Big Fish

In their never-ending quest to find new ways to run scams or access critical business data, hackers have been taking aim at a somewhat unexpected – and, in some cases, unexpectedly vulnerable – target:


The strategy is called “whaling” (as in, going after the big fish), and it has emerged as a significant risk for organizations worldwide. In April 2016, the FBI reported that these kinds of attacks cost companies over $2.3 billion in the previous three years and that the number of victims and amount of exposed losses rose 270 percent since January 2015. According to the bureau, up to 7,000 U.S. businesses have been hit, suffering losses of $740 million.

Unlike phishing or spear phishing, in which the cyber-criminal typically includes a malicious attachment or link in an email sent to a large number of recipients, whaling is a social engineering attack that takes aim at, or uses the identity of, key corporate leadership: CEOs, CFOs, executive-level management, etc.

The approach isn’t all that complicated.

The hacker sends out an email to (or from) an executive that has been customized to that specific target; it will reference his or her role within an organization and focus on a sensitive company concern. Often using an urgent-sounding message line to the effect of “Need Action Now,” it will ask the recipient to do something that, in the context of the communication, makes perfect sense. When the target complies, he or she will have unknowingly exposed servers, financial data, passwords, computers, etc.

For example, the hacker might send an email to a member of the company’s financial team that appears to come from a legitimate source such as the CFO or CEO, saying the IT department urges the resetting of passwords. When the target does so, he or she opens a back door to the company’s data that the bad actor can exploit. In another instance, the recipient will be asked to complete a wire transfer from the corporate account to a fake account the hacker has set up.

In 2008, in one of the more widely cited cases of an early whaling attack, hackers hit 20,000 corporate executives with a personalized email that looked like a subpoena and demanded they appear before a federal grand jury. It included a link that purported to provide additional information. Ten percent, or 2,000, of the intended victims clicked the link, giving the cyber-crooks access to corporate passwords and other critical data and allowing further attacks on their companies.

Social engineering relies on the natural human instinct to believe something that appears to be true. So hackers patiently research their targets to find as much personal information as possible to give the appearance of legitimacy. Interestingly, they look to social media sites such as Facebook and LinkedIn, which can contain a reservoir of seemingly innocent information that can be turned against the target.

So what can these corporate “big fish” do? Here are five ways to fight back:

  • Don’t believe everything you read. If you get an email that suggests some kind of urgent action is immediately necessary, first pick up the phone and call whoever it came from before clicking on anything. This has the dual benefit of validating (or not validating) the request, and signaling to your IT department that the company is under cyber-attack.
  • Train employees and executives. There is a tendency to believe that most malicious attacks can be detected by anti-virus software or prevented by firewalls. But that’s simply not true – and it’s especially not true of whaling. Potential targets (and their administrative assistants) need to be trained as to what an attack looks like, how it is executed, and what to do if it’s suspected. Software won’t affect human behavior. Awareness will.
  • Beware of typosquatting. This is a common practice of hackers. They’ll send the recipient to a link whose URL looks official but is slightly off – Twittter, for example – or use a different top level domain (.net as opposed to .com). Clicking the link will take the target to a page that looks official, with the same brand logo and type fonts, but in fact can allow the automatic download of malware upon landing. Notification services are available to let a company know when someone registers a domain name similar to their own.
  • Review privacy settings on social media. As mentioned above, social media profiles and postings can include the kind of personal information that makes hackers’ jobs easier – and puts executives at risk. By limiting who can see this data, you have a better chance of preventing hackers from accessing it. Along those same lines, avoid arbitrarily adding unknown individuals to your networks. By now, it’s common knowledge that the people behind the profiles we see online are often not who they say they are.
  • Employ a multi-layered validation/authorization system. Put a process in place that allows the release of sensitive data only if authorized by two or more specific individuals inside the organization. This can serve as an effective safety valve in the event that a whaling attack manages to avoid other security measures.
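
The typosquatting check described in the list above can be automated for the links in an incoming message. The following is an added example, not code from the original article: it flags a host whose name is within a small edit distance of a domain you own (the “Twittter” case) or that uses the same name under a different top-level domain (.net instead of .com). The protected list, the distance threshold and the sample links are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed for illustration: the domains your organization actually owns.
PROTECTED = ["twitter.com"]
MAX_DISTANCE = 2  # assumed threshold; tune it to limit false positives


def registered_parts(host):
    """Return (name, tld) from the last two labels (ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(host, protected=PROTECTED):
    """Label a host as legitimate, a TLD swap, a lookalike, or unrelated."""
    name, tld = registered_parts(host)
    owned = [registered_parts(p) for p in protected]
    if (name, tld) in owned:
        return "legitimate"
    for good_name, good_tld in owned:
        if name == good_name:
            return f"tld-swap of {good_name}.{good_tld}"
        if edit_distance(name, good_name) <= MAX_DISTANCE:
            return f"lookalike of {good_name}.{good_tld}"
    return "unrelated"


def check_url(url):
    """Classify the host a link really points to, regardless of its display text."""
    return classify(urlsplit(url).hostname or "")


if __name__ == "__main__":
    for link in ["https://twittter.com/login", "https://twitter.net/reset",
                 "https://login.twitter.com/", "https://example.org/"]:
        print(link, "->", check_url(link))
```

A mail gateway or reporting add-in could run `check_url` on every link in a message and hold anything labelled a TLD swap or lookalike for review.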

A study found that in 2017, CEOs and upper-level executives will each send and receive somewhere in the neighborhood of 50,000 emails. Given those numbers, it is not shocking that a whaling attack might slip through. But by better understanding the characteristics and tactics of these attacks, corporations can minimize the potential that their leadership will get harpooned by bad actors.


Mark Elliott is a Best-Selling Author and CEO. His company, 3i International, helps you apply technology to improve performance and compliance. For over 25 years, Mark has been helping startups to Fortune 500 companies overcome the technology challenges they face. He develops strategies to analyze, manage, and adapt to the ever-changing technology landscape. A central focus has been security and compliance. His experience includes preventing, detecting, and responding to hackers and threats. This keeps your organization safe from invasions while simultaneously meeting regulatory compliance.