Spear Phishing vs. Phishing vs. Whaling

Phishing is a malicious technique used by cybercriminals to gather sensitive information (credit card data, usernames and passwords, and so on) from users. The attacker poses as a trusted party and deceives the victim into opening an email or text message, clicking a link or running an attachment. Phishing attacks come in three varieties that differ mainly in how targeted they are: deceptive (bulk) phishing is the least personalized, whaling is the most, and spear phishing lies between. All three belong to the social engineering family, alongside vishing, baiting, pretexting, watering holes and tailgating.

Deceptive phishing

Deceptive phishing sends malicious emails from supposedly trusted sources to as many people as possible, assuming a low response rate. The messages are impersonal, sent in bulk, and often contain spelling errors or other mistakes that reveal their intent. A typical example purports to come from PayPal and asks the recipient to verify their account details by clicking an enclosed link, which leads to a fake login page, to malware being installed on the victim's computer, or both. The page or email might also be a faked warning from your bank, or, in tax season, a message imitating the Internal Revenue Service (IRS), which has warned taxpayers about exactly this kind of campaign. Regular, non-whaling phishing is usually an attempt to get someone's login to a social media site or bank. Most people have seen these emails and many notice the subtle hints; the problem is that not everyone does, and trusted logos plus links to known destinations are enough to trick many people into sharing their details.

Vishing is the same con delivered over the phone system or voice over IP (VoIP): the target receives an email, voicemail or text asking them to call a number about some "discrepancy", and the person who answers collects the information.

Spear phishing

Spear phishing is a social engineering attack in which a perpetrator, disguised as a trusted individual, tricks a specific target into clicking a link in a spoofed email, text message or instant message. In contrast to bulk phishing, the attacker first gathers personal information about the target to increase the probability of success, then sends a personalised message to a particular person, or to a group with something in common such as employees of the same department. The message is built to look like a critical business email or a request from someone with authority, whether outside or inside the company. As a result the target unwittingly reveals sensitive information, installs malware on the network, or executes the first stage of an advanced persistent threat (APT). In Imperva's illustrative scenario the target is a sysadmin: at the end of the chain a command and control agent is installed on the sysadmin's machine, which can then serve as a backdoor into the enterprise network for the first stage of an APT. The targeted nature of these messages makes them difficult to detect, which is why spear phishing deserves specific attention in an application security strategy. Even law firms have fallen victim to such attacks.

Whaling

Whaling is spear phishing aimed at the "whales" at the top of the food chain: CEOs, CFOs and other high-ranking executives of a well-known, lucrative company, people with a high level of authority and access to critical company data. Spear phishing in general goes after a broader, lower-profile category of staff; depending on how influential the individual is, targeting a particular person may be considered whaling. Whaling messages always address the target personally, often using their title, position and phone number, which the attacker collects from company websites, social media or the press. Like spear phishing, the attack depends on research, and a campaign may take weeks or months to prepare, so the emails can be very convincing. The bait is correspondingly more severe and formal than the usual account warning: a false subpoena, a fake message from the FBI, or some sort of critical legal complaint. The attacker may also impersonate someone the executive deals with, for example by emailing a CEO with a payment request while pretending to be a client of the company; in the business email compromise variant, the fraudulent message is made to appear to come from someone senior or influential at the victim's own organization. The objective is usually something of high value: trade secrets, credentials to sensitive accounts, or a fraudulent money transfer. In every case the end-game is to scare the recipient into acting, to avoid legal fees, to avoid being fired, to keep the company out of bankruptcy, and so on.

Whaling and spear phishing are therefore not different practices; whaling is a form of spear phishing, which is itself a form of phishing, and both target an individual recipient. At a glance:

- Target: spear phishing goes after particular individuals or groups, usually of a lower profile; whaling exclusively targets high-ranking individuals.
- Design: spear phishing emails are prepared for a person or a group of people; whaling emails are crafted for one executive and address them explicitly.
- Goal: spear phishing focuses on stealing login credentials and sensitive information; whaling focuses on trade secrets, money transfers and access that can affect the company's performance.
- Effort: whaling involves more research and longer preparation, so it is the more sophisticated of the two.

How the scam plays out

A whaling attempt may look like a link to a regular website with which you are familiar, and the landing page asks for your login information just as you would expect. When you submit it, a notification says the information was incorrect and that you should try again; on the second attempt, now on the real site, it works, and you conclude that no harm was done. That first "incorrect" login was the scam: the attacker now has your username and password for the site you thought you had logged into. Instead of a link, the message may have you download a program to view a document or image. Whether or not it shows you anything, the program's real purpose is to record everything you type or to delete data from your computer.

Do executives and managers really fall for these emails?

Yes, unfortunately, managers often fall for whaling scams. In one campaign, scammers sent a fake subpoena to about 20,000 corporate CEOs, and approximately 2,000 of them clicked the link in the email, believing it would download a special browser add-on needed to view the entire subpoena. Each of those 2,000 companies was then hacked further, because the attackers now had the information they needed. This type of attack is big business for criminals.

[Figure: example of a phishing email]

How do I protect myself from whaling attacks?

Awareness comes first. At the organizational level, enterprises can raise awareness and actively train employees, highlighting spear phishing as an important threat; employees who know what it looks like are less likely to fall for it. At the individual level, look at the URL in your browser's address bar and, even briefly, around the site for anything that looks a little off; that alone significantly decreases your chances of being caught.

Two technical controls help when training fails:

- Two-factor authentication (2FA). Even if a password is compromised by spear phishing, it is of no use to the attacker without the second factor held by the real user. Caveat: one-time codes and push approvals can still be relayed by a phishing page that proxies the real login in real time, so for executives prefer phishing-resistant factors (FIDO2/WebAuthn security keys or platform authenticators), which are bound to the genuine site's origin and will not respond on a lookalike domain.
- A password management policy that stops employees from using corporate passwords on external websites reached through email links. One such policy is to instruct employees to always enter a false password first when following a link provided by email: a legitimate website will reject it, whereas a plain credential-harvesting page accepts anything. That test does not catch proxying kits, which forward the attempt to the real site and return its genuine "incorrect password" response, so pair it with a password manager that fills credentials only on the exact origin they were saved for; it will refuse to fill on a lookalike domain no matter how convincing the page looks.
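The indicators described above (an executive's name on an external sender address, a Reply-To that differs from the From address, link text showing a trusted host while the href points elsewhere, and legal or financial pressure language) can be checked mechanically at the mail gateway. The following Python script is an added example, not code from the original page or from Imperva; the corporate domain, the executive directory and the two sample messages are constructed for illustration.

```python
"""Score an inbound email for whaling / spear-phishing indicators.

Added example, not code from the original page. CORP_DOMAINS, EXECUTIVES
and both sample messages are constructed. The checks mirror the
indicators the text describes: executive display name on a foreign
address, Reply-To hijack, link text/href host mismatch, urgency language.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CORP_DOMAINS = {"example-corp.com"}                      # assumption
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # assumption: name -> real address
URGENCY_TERMS = ("subpoena", "legal complaint", "wire transfer", "urgent",
                 "immediately", "court", "confidential")
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
HOSTLIKE_RE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url_or_text: str) -> str:
    """Hostname of a URL, or of bare 'host/path' text as a reader would see it."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def body_text(msg) -> str:
    """Concatenate the text parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def analyze(raw: str) -> dict:
    """Return a score (number of independent indicators) and human-readable findings."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = body_text(msg)
    findings = []

    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{name}' impersonates an executive but sender is {addr}")
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {domain_of(addr)}")
    for href, inner in ANCHOR_RE.findall(body):
        text = TAG_RE.sub("", inner).strip()
        if HOSTLIKE_RE.match(text) and host_of(text) != host_of(href):
            findings.append(f"link text shows {host_of(text)} but points to {host_of(href)}")
    haystack = (subject + "\n" + body).lower()
    hits = [t for t in URGENCY_TERMS if t in haystack]
    if len(hits) >= 2:
        findings.append("urgency/legal pressure language: " + ", ".join(hits))
    return {"score": len(findings), "findings": findings}


# Constructed sample: a fake-subpoena whaling attempt against the CFO.
SAMPLE_WHALING = """\
From: "Jane Doe" <jane.doe@example-corp-secure.com>
Reply-To: legal-desk@courier-docs.example
To: cfo@example-corp.com
Subject: URGENT: subpoena served - confidential
Content-Type: text/html; charset="utf-8"

<p>Per the court order attached, review immediately at
<a href="http://example-corp.com.doc-view.example/s/1">https://portal.example-corp.com/subpoena</a>
and confirm the wire transfer before close of business.</p>
"""

# Constructed sample: a genuine internal message from the same executive.
SAMPLE_BENIGN = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Q3 board deck
Content-Type: text/html; charset="utf-8"

<p>Draft is on the intranet: <a href="https://intranet.example-corp.com/q3">https://intranet.example-corp.com/q3</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("whaling", SAMPLE_WHALING), ("benign", SAMPLE_BENIGN)):
        print(label, analyze(sample))
```

The score is a count of independent indicators. A single hit (an external Reply-To on its own is common in legitimate marketing mail) is worth a review flag; three or more against an executive's mailbox is worth quarantining. The anchor parser is a regular expression for brevity; a gateway would use a real HTML parser and would also expand shortened URLs before comparing hosts.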
The subpoena campaign described above is commonly referred to as the 2008 FBI subpoena whaling scam. The "browser add-on" the CEOs were told to install was in fact a keylogger that secretly recorded their passwords and forwarded them to the attackers, who used those credentials to reach administrative company accounts; that is how the compromised companies came to be hacked even further. Security training can build on cases like this: training materials can feature real-life examples of spear phishing emails alongside simulated attacks designed to test employee knowledge.
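The password-manager control in the protection section works because it compares origins, not appearances. The Python below is an added example, not code from the page or from any particular product; it implements that origin-binding rule and, when it refuses, explains which lookalike trick the host is using: the corporate domain embedded as a subdomain of an attacker-controlled domain, a confusable-character spoof, a typosquat, a sibling subdomain, or a scheme downgrade. The saved origin, the confusable table and every URL tested are constructed.

```python
"""Origin-bound credential release with lookalike-domain classification.

Added example, not the page's code. SAVED_ORIGIN, CONFUSABLES and the
hosts in the demo are constructed. Password managers and FIDO2
authenticators apply the same rule: a credential is released only to
the exact origin it was registered for, however convincing the page is.
"""
from urllib.parse import urlparse

SAVED_ORIGIN = "https://login.example-corp.com"  # assumption: where the credential was saved

# Small confusable table: ASCII lookalikes plus a few Cyrillic letters that
# render identically to Latin ones. A real check would use the Unicode
# confusables data; digits are folded aggressively, which suits a defensive
# heuristic but would mis-handle legitimate digits in a trusted name.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}


def origin(url: str):
    """Scheme + host + non-default port: the tuple a browser compares."""
    u = urlparse(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return None
    default = 443 if u.scheme == "https" else 80
    port = u.port or default
    suffix = "" if port == default else f":{port}"
    return f"{u.scheme}://{u.hostname.lower()}{suffix}"


def registrable(host: str) -> str:
    """Last two labels; an approximation that ignores the public-suffix list."""
    return ".".join(host.split(".")[-2:])


def normalize(host: str) -> str:
    """Decode punycode labels and fold confusable characters to plain ASCII."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        for lookalike, plain in CONFUSABLES.items():
            label = label.replace(lookalike, plain)
        labels.append(label)
    return ".".join(labels)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, trusted_host: str) -> str:
    """Explain how an untrusted host relates to the trusted one."""
    trusted_reg = registrable(trusted_host)
    if registrable(host) == trusted_reg:
        return "sibling subdomain of the trusted domain"
    if f".{trusted_reg}." in f".{host}.":
        return f"trusted domain embedded as a subdomain of {registrable(host)}"
    folded = registrable(normalize(host))
    if folded == trusted_reg:
        return f"confusable-character spoof of {trusted_reg}"
    distance = edit_distance(folded, trusted_reg)
    if distance <= 2:
        return f"typosquat (edit distance {distance}) of {trusted_reg}"
    return "unrelated domain"


def decide(page_url: str, saved_origin: str = SAVED_ORIGIN):
    """Return ("fill", reason) only for the exact saved origin, else ("refuse", reason)."""
    page, saved = origin(page_url), origin(saved_origin)
    if page is None:
        return ("refuse", "not an http(s) URL")
    if page == saved:
        return ("fill", "exact origin")
    host = (urlparse(page_url).hostname or "").lower()
    trusted_host = (urlparse(saved_origin).hostname or "").lower()
    if host == trusted_host:
        return ("refuse", "same host but scheme or port differs (possible downgrade)")
    return ("refuse", classify_host(host, trusted_host))


if __name__ == "__main__":
    for url in ("https://login.example-corp.com/?next=/",
                "http://login.example-corp.com/",
                "https://login.example-corp.com.verify-portal.example/s/1",
                "https://login.examp1e-corp.com/",
                "https://login.exampel-corp.com/",
                "https://login.ex\u0430mple-corp.com/",
                "https://sso.example-corp.com/",
                "https://accounts.unrelated.example/"):
        print(url, "->", decide(url))
```

The refusal reason is what a user-facing warning or a SOC alert should carry: "the real domain appears inside an attacker's domain" is far more actionable for an executive than "credentials not filled". Note that the decision never depends on the reason; anything that is not the exact origin is refused, and the classification exists only to explain and to prioritise follow-up.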