Question: What Is 'Whaling'? Is Whaling Like 'Spear Phishing'?
Answer: Whaling is a specific form of 'phishing' or 'spear phishing'. It is a digital con game that targets upper managers in private companies. The objective is to swindle the upper manager into divulging confidential company information from their hard drives.
Whaling, like any phishing con game, involves a web page or email that masquerades as being legitimate and urgent. In a regular phishing scam, the web page/email might be a faked warning from your online bank or from PayPal. The faked page might frighten the target with claims that their account has been charged, and that they must enter their ID and password to confirm the charge.
In the case of whaling, the masquerading web page/email will take a more serious executive-level form. The content will be crafted to target an upper manager and the person's role in the company. The content of a whaling attack email is often written as a legal subpoena, customer complaint, or executive issue.
What Exactly Does a Whaling Scam Email Contain?
Whaling scam emails are designed to masquerade as a critical business email, sent from a legitimate business authority. The content is meant to be tailored for upper management, and usually involves some kind of falsified company-wide concern. Sometimes, the whaling email will claim to be from the Better Business Bureau, seeking to confirm a complaint against the target company. Whaling phishermen have also forged official-looking FBI subpoena emails, and claimed that the manager needs to click a link and install special software to view the subpoena.
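The lure ingredients described above (an impersonated authority such as the FBI or the Better Business Bureau, a legal or urgent pretext, and a request to install software to view the document) can be turned into a simple indicator scorer. The following is an added example, not code from the original article: it scores a message on those indicators plus a link check, using a hypothetical authority-to-domain table and constructed sample messages (the `.example` domains are placeholders, not real senders).

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Authorities the article says whaling lures impersonate, mapped to the domains
# they would legitimately mail from. Hypothetical table built for this example.
CLAIMED_AUTHORITY_DOMAINS = {
    "fbi": ("fbi.gov",),
    "better business bureau": ("bbb.org",),
}
# Pretext vocabulary drawn from the lure types the article describes.
LEGAL_URGENCY_TERMS = ("subpoena", "complaint", "legal action", "court", "immediately")
INSTALL_TERMS = ("install", "download", "add-on", "plugin", "viewer")
EXECUTABLE_EXT = (".exe", ".msi", ".scr", ".js", ".zip")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)

    @property
    def likely_whaling(self):
        # Threshold chosen for this example: three independent indicators.
        return self.score >= 3


def sender_domain(from_header):
    """Return the domain part of the From: address, lowercased ('' if absent)."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def _matches_domain(host, allowed):
    return any(host == d or host.endswith("." + d) for d in allowed)


def score_whaling_indicators(from_header, subject, body):
    reasons = []
    domain = sender_domain(from_header)
    text = f"{from_header}\n{subject}\n{body}".lower()

    # 1. Names an authority (FBI, BBB) but does not mail from that authority's domain.
    for name, allowed in CLAIMED_AUTHORITY_DOMAINS.items():
        if name in text and not _matches_domain(domain, allowed):
            reasons.append(f"invokes '{name}' but sender domain is '{domain}'")
            break

    # 2. Legal or urgent pretext in the headers or body.
    hits = [t for t in LEGAL_URGENCY_TERMS if t in text]
    if hits:
        reasons.append("legal/urgency pretext: " + ", ".join(hits))

    # 3. Asks the reader to install or download something to see the document.
    if any(t in text for t in INSTALL_TERMS):
        reasons.append("asks recipient to install or download software")

    # 4. Links to a host other than the sender's own domain, or directly to an executable.
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if domain and not _matches_domain(host, (domain,)):
            reasons.append(f"link host '{host}' differs from sender domain '{domain}'")
        if parsed.path.lower().endswith(EXECUTABLE_EXT):
            reasons.append(f"link points at an executable: {parsed.path}")

    return Verdict(score=len(reasons), reasons=reasons)


# Constructed sample messages (not real mail) for a quick demonstration.
LURE = (
    "FBI Subpoena Desk <notice@fbi-legal-notices.example>",
    "Subpoena: your appearance is required",
    "To view the full subpoena you must download and install our document viewer:\n"
    "http://fbi-legal-notices.example/viewer/subpoena.exe",
)
BENIGN = (
    "Jane Doe <jane.doe@partner.example>",
    "Q3 contract renewal",
    "Draft attached for your review; call me with any questions.",
)

if __name__ == "__main__":
    for msg in (LURE, BENIGN):
        v = score_whaling_indicators(*msg)
        print(msg[1], "->", v.score, v.likely_whaling, v.reasons)
```

The scorer is deliberately additive: no single indicator is decisive (a genuine BBB complaint notice will mention a complaint), but a message that invokes an authority from an unrelated domain, uses a legal pretext, and asks for a software install hits the threshold, which is the pattern the article describes.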
Do Executives and Managers Really Fall for These Whaling Emails?
Yes, unfortunately, managers often fall for whaling email scams. In the case of the recent 2008 FBI subpoena whaling scam, 20,000 corporate CEOs were attacked. Approximately 2000 of them fell for it and clicked on the whaling link, believing it would download a "special" browser add-on to view the entire subpoena document. In truth, the linked software was a key logger that secretly recorded the CEOs' passwords and forwarded them to the con men. As a result, each of the 2000 compromised companies was further hacked in some way, and a few of them were particularly damaged by the attacks.