What is whaling? How CEO fraud works and how to prevent it

What is whaling? 

Whaling, also known as CEO fraud, is a type of spear-phishing attack that targets specific high-profile individuals: typically board members or those with access to corporate bank accounts. 

As with other phishing attacks, whaling aims to con victims into downloading malware, transferring money, or parting with sensitive or confidential information by using emails that purport to be from legitimate senders. 

Phishing, spear phishing or whaling? 

As I explained in my blog post, What is spear phishing? How it works and how to prevent it: 

  • Phishing emails are haphazard in approach, are sent at random to large databases of contacts and rely on the sheer weight of numbers for success. 
  • Spear phishing is a subset of phishing that, instead of casting a wide net, relies on focused emails to reel in specific recipients – whether particular organisations or individuals. 
  • Whaling is a further subset that targets the Moby-Dicks of the business world, to continue the piscine analogy. (I know cetaceans aren’t fish.) 

  

The relationship between phishing, spear phishing and whaling

Examples of whaling attacks 

Whaling inevitably reaps far greater rewards for successful attackers and has been instrumental in numerous large-scale incidents:  

  • In 2016, a Snapchat employee fell for a whaling attack and revealed colleagues’ payroll information. The company said it was “impossibly sorry” for the incident. 
  • Walter Stephan, the CEO of the Austrian aircraft parts manufacturer FACC Operations GmbH, was sacked in 2016 after he fell for a whaling attack that cost the company €41.9 million. 
  • Staff sued the data storage giant Seagate after its HR department revealed its current and former employees’ W-2 tax forms following a whaling attack. 

How to prevent whaling 

Although the point at which spear phishing becomes whaling is not rigidly defined, it doesn’t really matter: both require layered defences that combine technical measures with staff training. 

As with so many other spear-phishing emails, attackers try to create a sense of urgency when carrying out whaling attacks so that victims comply with their wishes. 

Find out more by reading my blog post, 5 ways to mitigate social engineering attacks >> 

Infographic 

For more pointers on how to avoid phishing attacks, take a look at our phishing infographic >> 

E-learning solutions 

Our courses will increase staff awareness of the threat of social engineering attacks. 

Phishing Staff Awareness E-learning Course 

This course will help your staff identify and understand phishing scams, as well as explaining what could happen if they fall victim and how to mitigate the threat of an attack. 

Find out more about our Phishing Staff Awareness E-learning Course >> 

Phishing and Ransomware Human Patch E-learning Course 

This ten-minute interactive e-learning course introduces phishing and ransomware to employees and explains what they need to be aware of to avoid falling victim to future incidents. 

Find out more about our Phishing and Ransomware Human Patch E-learning Course >> 

Information Security Staff Awareness E-learning Course 

This interactive e-learning course helps employees learn about the most important elements of information security. It teaches them how to avoid becoming a security liability and provides basic knowledge of information security best practices to minimise preventable mistakes. 

Find out more about our Information Security Staff Awareness E-learning Course >> 

Information Security and ISO27001 Staff Awareness E-learning Course 

Give your staff a better understanding of information security risks and ISO/IEC 27001:2013 compliance requirements to reduce your organisation’s exposure to security threats. 

Find out more about our Information Security and ISO27001 Staff Awareness E-learning Course >>