Gone phishing

The latest tech is enabling scammers to mount ‘whaling’ attacks on high-net-worth individuals

In mid-2024 Sygnia CEO Magda Wierzycka took to social media to reveal that her insurers had contacted her, telling her that they had had a ‘data breach’ in which sensitive personal information, including her residential address, contact details and ID number, was disclosed to presumed scammers. ‘They don’t know who did it,’ she wrote on X.

The data breach had occurred via Discovery Insure, which divulged that Wierzycka was one of 19 people whose personal details had been obtained by hackers. ‘Through Discovery’s audit and forensic screenings, we detected a scam where an impersonator called the Discovery Insure call centre requesting the policy details of Discovery Insure clients,’ Discovery told TechCentral. ‘We identified 19 instances where the impersonator passed the verification process.’

Discovery was unsure how the hacker got details regarding its customers. ‘The impersonator most likely obtained personal information from historical third-party data breaches, outside of Discovery, and used the personal information to attempt to pass Discovery Insure’s identification and verification screening,’ the company stated.

Wierzycka had become (albeit in a roundabout fashion) a victim of a focused type of phishing attack known as ‘whaling’.

‘Whaling attacks, often referred to as CEO fraud or executive phishing, are sophisticated cyberthreats targeting an organisation’s high-profile individuals,’ according to a research paper by Cisco. ‘Whaling attacks are particularly challenging to detect because they often don’t contain the usual red flags of phishing attempts, such as malicious attachments or links. Instead, they rely on social engineering and the perceived authority of the supposed sender to trick the recipient.
‘This subtlety often allows them to bypass traditional email security measures, making them a dangerous and effective form of cyberattack.’

Cisco says the practice of phishing, which has been around for over 30 years, has evolved to include spear phishing and now whaling.

‘Spear phishing and whaling are very targeted attacks,’ Gerhard Swart, chief technology officer at cybersecurity company Performanta, told IT Online. ‘Here’s how to tell the difference. If an email pretends to be from someone it’s not but is very generalised, that’s phishing. If the email was designed to target a specific person by using details only applicable to them, that’s spear phishing. And if the person is being targeted for their wealth and assets, that’s whaling.’

Cisco details how hackers have changed their phishing tactics over the years. ‘Early attackers used generic messages in their attempts. Now they conduct thorough research to personalise whaling emails, making them appear highly credible. They use details from social media, company announcements and press releases to craft convincing narratives. Instead of a single deceptive email, attackers now engage in prolonged interactions and work to build trust over time before making their fraudulent request. This approach makes it harder for victims to recognise they’re under attack. Modern attackers rapidly learn to leverage the latest technology for their own means. For instance, generative AI is used to craft emails, making them highly convincing. Phone-call scammers have also adopted AI technology to clone high-profile voices for their impersonations.’

The organisation says that instead of creating fake accounts, ‘attackers increasingly compromise actual accounts of colleagues or subordinates to launch their whaling attempts, making their deceptive emails more credible’. It adds that modern whaling attacks are designed to evade traditional security measures.
‘For example, instead of using malicious links or attachments that can be flagged, attackers might use secure document-sharing platforms or request direct replies.’

Whaling attacks are highly targeted and exploit the position of executives, who often have significant authority, access to sensitive information and control over financial transactions, according to Maher Yamout, lead security researcher at Kaspersky.

‘They are the proverbial “big fish” in the business world, hence the term “whaling”. Unlike broader phishing schemes, whaling attackers invest time in tailoring their approach, leveraging executive profiles and specific company details to generate their fraudulent messages, making them seem more believable. The fraudulent communications that are sent appear to have come from someone specifically senior or influential at their organisation – such as the CEO or finance manager. This adds an extra element of social engineering into the mix, with senior staff often reluctant to refuse a request from someone they deem to be very important.’

Yamout says whaling attackers gather information about their targets by exploiting common sources of publicly available data. ‘Attackers rely on open-source intelligence, harvesting information from social media platforms like LinkedIn, company websites, press releases and even online interviews. These sources provide a wealth of details, including job titles, business relationships and professional responsibilities.

‘Using this data and artificial intelligence-based tools, attackers create convincing narratives, significantly reducing the likelihood of detection by executives. Current trends include attackers using artificial intelligence to mimic executive communication styles and language patterns. These cybercriminals are increasingly employing personalised emails, often masquerading as urgent requests from CEOs or other senior figures.
‘Another development is the use of compromised or spoofed accounts to add legitimacy to their messages, enabling them to bypass traditional security mechanisms.’

Alas, he says, executives make common cybersecurity mistakes and often exhibit behaviour that makes them more susceptible to whaling attacks. ‘Top executives are often very busy. They receive a lot of emails and notifications, including urgent ones, so they can overlook fraudulent messages. Also, they often share a significant amount of professional information online. This makes them highly vulnerable to these targeted attacks. Common mistakes include neglecting to verify urgent requests via secondary communication channels, using weak passwords and reusing passwords across accounts. Additionally, the lack of regular cybersecurity awareness training among executives can leave them ill-prepared to spot these increasingly sophisticated attacks.’

Scammers also routinely slip past technical safeguards such as email filters to reach executives. They write content that avoids the trigger words spam filters commonly flag, and they often send from compromised email accounts, or use legitimate services and encrypted attachments, to evade detection. By keeping their approach highly personalised, these cybercriminals significantly increase their chances of bypassing technical defences.

Yamout says there are some effective strategies organisations can adopt to protect their executives from whaling attacks. ‘Organisations should adopt a comprehensive, multi-layered approach that includes frequent, tailored cybersecurity awareness sessions. They should strengthen authentication by enabling two-factor authentication [2FA] for sensitive accounts and transactions. They should enhance email security by implementing advanced email filtering solutions with AI-based anomaly detection.
‘It’s also important to improve verification processes by updating policies to require the independent verification of high-stakes requests – such as financial authorisations – via phone or other communication methods. Lastly, minimise the sharing of information.’

That final instruction is perhaps the most telling. With the growing availability of personal information online, cybercriminals are increasingly targeting specific groups: high-ranking executives, workers with access to sensitive data, and employees whose roles place them close to either decision-makers or a company’s computer networks. Certain sectors, such as financial services, healthcare and government departments, are particularly attractive because of the nature of the information and resources they handle.

‘The main thing to understand about spear phishing and whaling is that these attacks require more planning and preparation,’ says Swart. ‘If someone has special access to systems and information, they are more likely to be a target. But the people around them can also be targets. Advisers, assistants, even people’s children have been targeted in attempts to get closer to the main victim.’

By Patrick Farrell

Image: iStock
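The filtering and verification advice in the article (anomaly detection rather than trigger words, and holding high-stakes requests for independent confirmation) can be made concrete with a small mail-triage script. The following is an added example written for this page; it is not code from Cisco, Kaspersky, Performanta, Discovery or any product the article names. The corporate domain, executive directory, confusable-character table and the three sample messages are constructed placeholders. The script scores a message on identity signals: a display name that matches an executive while the address does not, a sender domain that imitates the corporate one, a Reply-To that steers replies elsewhere, and an urgent request involving money. Anything scoring high enough is recommended for out-of-band verification rather than silently blocked, which matches the article's advice to confirm such requests by phone.

```python
"""Executive-impersonation triage over inbound e-mail headers and body.
Added example: scores identity anomalies instead of relying on trigger words.
All domains, names and messages below are constructed placeholders."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Hypothetical corporate domain and executive directory (constructed for this example).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {
    "jane chief": "jane.chief@example.com",
    "ravi finance": "ravi.finance@example.com",
}

URGENCY = re.compile(r"\b(urgent|immediately|today|asap|confidential|before close)\b", re.I)
MONEY = re.compile(r"\b(wire|transfer|payment|invoice|pay|funds|gift cards?)\b", re.I)
ADDRESS = re.compile(r'^\s*"?([^"<]*?)"?\s*<?([^<>\s]+@[^<>\s]+)>?\s*$')
# Characters commonly swapped into a registered domain so it reads like the real one.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def parse_address(header: str) -> tuple[str, str]:
    """Split 'Display Name <user@domain>' into (display_name, lower-cased address)."""
    m = ADDRESS.match(header)
    if not m:
        return "", header.strip().lower()
    return m.group(1).strip(), m.group(2).lower()

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def skeleton(domain: str) -> str:
    """Collapse visually confusable characters so examp1e.com compares equal to example.com."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; a small distance to the real domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str) -> bool:
    if domain == CORPORATE_DOMAIN:
        return False
    return skeleton(domain) == skeleton(CORPORATE_DOMAIN) or edit_distance(domain, CORPORATE_DOMAIN) <= 2

@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

    @property
    def action(self) -> str:
        if self.score >= 5:
            return "hold for out-of-band verification"
        return "flag for review" if self.score >= 3 else "pass"

def triage(headers: dict[str, str], body: str) -> Verdict:
    """Score one message; header names are treated as case-sensitive for brevity."""
    v = Verdict()
    name, addr = parse_address(headers.get("From", ""))
    from_domain = domain_of(addr)
    known = EXECUTIVES.get(name.lower())
    if known and addr != known:  # the classic whaling tell: right name, wrong mailbox
        v.add(3, f"display name {name!r} is an executive but address is {addr}")
    if is_lookalike(from_domain):
        v.add(3, f"sender domain {from_domain} imitates {CORPORATE_DOMAIN}")
    if "Reply-To" in headers:
        _, reply = parse_address(headers["Reply-To"])
        if domain_of(reply) != from_domain:  # replies are steered away from the sender
            v.add(2, f"Reply-To domain {domain_of(reply)} differs from sender domain")
    if URGENCY.search(body) and MONEY.search(body):
        v.add(2, "urgent request involving money")
    return v

# Constructed sample messages: one genuine, two impersonation attempts.
SAMPLES = [
    ({"From": "Jane Chief <jane.chief@example.com>"},
     "Please see the attached board agenda for next week."),
    ({"From": "Jane Chief <jane.chief.ceo@gmail.com>", "Reply-To": "jc-office@outlook.com"},
     "I need an urgent wire transfer to a new supplier today. Keep this confidential."),
    ({"From": "Ravi Finance <ravi.finance@examp1e.com>"},
     "Invoice attached, please pay before close of business."),
]

if __name__ == "__main__":
    for headers, body in SAMPLES:
        v = triage(headers, body)
        print(f"{v.score:2d}  {v.action:35s} {headers['From']}")
        for r in v.reasons:
            print(f"      - {r}")
```

The genuine message scores 0 and passes; the free-mail impersonation scores 7 and the lookalike-domain invoice scores 8, so both are held. The deliberate design choice is that none of the high-weight signals depend on wording, so an attacker who avoids spam-filter vocabulary, as the article describes, still trips the identity checks.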