In business and finance, a whale is a big player, a high-net-worth individual or institution that can move markets at a stroke. However, in cybersecurity, whales and whaling have another meaning. A whaling attack is the targeting of one of those big players, be it a blue-chip company, billionaire, celebrity, or noted institution. The aim of the whale attack cybercriminals is to capitalize on the target’s ability to pay large ransom amounts, knowing that they might do so to protect their reputations or the brands they represent.
While today whaling causes damage to businesses big and small, there is little reason it has to. It’s not difficult to learn to recognize the main indicators of phishing and, for company owners and managers, to educate employees to do the same. Wise executives can implement phishing prevention practices in their companies to forestall attacks, preventing a public relations nightmare and widespread hassle – and potentially saving organizations countless dollars. With education and prevention, whaling can become a futile exercise, an attempted hacking method of the past.
While all attacks by cybercriminals are a crime, no matter if directed at senior executives, small business owners, or just your regular Joe, there are people who consider whaling a controversial subject. That’s because in many cases, whaling attacks are underreported. At first glance, it may seem strange that businesses wouldn’t immediately report a whaling attack, but there is a logic to it: some of these targeted individuals and companies may believe that it is better to keep quiet, giving in to the demands of hackers after a ransomware attack or remaining silent after a phishing scam, rather than admitting that they have been compromised.
Why Are Whaling Attacks Unreported?
As the public faces of huge corporations, executives have a lot to lose if their reputation – or that of their company – becomes tarnished. Their public relations team and their company’s board may feel that paying off the criminal gangs could be less expensive than damaging the company’s brand or causing a drop in stock value after announcing their business has become a victim to a serious cyberattack. While anyone can fall victim to a cyber attack, large, Fortune 500 companies and other big businesses may believe they are above such scams; they may feel they are too smart, too savvy, or too well-protected to succumb to such events.
So while some companies and individuals will try to cover up that they have been scammed, the truth can and often does come out. Companies may decide they need to make a public admission, perhaps driven by the fear that leaks to the media may force them to come clean eventually anyway. In other cases, companies may be obligated to report security or other breaches. In fact, most Fortune 500 and publicly traded companies are required by law to report cybersecurity incidents. The Biden Administration extended this practice by issuing an executive order in 2021 stating that any company doing business with the Federal Government must immediately report a security breach. This is in addition to SEC regulations dating from 2012, which compel public companies to report cyberattacks to regulators and set out the changes they will make to protect themselves and their clients in the future. Businesses that are in countries that are signatories to the European GDPR are also required by law to report certain data breaches. The fine can be up to €10 million (approx. $10.5 million) or 2% of the company’s annual turnover for declining to report such breaches.
But the question remains: If there are laws requiring the reporting of cyberattacks and breaches, why do companies try to cover it up? The answer isn’t simple. On the one hand, it is possible that a company or individual isn’t aware of the duty to report, although this would seem increasingly unlikely. On the other hand, it’s probable that refusing to report cyberattacks is a reputational or financial decision. Stock prices usually decline when there is news of a data breach at a blue-chip company. For example, the Capital One data breach of 2019 saw the stock of the financial services company fall by 6% when the breach was publicly reported, and that figure more than doubled to almost 14% in the weeks after. Studies have also shown that the financial damage to the company’s reputation can be long-term.
However, companies are also playing with fire when they don’t report. In 2017, Uber was found to have covered up a massive data breach that impacted millions of customers worldwide. The ride-share company was also found to have paid off the hackers to the tune of $100,000 to delete the data and keep quiet on the attack. The admission cost Uber’s Chief Security Officer Joe Sullivan his job, and it forced CEO Dara Khosrowshahi to make a groveling apology to customers and investors. The question, therefore, should not be why companies don’t report whaling cyberattack. The question should be: how can companies and individuals stop whaling attacks from happening in the first place.
Hacks and Data Breaches Can Be Embarrassing for Executives
Falling for a scam can be embarrassing for executives and organizations, particularly when it was a CEO or other c-suite member’s actions that led to the incident. Consider, for instance, the case of an Australian hedge fund in 2020, which lost $8.7 million in a phishing attack. The hackers were able to compromise the hedge fund by sending out a fake Zoom invite – a typical phishing tactic during the pandemic. The link was not opened by a careless low-level employee, however – it was opened by one of the hedge fund’s co-founders. The fake Zoom invite allowed hackers to install malicious links software, which, in turn, enabled them to create a series of fake invoices on the hedge fund’s email system. Moreover, there were no alarm bells: Executives at the hedge fund only noticed that their systems had been compromised after checking the fund’s bank account and realizing millions of dollars were missing. It’s a stark warning that all hackers need to gain access is for the proverbial door to be left slightly ajar – and even something as seemingly insignificant as a Zoom link can serve as a door – to kickstart a sophisticated whaling attack.
