“72% of whaling attackers pretended to be the CEO, while 36% attributed to the CFO.”
– Anonymous

Protecting your business from spear phishing and whaling

Targeted email scams against your business are harder to spot, so you’re more likely to trust them.

Most people have heard of — or have experienced — phishing. It’s a common type of email scam. The sender pretends to be a trustworthy organization in an attempt to get you to provide them with personal information. It generally affects many people at once, and targets them at random.

Spear phishing and whaling scams are much more targeted in their approach. Their goal is to get information about a company or organization from someone who works there. It’s important to note that spear phishing and whaling attacks can be a precursor to another, more serious attack.

In a spear phishing attack, people within a company receive an email asking them to provide the sender with confidential company information. The emails will look like they’ve come from a particular department or person in the company.

Whaling specifically targets the management or executives in a company — the ‘big fish’. These are usually the people who have the most authority and the most access to sensitive business information.


How it works

Like phishing, spear phishing and whaling are email scams, but they’re much harder to spot. The emails look like they’ve come from someone within the company, so you’re much more likely to trust them. The attacker’s aim is to get information about your business, for example:

  • staff credentials
  • financial information
  • personally identifiable information (PII) about your customers
  • trade secrets or intellectual property (IP).

Attackers take time to plan and set up spear phishing and whaling attacks. Successful attacks are very profitable, so the amount of time spent crafting an attack is often worth it for the gain.

Before an attack is launched, the attacker will gather as much information about their target as possible. They can get it from social media, like LinkedIn or Facebook, from search engines, or from the company’s website. There’s often a lot of useful information available, such as:

  • company information — like details of staff and business partners — on the company website
  • personal information — like people’s names, their date of birth, and their hobbies — on social media.

This information can be used to tailor an attack to specific people. The more personal and customized an attack, the more likely it is to work.

Spear phishing and whaling emails will often refer to their subject by name and job title. They might request that you:

  • send them information by return email
  • open an attachment
  • pay an invoice
  • visit a fake website to enter personal information, like login details.

These requests seem urgent and sound legitimate. For example:

  • a staff member may get an email that looks like it’s come from the CEO. It could ask them to pay an invoice on their behalf, or send them private staff details
  • a CEO may receive an email asking them to click on a link to confirm their login details on the company website
  • an email may go out to staff that looks like it’s from HR, asking them to log in and change their password on the HR system.

The attackers could use the information they get from you to:

  • get a foothold into your network
  • install software on your devices, to maintain access to your network and monitor your communications
  • steal details or data about your business.

These all pose a significant risk to your business and your reputation.


Reduce your risk

As spear phishing and whaling attacks are difficult to recognize, you might not know you’ve been targeted until it’s too late. Although you can’t prevent an attack, there are things you can do to reduce the risk for your business. A mix of staff education, technology, and validation of the processes you use to prevent these attacks is key to reducing your risk. Talk to your IT support person or a local computer services company if you need help implementing any of these steps.

  • Train your staff to know what to look out for. Make sure they understand what to do in certain circumstances — for example, when they get an unexpected email asking them to pay an invoice.
  • Confirm any email requests that you’re not expecting, or that seem strange, by another means. Call the sender to confirm the request if you can. If a request looks like it’s come from within the business, check it with the sender by phone or in person.
  • Don’t click on web links sent by someone you don’t know, or that seem out of character for someone you do know. If you’re not sure about something, contact the person you think might have sent it to check first.
  • Don’t give out personal or business information by email.
  • Put privacy settings on your social media accounts to limit who can see them, and keep details about you or your business to a bare minimum.
  • Think about implementing a social media policy for your business. This can help guide staff on what they can or can’t post about their work.
  • Ensure that appropriate security measures are in place for your organization. Think about:
    • antivirus
    • firewalls
    • email filtering
    • antispam
    • limiting access to external websites within your network
    • segmenting highly privileged accounts (like administrator and root accounts)
    • documenting and testing processes for dealing with security incidents
    • how you monitor and react to security events.
  • Keep your support contracts (with your antivirus provider or your firewall provider, for example) up to date.
  • Make sure that you have an incident response plan in place for dealing with security events.
  • Regularly validate the security processes you have in place to ensure that they work as expected, and update them if they don’t.
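The email-filtering and staff-training steps above both come down to recognising the same handful of tells: an executive’s name on an address that isn’t theirs, a sender domain that imitates the company’s, a Reply-To that sends answers somewhere else, and urgent pressure paired with a request for money or credentials. The following is an added example, not code from the original article or from CERT NZ, of a small rule-based checker that applies those tells to a raw email message. The company domain (`example.co.nz`), the executive directory, and the three sample messages are all constructed for illustration.

```python
"""Added example (not from the original article): flag common spear-phishing
and whaling tells in a raw email message. The company domain, the executive
directory and the sample messages are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.co.nz"  # assumed company domain (constructed)
# Assumed directory of the executives most likely to be impersonated (constructed).
EXECUTIVES = {
    "jane smith": "jane.smith@example.co.nz",      # CEO
    "rangi parata": "rangi.parata@example.co.nz",  # CFO
}
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)
REQUEST = re.compile(
    r"\b(invoice|payment|wire|transfer|password|login|log in|payroll|staff details)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str) -> bool:
    """True for an external domain within two edits of ours, or one that
    embeds our organisation's name (e.g. example-co.nz)."""
    domain = domain.lower()
    if domain == INTERNAL_DOMAIN:
        return False
    org_label = INTERNAL_DOMAIN.split(".")[0]
    return edit_distance(domain, INTERNAL_DOMAIN) <= 2 or org_label in domain


def _body_text(msg) -> str:
    """Concatenate the text/plain parts of a single-part or multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")


def assess(raw_message: str) -> list[str]:
    """Return human-readable reasons the message looks like spear phishing or
    whaling; an empty list means no rule fired."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []

    # 1. Display name of a known executive, but not their real mailbox.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' is an executive but address is {addr}")

    # 2. Sender domain imitates the company domain.
    if is_lookalike_domain(domain):
        reasons.append(f"sender domain {domain} resembles {INTERNAL_DOMAIN}")

    # 3. Replies would go somewhere other than the apparent sender.
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != domain:
        reasons.append(f"Reply-To {reply_addr} differs from From domain {domain}")

    # 4. Urgent pressure combined with a request for money or credentials.
    body = _body_text(msg)
    if URGENCY.search(body) and REQUEST.search(body):
        reasons.append("urgent request for payment or credentials in body")
    return reasons


# Constructed sample messages (not real mail).
SAMPLE_WHALING = """\
From: "Jane Smith" <jane.smith@examp1e.co.nz>
Reply-To: jane.smith.ceo@freemail.test
To: tom.lee@example.co.nz
Subject: Quick favour

Hi Tom, I am in a meeting and cannot talk. Please pay the attached supplier
invoice today, it is urgent. Thanks, Jane
"""

SAMPLE_LEGIT = """\
From: "Jane Smith" <jane.smith@example.co.nz>
To: tom.lee@example.co.nz
Subject: Board minutes

Hi Tom, could you send me the minutes from Monday's board meeting when you get
a chance? Thanks, Jane
"""

SAMPLE_HR = """\
From: "HR Department" <hr@example-co.nz>
To: all-staff@example.co.nz
Subject: Password expiry

Please log in to the HR system immediately and change your password.
"""

if __name__ == "__main__":
    for label, sample in [("whaling", SAMPLE_WHALING), ("legitimate", SAMPLE_LEGIT),
                          ("hr lure", SAMPLE_HR)]:
        print(label, "->", assess(sample) or ["no rule fired"])
```

Running the file prints four reasons for the whaling sample, none for the genuine internal request, and two for the HR lure. A checker like this is only a first pass: it sees what is in the headers and body, not whether the request itself is genuine, which is why the article still tells you to confirm unexpected requests by phone or in person.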

Visit CERT NZ for more information.
Visit ACSC for more information.