The Growing Danger of Whaling Phishing Attacks

What is Whaling Phishing?

It feels like every week more and more people are telling me about how they became the victim of a phishing attack. 

It shouldn’t come as a surprise. Plenty of articles have been surfacing recently highlighting the fact that South Africa is a target for cyberattackers. And it’s easy to understand why as well. We’re lagging behind the rest of the world when it comes to our cybersecurity! It’s not our fault – we’re simply behind the curb. We have been slower to adopt the latest technologies, and we’re slower to understand the ways that they can be infiltrated. But we need to catch up, fast. Because ransomware and phishing attacks are real threats that cost companies hundreds of thousands, if not millions, of Rands. 

And if you’re reading this, thinking to yourself that you’re not at risk, that you’re secure enough, that you don’t have to worry, it’s time for a wake-up call. 

What is Whaling Phishing? 

A whaling attack is a type of phishing attack that specifically targets high-level executives and decision-makers in organizations. These attacks are designed to steal sensitive data such as financial information, login credentials, or confidential documents.

Where most phishing attempts do target thousands of people at a time, whaling phishing has a very specific target in mind. Whaling in cyber security involves tricking general employees isn’t going to give them the access that they need to cause real havoc (and get real pay-outs). They need to gain the trust of managers, directors and CEOs. With great power and authority comes the potential for great damage to be done. 

But those in higher positions within a business are often the most on-guard when it comes to their email security. They’re unlikely to click on dubious links from strangers. But they are far more trusting of those they do business with on a regular basis. And if an attacker were to successfully pose as, say, a manager from another department, or the CEO of a trusted vendor, and ask that banking details for the company get updated following their own phishing downfall, many business owners wouldn’t think twice about it. 

This is the aim of whaling phishing attacks. But how exactly do attackers manage to mimic their victims so successfully?

It’s Called Whaling Phishing 

One of the phishing scenarios that we dealt with recently was a customer who’d fallen victim to an attack. And the first thing he said to me when he called to tell me about it was, “Daniel, they sound just like us.” And they do! Here’s a quick breakdown of why. 

When most people think of phishing attacks, they think of mass spam emails sent into the ether of the internet. They think of wide nets that are cast out with the hopes of catching stragglers, knowing that the majority of the ‘fish’ will be smart enough to swim away. But that’s not what all phishing looks like. There’s a trend that is gaining in popularity known as ‘whaling phishing’ or ‘whale phishing’. 

I know. It sounds like a terrible pun taken a step too far. But bear with me. 

How Does a Whaling Attack Work? 

It all starts with a bit of research and social engineering. As I mentioned before, whaling phishing has specific targets in mind. So the first step would be doing a bit of research into the business itself – who the head honchos are, who the business is partnered with, and which vendors they use. From there, attackers take to social media to find information about the individuals that they can use to their advantage. That photo from the office Christmas party, the LinkedIn kudos for a job well done, those seemingly innocuous birthday posts on a Facebook profile, or the couple of photos from the last vacation you took that you thought was innocent enough to post online. Suddenly the attacker has an arsenal of details to work with that can help them gain your trust. 

And then they attack. Not in an obvious way – whaling phishing is all about the long haul and big payday! Sometimes an attacker sends an email pretending to be someone you know, from an address that is almost identical to the one that you’re used to. They’ll use the tidbits of information they’ve gathered so far to build on the existing trust between the two of you. 

“Hey, Steve. Hope you’re doing well and feeling rested after your holiday in Kruger. I seem to have misplaced Patricia’s cell number. Would you mind passing it along? Regards, Adrian” 

Note the subtle mention of the vacation that might have been gleaned from social media, the name-dropping of a colleague, the innocuous tone of the mail in general. Is there anything that would put you on guard if this came from someone you work with regularly? Would you even suspect whaling phishing? 

Sometimes an attacker will even manage to infiltrate the mailbox of someone you trust. And then they’ll wait. They’ll monitor the communication that comes in and goes out, waiting for the perfect opportunity to strike. An invoice that they can change the banking details on, for example. Nothing else would need to be adjusted – the email that was carefully crafted, the logos that go along with it, can all remain exactly the same, with just one small, but important, detail differing. 

So how is it that whaling phishing attackers sound like us? Because they’re using our language, the emails that we’ve already written, and are simply changing the address that it comes from, the account details that payments should go to. They’re becoming a man in the middle who has access to everything that comes in and goes out of your mailbox, and from there, they have all the power to compromise your business.

How Can You Protect Yourself Against a Whaling Phishing Attack? 

Now that you understand what they are and how dangerous a cybersecurity threat a whale phishing attack really is, let’s look at some simple steps you can take to avoid falling victim to them.

  • Multi-Factor Authentication

I cannot recommend this often enough. Put it in place for yourself. Put it in place for your employees. Put it in place for your family and friends. Get your vendors to put it in place. It is such a simple and effective solution to a huge problem! With MFA, it doesn’t matter if someone somehow gains access to your email password. They still won’t be able to do anything with it! It’s effective against so many different types of cyberattacks but can protect your mailbox against whaling phishing attackers using it as well. 

  • Training

Every one of your team members has a role to play in preventing whaling phishing attacks. Even if they’re not the direct target, if their mailboxes become compromised or if an attacker gains their trust, it can lead to a knock-on effect. Training your teams in what whaling phishing (and general phishing) attacks look like can see your company catching on early enough to prevent any serious damage being done. And if you’re using Microsoft, you may already have the perfect tool at your disposal for pinpointing where training is needed! Microsoft Defender for Office 365 lets you run simulations and see how your teams would react to malicious emails. 

  • Social Media Privacy

Social media can be an excellent tool for connecting with people, but it can also be a dangerous platform if the wrong information becomes available online. By making sure that you limit the information available on your public profiles, you are limiting the insight that potential attackers can gain and use to their advantage in a whaling phishing attack. This isn’t to say that you shouldn’t use social media at all – but be wary of the details that you are making available to the public eye. 

  • Double Check Email Details

From checking the address that an email is coming from to be wary of changes to contact or banking details, double-checking your emails rather than implicitly trusting the information in them is an important aspect of email security. It’s always better to be safe than sorry and taking the extra step of contacting the person who’s emailing you if something seems suspicious could stop a whaling phishing attempt in its tracks. 

How compliant is your business?

Make sure that your data is under digital lock and key.

Take Action Before You Become a Whaling Cyber Attack Victim 

It’s never too early to start putting cybersecurity measures in place. Don’t wait until you’ve already become a whaling phishing victim – talk to Solid Systems today to start putting proactive measures in place. As an IT support company in South Africa, we understand the importance of finding technologies that add value to your business and keep your company protected from attack. We’ll help you implement world-class security apps, prevent unauthorised access to your data and so much more. Get in touch to find out how we can help your business. 


Daniel Avinir

Daniel Avinir

Head of Client Success at Solid Systems | Virtual CIO I have a love and passion for people, their minds, technology, and nature.I believe in empowering people to work in increasingly flexible and productive ways, helping them unlock the collaboration potential and leading the cultural & technological change of our time.

Didn't find what you were looking for?