Whaling is a type of phishing – an attempt to trick a person into disclosing valuable information, usually login details, by spoofing an email or a website or through social engineering. Phishing becomes whaling when it targets high-value individuals, such as business managers, company directors or financial controllers. The goal is either to obtain on-line banking credentials or to deceive the target into initiating high-value transactions that end up in the hands of the attacker.
Apart from its targeting, whaling differs from phishing in the quality of its presentation. The content is usually well researched and specific to the organisation and the individual being targeted, without the tell-tale spelling mistakes so typical of phishing.
For example, a whaling attempt might present a fake email from a company’s CEO or managing director to the company’s financial director asking for a large amount to be transferred to a bank account controlled by the attacker.
The practice of “whaling” is becoming more widespread. Today the BBC reports on how a French SME nearly lost half a million Euros; many businesses are not so lucky, as the £1 million loss at St Aldhelm’s Academy in Poole, Dorset, shows.
Unfortunately, many successful whaling attacks remain unreported, since the business that suffers the loss seeks to avoid negative publicity.
All businesses should have a security procedure for authorising and performing banking transactions and accessing on-line banking, which takes account of the threat of phishing. They should avoid the use of email to request financial transactions and should perform routine verification of the authenticity of any transaction request.
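As an added illustration of the verification the article calls for (example code written for this page, not part of the original article), the following Python check looks for the tells that a spoofed "CEO to finance director" email leaves in its headers, before anyone acts on the request. It assumes a constructed executive directory and company domain (`example.com`), and the three sample messages are constructed as well. It flags a display name that matches an executive but a mailbox that is not theirs, a sender domain that is a near-miss of the real one, a Reply-To that points somewhere else, and payment language in the subject or body. A hit is a reason to pick up the phone, not a verdict on its own.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory: the real mailbox for each executive who may
# authorise payments. In practice this would come from the HR/IdP system.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # lower-cased display name -> mailbox

# Words that mark a message as a transaction request worth verifying.
PAYMENT_WORDS = ("transfer", "wire", "payment", "invoice", "urgent")

# Flag strings in the order assess() reports them.
FLAG_IMPERSONATION = "display-name impersonation"
FLAG_LOOKALIKE = "lookalike sender domain"
FLAG_REPLY_TO = "reply-to domain differs from sender"
FLAG_PAYMENT = "payment request keywords"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss domains like examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def assess(raw_message: str) -> list:
    """Return the list of whaling indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    name, addr = parseaddr(str(msg.get("From", "")))
    name, addr = name.strip().lower(), addr.lower()
    from_domain = domain_of(addr)

    # 1. The display name is an executive's, but the mailbox is not theirs.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        flags.append(FLAG_IMPERSONATION)

    # 2. The sender domain is a close misspelling of the company domain.
    if from_domain != TRUSTED_DOMAIN and edit_distance(from_domain, TRUSTED_DOMAIN) <= 2:
        flags.append(FLAG_LOOKALIKE)

    # 3. Replies would go to a different domain than the apparent sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        if domain_of(reply_addr) != from_domain:
            flags.append(FLAG_REPLY_TO)

    # 4. The message asks for money to move.
    text = (str(msg.get("Subject", "")) + "\n" + msg.get_content()).lower()
    if any(word in text for word in PAYMENT_WORDS):
        flags.append(FLAG_PAYMENT)

    return flags


# Constructed sample messages (not real traffic).
SPOOFED = """From: Jane Doe <jane.doe@gmail.com>
Reply-To: Jane Doe <ceo.office@outlook.com>
To: finance@example.com
Subject: Urgent wire transfer

Please transfer 450,000 EUR today to the account below. I am in meetings, email only.
"""

LOOKALIKE = """From: Jane Doe <jane.doe@examp1e.com>
To: finance@example.com
Subject: Payment

Please process the attached invoice payment before close of business.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Board lunch

Can we move Thursday's lunch to 1pm?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legitimate", LEGITIMATE)):
        print(label, "->", assess(raw) or "no indicators")
```

The check deliberately compares the full mailbox, not just the domain, so a message from a second mailbox on the company's own domain that borrows an executive's name is also flagged. A clean result does not prove the request is genuine; the procedure the article describes still applies, and a payment request arriving by email should be confirmed with the supposed sender through a channel the email did not supply.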