
What is executive phishing, and how can you prevent it?


30 March 2023

Hook, line, and sinker: What’s the bait in executive phishing and whaling? 

Phishing is simple, but the consequences are pretty serious.

According to IBM’s Cost of a Data Breach Report 2022, it was the second most common cause of data breach in the US in 2022, and averaged $4.91 million in breach costs for companies.

Stats like that make it clear why it makes sense to help people recognize phishing scams. But what about executive phishing?


Executive phishing is along the same lines, but the scammers ape a company’s high-level staff, such as CEOs. In other words, they use the sway of the biggest fish to get a bite.

Impersonating the general rather than a foot soldier may seem like a tall order for cybercriminals. But they know exactly what they’re doing.

And, as with so many parts of cybercrime, they’re banking on the human element.

What’s the difference between executive phishing and whaling?

Alright, let’s start with executive phishing.

It’s no secret that an organization’s leadership commands a certain level of influence. It stands to reason, then, that people want to keep leadership happy. They want to do what their boss asks of them—even if the request is a bit weird. 

And this people-pleasing tendency can make people panic or put haste ahead of caution when they are dealing with the C-suite. 

For example, Matt gets an email from his CEO asking him to transfer urgent funds. Usually he’d ask for more details and follow standard procedures before moving money around, but this is the Big Cheese telling him to do something. So he’d better get on and do it.

That’s exactly what the scammer’s counting on. And it can happen to anyone. 

Matt authorizes the payment. Unbeknownst to him, the money has landed in the cybercriminal’s bank account.

To make matters worse, incidents like this can go undiscovered for months. Data breaches involving stolen credentials take an average of 243 days to identify and another 84 days to contain. Scary.

So, that’s executive phishing. But what about whaling? 

This is when a scammer targets an executive directly. Rather than trying to catch a small fish by using a CEO persona—like what happened to Matt—whaling is about catching the big and powerful figures in an organization.

The executives are subject to the exact same process—the scammer poses as someone known to the recipient and asks for sensitive data or for money. 

A senior leader may have bags of knowledge and experience and skills—but they, too, are human. And that means they’re at risk of failing to scrutinize the request before complying and falling into the trap.

Want to make sure your security strategy covers executive phishing and whaling? Fear not, because we’re about to give you some examples, some prevention tips, and some advice on what to do if you get caught.

Six examples of executive phishing 

Sometimes phishing emails are complex, and sometimes their effectiveness is in their simplicity. Either way, knowing what they are and why they are effective is a good starting point. 

Scammers often meticulously research the formatting of their emails to make them as believable as possible. Within that email, typical phishing examples include:


Fake links: Within the email is a link—perhaps they want you to create an account on the new HR platform, maybe it is just to a news article you’ll find interesting. Whatever the bait is, the result is the same: malware.


Password requests: They might ask you to change your password, again via a link. And by entering your password, you are giving them your login details.


Fake attachments: You receive an email from your CEO asking you to read the attached document. The download is malware (no surprises here, huh?).


Transfer of funds: The CEO is traveling, or so the email says. They don’t have access to the company accounts while abroad. In their absence, would you mind transferring these funds to our loyal client before we risk losing them to a competitor over the delay?


Spear phishing: A net trawls for any phish it can get. A spear is sharp and precise. When scammers spear phish, they research their target so the email is relevant and personal. For example, it might reference a specific deal or client they know you are working on, to make the scam more believable. Once they have gained your trust with the intimate knowledge of your current circumstances, they can apply the same old phishing tricks with even more effectiveness.


Whaling: Scammers may use any of the above tactics, but this time they turn on the C-suite. They will use a personalized fake email to try and trick senior members of staff, like the CEO, into giving over credentials or funds. 
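Every example above relies on the same header-level trick: the message carries a senior person's name, but the address behind it, or the address replies go to, belongs to someone else. The following screening script is an added example and is not CybSafe's code; the executive roster, corporate domain and the three sample messages are all constructed for illustration. It parses inbound messages with Python's standard `email` module and flags the two patterns the article describes: an executive's display name on a sender outside the company domain, and a Reply-To that quietly diverts the conversation off-domain, combined with the urgency language of a funds-transfer request.

```python
"""Screen inbound mail for executive-impersonation patterns.

Added example (not CybSafe's code). EXECUTIVES, CORPORATE_DOMAIN and the
SAMPLE_MESSAGES below are constructed for illustration.
"""
import email
from email.utils import parseaddr

# Constructed roster of executives whose names attackers would be likely to borrow.
EXECUTIVES = {"alice hart": "ceo", "bob ramos": "cfo"}
CORPORATE_DOMAIN = "example.com"  # hypothetical company domain

# Words typical of the "urgent transfer while I'm travelling" pretext.
URGENCY_WORDS = ("urgent", "wire", "transfer", "immediately", "confidential")


def _norm_name(name):
    """Lower-case and collapse whitespace so 'Alice  Hart' matches 'alice hart'."""
    return " ".join(name.lower().replace(",", " ").split())


def _domain(addr):
    """Return the domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw):
    """Return {'findings': [...], 'suspicious': bool} for one RFC 5322 message."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()

    findings = []
    # An executive's name on a sender that is not the corporate domain.
    if _norm_name(from_name) in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        findings.append("executive_name_external_sender")
    # Replies are steered to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_domain_mismatch")
    # Pressure language typical of payment-fraud pretexts.
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgency_language")

    suspicious = "executive_name_external_sender" in findings or (
        "reply_to_domain_mismatch" in findings and "urgency_language" in findings
    )
    return {"findings": findings, "suspicious": suspicious}


def triage(messages):
    """Assess a batch and return the indices of messages to hold for review."""
    return [i for i, raw in enumerate(messages) if assess_message(raw)["suspicious"]]


# Constructed sample messages: one impersonation, one legitimate, one Reply-To diversion.
SAMPLE_MESSAGES = [
    """From: Alice Hart <alice.hart.ceo@mail-example.net>
To: matt@example.com
Subject: Urgent wire transfer needed
Reply-To: alice.hart.ceo@mail-example.net

Matt, I'm travelling and can't reach accounts. Please transfer the funds today.
""",
    """From: Alice Hart <alice.hart@example.com>
To: matt@example.com
Subject: Board deck draft

Matt, attached is the draft for Thursday.
""",
    """From: Bob Ramos <bob.ramos@example.com>
To: matt@example.com
Reply-To: b.ramos@mail-example.net
Subject: Confidential: client payment

Can you process this immediately? Reply to me here, my main inbox is down.
""",
]

if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_MESSAGES):
        print(i, assess_message(raw))
    print("hold for review:", triage(SAMPLE_MESSAGES))
```

The third sample is the case worth noticing: the From address is on the genuine domain, so a name-versus-domain check alone passes it, and only the Reply-To mismatch plus the urgency wording catches it. Heuristics like these complement, rather than replace, SPF, DKIM and DMARC enforcement and a payment process that verifies transfer requests out of band.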


How to prevent executive phishing 

There are a few simple ways to mitigate the risk of falling victim to executive phishing, which we’ve compiled for you here in a handy list . . . because we’re nice like that.


Update your software: Make sure your anti-malware software is up to date. Ensure your staff update their laptops or devices when they are given the chance. Outdated or expired protection software is a chink in your organization’s armor.


Knowledge is power: Make sure your staff know what kind of phishing scams are out there and how to recognize them. Conduct training regularly so it’s at the top of their minds, and so they are abreast of any new techniques being employed by malicious parties.


Company devices: Ensure staff are only using company devices for company business. Train them on the dangers of using their personal devices for work.


Access control: If someone doesn’t need access to certain documents or accounts—revoke it (or, you know, don’t give it to them in the first place).


Phishing simulations: This is not to name and shame your staff. It’s to help you understand your risk level, and help people learn to identify phishing scams.


Company culture: It’s one thing to know what to do, it is another to do it. We’re not going to get into all the details here—we’ve already written about it in this ebook on people-centric security.


Password hygiene: This is just cybersecurity 101. 


Nudge people: Make sure people practice what you preach with the help of security nudges.

Swim, don’t sink.

Download our free phishing eBook to stay ahead of the game. 
