Phishing Evolved.

A whaling attack, or "phishing evolved," is aimed at a single, high-profile business target such as a C-Suite executive. This group has access to sensitive employee and/or customer data, banking accounts, and/or securities accounts. Phishers target this group with e-mails and web-pages embedded with malicious code. When the e-mail attachment is opened or the web-page is clicked, the code is activated. The malicious code installs backdoors or remote-access tools, or embeds keyloggers, and within hours or days the phisher has gained access.

How does the ‘bait’ differ between Plain-Vanilla Phishing and Whaling?

Plain-vanilla phishing attacks are a numbers game and are mass generated; they are casually addressed ‘Dear customer’ or ‘Dear user’ e-mails, web-pages or pop-ups that appeal to a personal aspect of the target’s life. They may include ‘once in a lifetime vacation offers’ that are time-sensitive, or an urgent message that appears to come from your bank, PayPal or Netflix account and threatens ‘account closure’ or ‘compromise.’

In the case of whaling, there are far fewer attacks, but the phishers are looking for a bigger score. Whaling campaigns are highly customized to an executive’s specific position and responsibilities within the organization. Moreover, the phishers will specifically target those individuals who have wire transfer authority. Phishers craft e-mails and malicious web-pages that appear to come from a trusted source and demand an immediate response.

The target opens the infected e-mail attachment or clicks through to a malicious web-page. Game over. Even more disturbing, once phishers have access they will often launch further attacks, causing considerable monetary and reputational damage.

Why is whaling pervasive? 

A key reason whaling is so pervasive is that individuals overshare personal and behavioral data on social media applications. Phishers harvest this publicly available information, otherwise known as open-source intelligence (OSINT). The well-crafted e-mails and web-pages are designed using the target’s OSINT. The more personal information the target shares publicly, the greater the risk that this information will be used to manipulate them.

The risks are real. 

The FBI has commented that whaling, or what they refer to as BEC (Business Email Compromise) attacks, is an ‘emerging global threat.’ Companies from all 50 US states and 79 countries have lost approximately $1.2 billion in the previous two years (2013-2015).

Reducing risk.

  • Lockdown privacy settings on social media accounts.
  • Limit the use of third-party applications.
  • Implement two-factor authentication and multiple signatures for the vendor payment process.
  • Employ a team either in-house or from the outside that can effectively assess the organization’s overall predisposition to phishing/whaling attacks by having a precise idea of what OSINT is available that could be used against the organization.
  • Increase awareness through continuous and ongoing training programs with staged, real-world phishing, whaling, and other social engineering attacks.
  • Look to C-Suite executives to make data breach preparedness a continuing priority for the entire company.

As information security professionals develop new defenses and warnings, the threat actors will continue to adapt, and we need to be prepared. There is no one-hundred percent fix for social engineering threats. The key is continuous training and reinforcement, and it should include all employees, not just management and the executive branch.

Cybersecurity is a shared responsibility. Stop. Think. Connect.

Phishing 101

Wait for it.

[Image: Dilbert comic about a phishing scam e-mail]

Email is an indispensable part of our everyday activities. It is also one of the most common methods that cyber criminals use to attempt to gain access to our personal information. A recent report from PhishMe concluded that “91% of cyber attacks start with a Phish.” The leading reasons people are deceived by phishing emails include threats (13.4%) and urgency (13.2%), followed by a reward, entertainment, and opportunity.

Phishing scams always have hidden motives, including targeting your cash and credit card data and/or gaining control of your computer and network resources.

Phishing scams are almost always fraudulent email messages that appear to come from legitimate enterprises (e.g., Netflix, your Internet service provider, your bank). The goal of the email is to direct you to a phony web page that requests personal information, using a sense of urgency and strong emotions, like fear or opportunity, to get you to comply.

What does a phishing email message look like?

[Image: example of a phishing email]

[Image: signs of a phishing email]

As seen in the examples above, phishing emails usually contain bad spelling and grammar. Additionally, there is always a link. Never click on a link in a suspicious email. Links can download files that infect your computer with harmful software. Instead, hover over the link with your mouse to see whether its real destination matches the address shown in the message.
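The hover check above (does the address the link displays match where it really goes?) can also be automated, for example in a mail gateway or a user-side reporting tool. The script below is an added example written for this post, not the author's code; the HTML message it scans is constructed for illustration, and the domain comparison uses a deliberately simple last-two-labels rule rather than a public-suffix list.

```python
"""Flag links in an HTML e-mail whose visible text names a different domain
than the one the href actually points to (the automated form of the hover check).
Added example, not the post's own code; uses only the Python standard library."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one link whose text shows a bank domain while the
# href goes elsewhere, one plain "click here" label, and one honest link.
SAMPLE_HTML = """
<p>Dear customer, your account will be closed unless you verify it now.</p>
<p>Visit <a href="http://account-verify.example.net/login">https://www.examplebank.com/secure</a></p>
<p>Or <a href="https://www.examplebank.com/help">click here</a> for help.</p>
<p>Status page: <a href="https://status.examplebank.com">status.examplebank.com</a></p>
"""

# Matches a domain name (optionally with scheme) inside the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently being read, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Reduce a host to its last two labels (assumption: no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_mismatched_links(html):
    """Return links whose displayed domain differs from the href's real domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = DOMAIN_RE.search(text)
        if not shown:
            continue  # labels like "click here" carry no domain to compare
        shown_domain = registrable_domain(shown.group(1))
        real_domain = registrable_domain(urlparse(href).hostname or "")
        if shown_domain != real_domain:
            findings.append({"text": text, "href": href,
                             "shown": shown_domain, "actual": real_domain})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_HTML):
        print(f"MISMATCH: text shows {f['shown']} but link goes to {f['actual']} ({f['href']})")
```

Running it on the sample flags only the first link: the text advertises examplebank.com while the href resolves to example.net. The honest status-page link and the "click here" label pass, which is the point of the check: it is the visible domain, not the mere presence of a link, that has to agree with the destination.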

Just a reminder: legitimate companies and organizations will never ask for passwords, social security numbers, or other personal information via email.

Be aware of phishing. Don’t take the bait. 

Cybersecurity is a shared responsibility. Stop. Think. Connect.