 20 years, focusing on areas including print and imaging hardware and supplies, workflow automation, software, digital transformation, document management and cybersecurity.