Whaling Attacks | PDSC Advice Guides

Whaling attacks

Whaling is a form of social engineering. It targets the “big fish” – board directors and senior executives who have access to the most secretive or commercially sensitive information within their organisations which enable the cyber criminals to target the biggest rewards.

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information.

Whaling attacks can be more sophisticated than other social engineering attacks as the cyber criminals typically use techniques that exploit the secrecy, sensitivity and urgency of an important project or the access that their executive targets have to confidential and sensitive information.

What can be the impacts to your business?Financial LossData Loss and Regulatory FinesReputational Damage

Examples of Whaling attack techniques

  • Email with an invoice demand, followed by a phone call to warrant the request.
  • Email, phone call or social media message “innocently” researching the organisation designed to gather information that can be used to inform a more sophisticated whaling attack. This information can be used, for example, to contact senior execs with relevant reference to other colleagues and members of staff or pertinent internal projects for added effect.
  • The cyber criminal identifies when the CEO is on holiday via social media and takes advantage by sending a fake email (masquerading as the CEO) to a junior member of the finance department, requesting an urgent transfer of money. Referencing the holiday and implying they do not wish to be disturbed can make the request plausible and likely to be actioned without question.

What you can do

  • Whaling clearBe vigilant!
  • Be wary of poor grammar and spelling
  • Check the sender email address/phone number
  • Hover the cursor over links to check a valid sender URL
  • Any request that is demanding an immediate or urgent response – Call and speak to a known contact to verify the content of the email
  • Identify any unusual greeting, tone, use of words and phrases or structure in emails you receive
  • Look for images that contain a text box
  • Watch out for low-quality versions of recognisable logos
Whaling attacks