Oftentimes, when a serious whaling event occurs, the buck stops with the person in charge, such as the CEO or other executives like the CTO or CXO. That was the case in Austria in 2016 when hackers used a scam known as the fake president incident and posed as the CEO of aerospace company FACC in a series of emails. The scammers were able to swindle roughly $47 million out of FACC using sophisticated phishing techniques. After the incident became public, the board voted to fire CEO Walter Stephan.
Targeting Smaller Fish
It is not only large corporations that are at risk for whaling attacks. One unnamed individual went on the record with NPR in 2019. Asking to hide his identity, “Mark” (not his real name) spoke of the embarrassment of being duped by hackers in phishing scams, and how he believed revealing the truth would hurt his Seattle real estate business. This story is an intriguing one, as it explains how hackers patiently watched and listened to correspondence between “Mark” and his business associate, pouncing at the opportune moment to divert $50,000 to the scammers’ account. This is an example of the growing trend of BEC (business email compromise), which uses whaling tactics to target high-profile businesses and individuals via email scams.
Getting Your Money Back – Rare after a Whaling Attack
The question of dealing directly with hackers or alerting the authorities tends to come up time and time again. Interestingly, studies have shown that those paying off criminals after a ransomware attack are likely to be hit by a second attack. Still, there are rare instances where the stars align after a whaling attack, allowing companies to get their money back. This was the case with the toy company Mattel. $3 million was stolen in another fake president incident, this time through an elaborate scheme emanating from China. But through a little luck, Mattel was able to work with the FBI and Chinese authorities to freeze the hackers’ accounts and recoup the money.
Reeling in the Big Ones
But Mattel’s case is, unfortunately, an outlier. While you might forgive a toy company for falling victim to an elaborate scam, it’s worth noting that even the most tech-savvy brands and individuals can see huge amounts of money put at risk through whaling attacks. Such was the fate of networking technology firm Ubiquiti Networks Inc., which lost a whopping $46.7 million due to executive communication phishing. As mentioned earlier, many companies are compelled to report the hacks, and Ubiquiti was one such business. In this case, the company had to report the whaling attack to the SEC in its quarterly filings in the summer of 2015.
Email security should always be one of the top priorities of those organizations that transfer large sums of money such as Fortune 500 companies. As we have illustrated thus far, whale phishing campaigns are typically sophisticated, well-defined, and patiently executed. That was apparent in the 2015 case of commodities trader Scoular, which lost $17 million after an executive was hoaxed by an intricate series of emails purporting to be executing an M&A (mergers and acquisitions) deal. The money then disappeared, as the global-thinking crime gang used a series of fake email addresses throughout Europe and the Middle East, servers in Russia, and a fake bank address in Shanghai.
Whaling Attacks Can Prioritize Data Over Cash
For a variety of reasons, hackers may not always have cash as their primary goal, at least not directly. When Snap suffered a data breach back in 2016, the whaling hackers targeted information not cash when they sought access to the payroll data of many of its employees. This was once again a spoof CEO scam, with hackers pretending to be CEO Evan Spiegel in an email exchange with the HR department. Again, this was embarrassing for a supposedly tech-savvy company like Snap, which was forced to supply all affected employees with two free years of identity theft insurance.
Similarly, in the same year, workers’ data at Seagate, a huge S&P 500 technology company, was obtained by cybercriminals after an employee fell for an email scam. The employee unwittingly sent records of colleagues’ (past and present) W-2 data, which is used for tax purposes. At the time, experts claimed that those affected could be vulnerable to tax refund fraud for years to come.
Big Targets for Big Payoffs – Why Whaling Works
Hackers are anything but stupid. In fact, their understanding of psychology can often help with the success of their whaling attacks. They know, for example, that audacious scams like pretending to be the CEO of a Fortune 500 company can work as employees are less likely to question or challenge “the boss” if they have made strange requests by email or other communications. Moreover, hackers know these companies are likely to be cash rich and accustomed to sending vast amounts of money to clients and partners with a push of a button. It’s one of the reasons that whaling attacks are common, and it’s why some of the most daring scams are pulled off successfully.
