A whaling attack is a malicious attack on a company or organisation for financial gain or to steal sensitive information. A whaling attack differs from traditional hacking and phishing attempts in that the attacker will use information they have gathered from the internet to impersonate a working colleague and target high level employees. This guide has been produce by Astec Computing to help you understand and avoid the dangers of a whaling attack. http://www.astec.website/whale-phishing

1. Building Modern Business
01424 460721
enquiries@astec.email
www.astec.website
Data Security
Whale Phishing
Astec’s Guide To Protecting Your Business

2. Definition
Of A Whaling
Attack
What Makes Whaling Attacks
Successful?
It is not just SME’s at risk to whale phishing. In 2016, the
social media app Snapchat fell victim to a whaling attack
when a employee was emailed by a cybercriminal
impersonating the CEO and was tricked into releasing
employee payroll information.
Snapchat
A Whaling Attack Victim
Snapchat reported the incident to the FBI,
offered the employees affected by the leak free
identity-theft insurance and have since trained
staff to deal with this threat.
The term ‘Whaling’ comes from the fact that a usual target will have a significant or important role in the company i.e. a
big fish. ‘Whales’ are used in the spoofing in the hope that the role or authority of the position will encourage the
target to act on the request without questioning it.
Whaling attacks are often successful as they are a personalised attack rather than a generic spam email. Whaling
attacks can be successful depending on the amount of information available. If your organisation has a ‘meet the team’
page that displays the name, role, email address and contact details of all your staff then an attacker can use this
information to not only build a spoof profile but choose an appropriate target within your organisation.
Whaling attacks are difficult to identify as they are so personalised and rely heavily on social engineering to trick the
target. These attacks have become increasingly popular due to the potentially large sums of money involved and
therefore attackers will also spend more time on a particular target than a typical malicious attack.
1
Building Modern Business
A whaling attack is a malicious attack on a company
or organisation for financial gain or to steal
sensitive information. A whaling attack differs from
traditional hacking and phishing attempts in that
the attacker will use information they have
gathered from the internet to impersonate a
working colleague. An attacker can use this
information to build a profile of an organisation. A
common example is an attacker impersonating a
key member of staff such as a director or CEO and
asking someone in a finance role for a sum of
money to be transferred urgently.
www.astec.website

3. Building Modern Business
Assume It’s Fake
Never enter your account credentials for
any service into a web page unless you are
100% sure it’s the real thing, look for https
and don’t follow email links to login pages.
Tips To Prevent Whaling Attacks
Are You A Target For Whaling Attacks?
The more information you have publicly available, the more you put yourself at risk of becoming a target for whaling
attacks. By presenting lots of information about your staff and their contact details on the web, a hacker will have
more information for building a profile to target your organisation. Think about your ‘meet the team’ or staff page on
your website. If you have a detailed list of staff, their roles, contacts details and other information, then the attacker
has more firepower to build a personalised attack.
How Do Whaling Attacks Difffer From Typical Phishing Attacks?
Phishing attacks generally involve an attempt to gain a user’s credentials through a generic email such as asking you
to sign in to verify your account. Phishing attacks are often sent in volume and are easier to detect due to the
generic content and the location of links included in the spam email. Whaling attacks are a more targeted attempt
and often bypass a spam filter as the content does not require the inclusion of a malicious link.
3
Whaling attacks will often start with a probe email to test the success of a hacking
attempt. This may be something as simple as sending an email asking for a response,
once a response has been received to the spoofed account, typically they will then
attempt to obtain sensitive information or more likely, a transfer of money. Phishing
attacks cover a broader spectrum of malicious hacking attempts and are often
generic or targeted at a large group of people rather than a personalised
attack to a small group or single person.
Threats to security are greater than ever and come in
ever more sophisticated forms. Astec will provide you
with advice and guidance on avoiding being caught by
whaling attacks, but this represents just one area of your
security landscape.
2
Need Further Support?
Astec Is Here To Help
www.astec.website
Educate Your Team
Introduce simple but effective processes for
money transfers and educate your team –
never rely on an email request alone to
initiate money transfers.
Use Multi-layer Security
Use multiple layers of security solutions
that go beyond the basic spam filter and
antivirus software and consider
multi-factor authentication.
We design, build and deploy secure environments that
work for you and our security team can provide detailed
audits, security reviews and solutions to keep your
business and your data safe and compliant. Speak to our
security experts today.

4. Building Modern Business
Years of experience
Becoming a Microsoft Gold Partner has been achieved by investing in
our team for over 25 years. This means you have access to the most
skilled and knowledgeable people to help your business grow.
25
01424 460721
enquiries@astec.email
www.astec.website