Phishing and Whaling

Phishing for Information

Phishing scams are an attempt to acquire personal and sensitive information such as credit-cards, usernames and passwords, or identification/account details, from individuals or businesses. Also known as Business E-Mail Compromise (BEC), these attacks are most often realized with the use of email spoofing or online instant messaging. Such scams are usually carried out by tech savvy hackers as part of an increasingly important social engineering aspect of breaches. Comprising 30% the practice of impersonations and identity fraud often constitutes the proverbial “pointy end of the spear”. A phishing scheme will masquerade as a request for information from a trusted source such as a bank, employers, social websites and IT administrators. The source or victim define phishing’s different sub-categories, including small groups of users (Spear Phishing) or high profile individuals (Whaling).


What is Whaling? 

More recently, the sub-form of phishing called whaling surfaced as costliest problem. Whaling, a metaphor used to describe catching a bigger “fish”, has the same malicious intentions as phishing with the end users being people of higher stature and power. A successful attack can harvest cooperate passwords, usernames, hard drives, networks and in some cases bank accounts.

Whaling has become increasingly popular for hackers due to how easily personal information is to access. In order to harpoon a big fish, you need bigger and more bait. Hackers will gather personal information from different source such Facebook, LinkedIn and company websites to tailor a phishing attack to a specific recipient. 2015 FBI estimates show that 7000 businesses have been “harpooned” for over $740M dollars in losses over the past two years.

Mimecast, a security company focusing on the entire electronic communication life cycle, announced a 55% uptick in whaling in their research findings published December 2015, and the hackers’ favorite imposters are the CEO (72%) and the CFO (35%).  Former Alaska Governor and vice presidential candidate Sarah Palin was the victim of an imposter in 2008. He used Google and Wikipedia to successfully answer security questions and change the password on her Yahoo email account. Former US Secretary of State and current presidential hopeful Hillary Clinton is currently involved in an email scandal. Her use of a private email and private server may have exposed highly sensitive US Government information. By circumventing government security measures on email communications, Clinton left herself open to hackers and imposters.

This movement towards smaller targets continues gaining traction and receiving refinement. In June 2012, a global fraud ring, called Operation High Roller (OHR) was exposed. Their elaborate automated whaling system allowed them profits of $78 Million. OHR hackers would target corporate executives that had access to accounts with several million dollars. Emails were all well written and unique to appear legitimate and trustworthy. Each email contained a malicious link of attachment. Clicking these links would infect your computer with compromising malware that would capture keystrokes and ultimately yield usernames and passwords entered using the infected computer.


How do you prevent being “Hooked/Harpooned?” 

Best practices suggest a multi-pronged approach for lessening the effects of phishing.  Technical methods tie in to email servers and end point anti-virus software looking for things like suspicious language, links where the displayed words don’t match the associated web address and domains that look familiar but aren’t (i.e. This software is not foolproof; IT administrators would rather err on the side of caution in allowing some phishing in rather than block the boss’s proposal. Threat intelligence feeds also play into the effectiveness of

Training methods prop up the old adage that the best offense is a solid defense. Training educates users throughout the company on what to look for, either through Computer Based Training, Seminars, emails or handouts. A consumer version of this kind of training may be found on the Australian Government’s Scam Watch page.

Testing methods serve as one of the more cost effective methods for checking user policy compliance. Phishing services, such as, send an organization’s employees phishing emails. The service reports statistics back to the Information Security Office on links clicked, emails reported and most importantly, appropriate disclosure response when someone does click a link.

A more encompassing test, Red Teaming, may be another suitable solution for the overall assessment of a company’s security posture in a larger organization with deeper pockets. In a Red Team exercise, penetration testers may use any hacking methods at their disposal, and social engineering, including phishing, spear phishing and whaling are all fair game. The results of a Red Team will be high profile, and entry through a successful phishing attack will be eye-opening for the impact of just a simple click.



This Article looks to provide a better understanding of email based social engineering practices, including phishing, spear phishing and the targeted form of phishing called whaling. An estimated 7000 businesses have been “harpooned” for over $740M dollars in losses. With social media giving hackers easier access to personal information whaling has become an ongoing problem. This article discusses simple preventative measures that can be implemented to protect your business.


CIPP Exam Preparation

In preparation for the Certified Information Privacy Technologist (CIPT) Exam, a privacy professional should be comfortable with topics related to this post, including:

  • Online Threats – Phishing/Whaling (CIPT; IV.C.a)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>