The concept of phishing is nearly as old as the internet. AOL chatroom members would ‘fish’ for passwords from other AOL users via fake chatroom messages or emails and turn these passwords around for pranks and profit. The first organized phishing attack against a business is thought to have been carried out against an early alt-currency site, E-Gold, in 2001[1]. Email spoofing of currency and ecomm sites became commonplace in the years following, and today, warnings against password sharing, account number sharing, and suspicious requests for information of all types are as ubiquitous (and easily ignored) as speed limit signs or daily sugar intake recommendations.
How dangerous are the waters?
In 2022, there was a 61% increase in the rate of phishing attacks. This trend is expected to continue in 2023, as phishing remains one of the most effective ways for cybercriminals to gain access to sensitive information. But modern phishing attacks are little more than blindly dropping baited hooks into the water and trying to pull in anything that bites. This may mean that the Senior IT Architect with broad administrative access clicks a link after one too many all-nighters putting the Fortune 100 company’s aging computer system back together. Or it may mean the college student on their mom’s computer clicks a link while trying to file their taxes online for the first time. At the end of the day, the ransomware is delivered, but the cybercriminal now must spend time trying to extort money from a victim who may not have a lot to start with.
Some criminals decide, rather than blindly attacking every device on the Internet and hoping for a jackpot, to stack the odds in their favor. Whaling[2] is a type of targeted phishing attack that zeros in on high-profile individuals, such as CEOs, CFOs, CIOs, IT administrators or other persons with authority or privileged access. The goal is to gain access to the account and send instructions to others in the organization under the age-old principle of “do whatever the boss says.” Whaling attacks are often very sophisticated and can be difficult to detect. The attacker may use social engineering techniques to gain the target’s trust or pretend to be from a trusted organization. If phishing is akin to street mugging, then whaling is casing the ritzy neighborhood for weeks to plan the perfect break-in.
The strategy has proven lucrative. According to AAG, the average data breach in 2022 cost $4M while the average whaling attack cost $47M.[3]
Why is whaling so effective?
Doomsday headlines on the (sometimes) exceptional capabilities of generative AI to mimic and deceive can make it feel like whaling is at the fingertips of anyone with an internet connection. But the fact is whaling takes finesse and is a skill learned over a long time. Attackers must identify their target organization, select their victim, and find their vulnerabilities before even making the first contact. They must know what they are after and how to use the victim to get it. And they must present a convincing enough front to avoid detection by people who are often steeped in training on avoiding phishing scams.
Many in the C-suite of the Fortune 500 have assistants who triage, summarize, and filter emails before they would even hit the inbox of the targeted whale. Getting through this layer is going to take more than an AI-generated email offering free company raffle tickets. To get through this first layer, you have to create a crisis that seems real enough to believe, and urgent enough to not double check.
Unfortunately, what makes the first layer so effective at preventing phishing attacks is what makes whalers who break through so successful. Imagine having an inbox where everything in it is filtered, curated, actionable, and pristine. It becomes easy to let your guard down and click a fake link forcing you to login to approve an ‘urgent sales deal.’ And even easier to click one that seems to be from the resort you are due to stay at next week, or your children’s school. Whalers find techniques and topics that will both pass through the administrative filtering process and fail to trigger any suspicion in the target. This may be more miss than hit, but given enough time and opportunity, the hits will stack up.
How to save the whales?
It would be easy to end this discussion on statements urging privacy online – don’t share details about your life on social media, don’t let your personal life become searchable, don’t give the whalers anything to work with. It would be almost as easy to end it on warnings to keep your guard up – never trust an email or text on first sight, no matter what it says. But neither tact is new advice, and while both are good advice, neither are realistic and neither will hold up for long.
A more effective strategy may be to build baffles and compartments into both personal and business procedures. Separate critical business procedures and messages into systems with more safeguards than emails or texts. Ensure IT and finance teams have separate accounts, and even separate computers or networks, for performing privileged activities. This ensures an errant click on the account with email won’t compromise the data accessible from the account that has no email access. In personal affairs, keep categories of communication tied to different email accounts, phone numbers, platforms, or even devices, so any crossover raises alerts instantly, and any compromise won’t give away everything.
If all of that feels too daunting, then teach them to follow these three principles of Internet security:
- Never enter your username or password on a webpage you arrived at by clicking a link in an email, text message, or social media post.
- Level Up: Use a password keeper that automatically fills information into webpages after matching the right domain to the right credentials.
- Never send money, give bank account information, or reveal confidential information in email unless you personally talk to the sender and verify, they sent the requested information.
- Level Up: Refuse to use email to send this information altogether. Establish portals and verified communications tools to send information with the ability to track and self-destruct upon use.
- Enable MFA whenever it is offered and stop putting confidential or critical business information into websites that do not offer MFA.
- Level Up: Secure your password keeper and secure client portals with a hardware encryption key.
[1] https://www.phishing.org/history-of-phishing
[2] Other terms and classifications arise from cybersecurity professionals to differentiate between the types of phishing attacks, such as spear phishing, vishing, smishing, etc. While these classifications have value to researchers and cybersecurity practitioners, they are distinctions without a difference for this article.
[3] https://aag-it.com/the-latest-phishing-statistics/#:~:text=Phishing%20was%20the%20most%20common,costs%20a%20business%20%2447%20million.