What Is a Whaling Attack? Identifying and Avoiding CEO Fraud

Since 2013, US companies have unwittingly transferred more than $12 billion to criminals behind whaling attacks. You might think you’d never fall for a suspicious-looking email, but whaling attacks meticulously mimic your CEO or CFO and get away with stealing your company’s most precious files and information.

So how does a whaling attack work? And what can you do right now to avoid it? In this post, we will teach you just that.

What is a whaling attack?

A whaling attack, also known as CEO fraud, targets the big fish of a company. In this type of attack, a cybercriminal will masquerade as a senior member at a company to steal finances and sensitive information or access computer systems.

Whaling is similar to phishing in that it uses email and website spoofing to trick employees or customers into revealing sensitive information or transferring money. But unlike phishing, whaling attacks make the message appear as though it was from a CEO or someone equally senior. That way, cybercriminals rely on a person’s obedience to authority to execute their sticky-fingered plan.

Whaling attack examples

Now that you know the basics, let’s put a whaling attack into context with some examples.

  1. The urgent wire transfer

    In a stress-inducing attempt at getting their hands on some free money, the attacker sends an ‘urgent’ email. It typically reads like a personal message from the boss, establishing trust before asking for an urgent wire transfer. The transfer has to be made to a designated account by a designated day.

    You’re probably thinking, “Why would I do that without approaching my boss and confirming it first?” Well, imagine a 10,000+ global organization. With deputy managers, senior managers, and operations and finance managers in each department constantly dealing with payments of all kinds, a request to transfer money might be nothing out of the ordinary.

  2. A request to send files

    Imagine you start your workday with 45 unread emails. You rapidly sift through them, tending to anything urgent so you can get on with your day. Your boss needs you to send them a document which contains payment records and includes the company’s credit card details. You send it over without giving it a second thought, especially since your ‘manager’ needs your help. And just like that, with minimal effort on the criminal’s part, you’ve been conned in a whaling attack.

Whaling attacks: A billion-dollar disaster for CEOs

High-flying CEOs of mega-companies are easy to impersonate – their voice, tone, and location are often sprawled online for the world to see and for criminals to copy and exploit. Whaling attacks casually kick down firewalls and side-step even the most complex IT defenses with such ease that they can make a person feel entirely incompetent, which is why they often go unreported. Between 60-70% of CFOs in the US have fallen for a whaling attack that caused losses in their billions. But because admitting to “falling for it” might be too embarrassing, any chance at remediation is smothered.

Thousands of companies have grown accustomed to writing off billions each year in ‘avoidable losses’. But avoiding a whaling attack is just as simple as the attack itself.

How to avoid a whaling attack?

Whaling attacks use social engineering to trick victims into handing over funds. But don’t be intimidated by a term that simply means ‘to prey on human nature’. From this new angle, the cures for whaling attacks become low-cost and highly effective:

  1. Destigmatize the reporting of whaling attacks

    No matter what technical defenses you put in place, a system is only as good as the people behind it. A whaling attack begins and ends with an unsuspecting employee, so train them to identify suspicious emails and to always ask for a second opinion when it comes to cash transfers or sending over sensitive data. With regular training aimed at destigmatizing the reporting of cyber-threats, you are bound to see improvements. It’ll create a human-first alert system, inspire staff to stay vigilant, and reduce any cyber-casualties.

  2. Implement dual authorization on wire transfers

    We talked about getting a second opinion when anyone demands a payment. Having two people sign off any outbound wire transfers always helps to prevent a looming whaling attack.

  3. Senior staff should have private social media accounts

    Whaling attacks target the big fish of a company. If a senior member posts about a barbeque he had at the weekend, the attacker could use this information to persuade the victim he’s the real deal.

  4. Invest in a good cyber-insurance program

    Companies should get a good insurance plan against such risks, especially one that includes a fidelity or crime policy. A good cyber-insurance program will cover you against social engineering or ransomware attacks too.

  5. Encrypt your sensitive information

    Besides promoting all the obvious things like good email hygiene and cross-checking suspicious demands and claims, a second precaution never hurt anybody. Protect and secure your company's sensitive information with NordPass. NordPass uses XChaCha20 encryption XChaCha20 encryption to store your company’s credit card details and system passwords, locking them inside a cloud-based vault, secured with biometric locks. Should a staff member fall for a message in a whaling attack, your company’s most compromising information will stay secured with a master password only authorized members can access.

    Smaller companies can suffer huge losses from whaling attacks since they don’t have the luxury of writing off losses like large corporations do. Starting with a good business password manager will keep your sensitive files safe from casual access and help deter any irreversible damage caused by whaling attacks.

Subscribe to NordPass news

Get the latest news and tips from NordPass straight to your inbox.