GlobalSign Blog

What is Whaling and How Can Your Business Combat This Form of Attack?

What is Whaling and How Can Your Business Combat This Form of Attack?

If you don’t have the right online security measures in place, you risk your business falling victim to an attack like whaling, which usually results in a financial loss, stolen customer information, or cybercriminals accessing pertinent business systems or software.

Specific prevention and maintenance techniques, knowledge of the basics of whaling, and understanding its similarities and differences from other phishing schemes can prevent significant losses associated with this form of attack. Let’s discuss what whaling is and how it differs from other common phishing attacks. We’ll then give you actionable tips on how to combat whaling.

What is whaling?

Whaling is becoming more common because it specifically targets company leaders with exclusive access to some of the most protected information in the company. Let’s answer a few key questions regarding whaling to better understand why it’s such a significant cybersecurity threat.

What is whaling?

Whaling is a form of phishing where criminals pretend to be high-level leaders within an organization to obtain cash, customer information, and confidential business credentials. Whaling is primarily executed through email but can also be prompted through phone communication. Business owners, directors, and key personnel are the prime targets of this phishing tool.

Which businesses are most targeted by whaling?

Whaling is often deployed on businesses with poor online security efforts and those with loads of valuable customer and business information that could easily be used for identity theft purposes.

Hospitals, personal practice offices, and other healthcare-related businesses are common targets for cybercriminals. Medical facilities already lack funding, so there isn’t usually a budget to invest in the latest cybersecurity software and technology. This leaves them to use home-based or legacy operating systems and insecure internet browsers that are easy to infiltrate.

Financial institutions, payment services, cloud storage companies, file-hosting sites, online services, and eCommerce sites are also highly targeted for whaling.

Why whaling?

The individuals targeted in a whaling scheme have a high level of responsibility, trust, and access within their respected companies. For cybercriminals, it's worth the time and effort needed to gain the trust of these individuals because the results could be access to thousands of people’s personal information, payment information, or business records.

The difference between whaling and other phishing attacks

In addition to whaling, businesses have to be on guard for other phishing attacks that could infiltrate their operation. Whaling is under the umbrella of phishing, utilizing similar techniques of other phishing attacks to execute digitally enabled fraud. The most common type of phishing is mass-market email phishing where someone sends an email that appears to be from a trusted sender to trick the recipient into doing something, usually logging into a website or downloading malware.

Vishing is another phishing technique that uses the phone, asking the person on the other of the receiver to call a number and enter their account information, PIN, social security number, or other personal information for official purposes. BEC or business email compromise is another one that specifically targets high-value victims and organizations with email fraud.

Although these attacks all frequently rely on email spoofing, website duplication, and/or phone communication, whaling requires a more sophisticated cybercriminal because the target is highly-successful company leaders that usually require a bit more “convincing,” so to speak, to participate in a phishing scheme. Whaling emails and/or phone calls usually:

  • Contain personalized information about the targeted organization or individual that convinces them it’s someone they know.
  • Convey a sense of urgency, but with that urgency, a solution to ease it like initiating a wire transfer, providing a password, or software login credentials.
  • Are crafted with a solid understanding of business language and tone to further the facade they are a high-level employee, CEO, or company leader.

3 ways to protect your business from whaling

It’s important to implement actionable tips to protect your business from whaling. Here are 3 ways to protect your business from whaling right now:

Back up all of your important business information

Preparing your business for a cyber attack starts with organization. Having a system for backing up all of your important business information will not only help to prevent a cyber crisis, but it can help to mitigate the damages if you ever experience one.

For example, whaling attacks can cause significant financial damage. A detailed profit and loss statement allows you to keep a close eye on your finances and spot discrepancies faster than if your financial records aren’t detailed, organized, and secure. It would also be beneficial to create an incident response plan for cybersecurity attacks to ensure you have a process to adhere to after notification of a breach that ultimately prevents huge data and financial losses.

Provide extensive cybersecurity training

Owners, employees, and company leaders should be trained adequately in the importance of cybersecurity and their respective roles in preventing breaches. With so many companies going remote recently, it’s increasingly important each individual knows their roles in minimizing the margin of error that cybersecurity threats have to grow in.

You should train your staff to recognize common social engineering techniques, to not open unfamiliar emails, or click on any links or open any documents they aren’t sure about. Explore conducting regular threat assessment workshops to ensure employees can successfully recognize these cybersecurity threats.

Refrain from using public networks and Wi-Fi

Computers and devices connected to a public network are vulnerable to cyber attacks. Spyware that log keystrokes allow cybercriminals to access any confidential business, personal or customer information shared on these networks.

An extra layer of protection for your business would be to only connect to secured networks such as your office or home Wi-Fi to perform business functions.

Whaling is one of the most dangerous phishing schemes out there for your business. Invest in top-tier cybersecurity and encryption technology, refrain from using public networks and Wi-Fi, back up all of your important business information, and provide adequate training about cybersecurity for your staff. Understanding whaling and how you combat this form of attack will set your business up for success online.

Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.

Share this Post

Recent Blogs