Whaling Phishing


Latest news:

November 13, 2014:
LinkedIn and social media used as tool to find whales.



In casino parlance, a whale is a big spender or individual with a high net worth. Casinos will compete to keep such people happy, and often have special concierges and comp plans in place for these gamblers. Someone who drops millions at a casino might get a complimentary private jet ride, limo service, and a suite so they stay on property for as long as possible.

Who is most at risk from a whaling spear-phishing attack?

Sophisticated hacking attack aimed at wealthy people.

Whaling, in relation to the term spear-phishing, is a specific form of phishing attack that goes after senior executives and high-profile targets within organizations. One of the reasons for such whaling attacks is that senior executives often have unfettered access to large amounts of employee data, and also control large balances in banking and securities accounts which they may access online either from their offices or at home. Therefore, whaling spear-phishing attacks can result in far greater rewards for hackers, and often can pass through phishing filters because a relatively small number of emails has been sent out, so the messages can't be identified with the same reliability as typical junk email.

For example, a spear-phishing whaling attack could be done by taking data stolen from a high-end retailer or member association that has a large percentage of executives or wealthy people on its list. People on that list would get emails purporting to be from the organization, but the emails may contain viruses or trojan-horse programs. Similarly, the emails may direct people to a copy of the organization's site and request username and password information.

More sophisticated attacks may take over a target's computer and record all the sites visited by that person, plus all the keystrokes on their computer, so in a matter of a few days the hacker would have access to personal account data and company passwords which could lead to large individual and company losses. Unfortunately, the author's personal experience also indicates that executives tend to be more credulous than ordinary employees, and will fall for the flimsiest fraud when given the opportunity.
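Because so few copies of a whaling email are sent, a filter protecting executive mailboxes has to judge each message on its own content rather than on volume. The following is an added example, not part of the original article: it flags executive-bound mail whose display name claims a known organization while the sender domain or the links point elsewhere. The mailbox addresses, the organization "Harbor Club", its domains and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Assumptions (constructed): executive mailboxes, and the organizations they
# really deal with mapped to the domains those organizations send from.
EXECUTIVES = {"ceo@corp.example", "cfo@corp.example"}
TRUSTED_ORGS = {"harbor club": {"harborclub.example"}}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample messages.
SPOOFED = (
    "From: Harbor Club Membership <notices@harborclub-members.example>\n"
    "To: cfo@corp.example\nSubject: Renew your membership\n\n"
    "Confirm your login at https://harborclub.example.login-check.example/renew\n"
)
GENUINE = (
    "From: Harbor Club <news@mail.harborclub.example>\n"
    "To: ceo@corp.example\nSubject: Autumn events\n\n"
    "Details at https://www.harborclub.example/events\n"
)

def domain_ok(host, allowed):
    """True only for an allowed domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def whaling_findings(raw):
    """Return reasons an executive-bound message looks like a spoof."""
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = {addr.lower() for _, addr in getaddresses(headers)}
    if not rcpts & EXECUTIVES:
        return []  # this check only covers mail addressed to executives
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    body = body if isinstance(body, str) else ""  # plain-text bodies only
    findings = []
    for org, domains in TRUSTED_ORGS.items():
        if org not in name.lower():
            continue  # message does not claim to come from this organization
        if not domain_ok(sender_domain, domains):
            findings.append(f"display name claims '{org}' but sender domain is {sender_domain}")
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if not domain_ok(host, domains):
                findings.append(f"link host {host} is not a '{org}' domain")
    return findings
```

The suffix match in domain_ok is what catches a host that merely begins with the real domain name, as in the constructed copy-of-the-site link above.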

To prevent spear-phishing among the wealthy, some discretion may be necessary. Advertising your wealth on social media may attract elements who will try to get to you through the weak members of your inner circle, or through your accountants. Careful control of emails and phone numbers is necessary to prevent attempts to separate you from your money or account information. Executives often get around this by having direct relationships with personal bankers and others who are in charge of their funds, but it is still important to remember that these people may be the target as well.

Notes and Special Information

Special note: When in doubt, retain a person with some information security credentials, as opposed to that nephew who says he knows everything.