
What is Whale Phishing Scam and how it is becoming a threat to Cybersecurity?

Recently, a US-based IT firm’s HR manager was duped into purchasing Apple gift cards worth Rs 10 lakh by cybercriminals posing as the company’s CEO. The fraudsters, using a WhatsApp number with the CEO’s picture, instructed her to buy the cards as gifts for employees. Only after she had purchased and sent the vouchers was it revealed that the CEO’s identity had been falsified.

An FIR was registered, and Pune Rural police are investigating. Whale phishing attacks like this one focus on high-profile individuals or on employees who handle finances. Pune has seen around 10 such attacks since July last year, which shows why understanding the whale phishing scam matters.

Phishing is a form of social engineering characterised by fraudulent attempts to acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an official-looking electronic communication, such as an email or an instant message. This cyberattack is designed to deceive individuals into providing confidential information, often leading to identity theft, bank account compromise, or unauthorised use of the victim’s computer for illegal activities.

The roots of phishing can be traced back to the 1990s, during the early days of the internet. A group of hackers, known as the “warez community,” impersonated America Online (AOL) employees to collect users’ personal information and login credentials. This group is credited with carrying out the first phishing attacks and is recognised as the original “phishers.”

Whale phishing, often referred to as “whaling,” is a sophisticated form of phishing that targets high-level executives, corporate officers, and other senior leaders within an organization. Unlike traditional phishing attacks, which aim at a broad audience, whale phishing focuses on those individuals who hold key decision-making authority and have access to sensitive corporate information or funds.

The attacks are typically executed through carefully crafted emails, text messages, or phone calls, designed to deceive the recipient into revealing confidential data or authorizing large financial transactions. Given its highly targeted nature and the potential for significant financial loss, whale phishing poses a particularly dangerous threat to corporations and governmental bodies.

Whale phishing, or whaling, is a subtype of phishing that primarily focuses on C-level executives such as Chief Executive Officers (CEOs), Chief Financial Officers (CFOs), and Chief Operating Officers (COOs), as well as other senior leaders who are in a position to authorize financial transactions or the release of sensitive information.

The name “whaling” is derived from the concept of going after “big fish”: in this case, high-profile individuals with substantial access to company assets. By targeting executives who may not be as familiar with cybersecurity practices as their IT teams, cybercriminals exploit a vulnerability that can lead to significant financial or reputational damage.

Phishing is not only a cybercrime but also a legal offense with serious consequences in many countries. Various jurisdictions have enacted laws specifically targeting phishing and similar cybercrimes.

Whale Phishing vs. Traditional Phishing and Spear Phishing

It is essential to understand the differences between whale phishing, traditional phishing, and spear phishing, as the terms are often used interchangeably but have distinct meanings in cybersecurity.

  • Phishing (Traditional): This is the broadest category and refers to fraudulent communications (via email, text message, or phone) aimed at tricking individuals into downloading malware, providing personal information, or making financial transfers. Phishing typically involves mass-email campaigns that are generic in nature, targeting thousands of individuals in the hope that a small percentage will fall victim.
  • Spear Phishing: Unlike traditional phishing, spear phishing is highly targeted, often focusing on specific individuals or departments within an organization, such as human resources or accounts payable. These attacks are personalized, based on detailed research of the target’s role and activities. For example, a cybercriminal may pose as a trusted colleague or business partner to manipulate the victim into making financial transfers or sharing sensitive information.
  • Whale Phishing (Whaling): Whale phishing is a form of spear phishing, but it exclusively targets high-ranking executives. Due to the seniority of the target, the attackers craft messages that are more complex, often impersonating another executive or high-level business associate. The end goal is usually to trick the executive into approving significant financial transfers or divulging confidential corporate data.

A typical whale phishing attack follows a detailed and well-researched plan. The attackers often spend weeks or even months gathering information on their target, such as their job title, recent projects, company email addresses, and interactions with colleagues or vendors. Much of this information is readily available through social media platforms like LinkedIn or through business publications and corporate websites.

The key steps in a whale phishing attack usually include:

  1. Researching the Target: Cybercriminals thoroughly investigate the target and their organization to gather as much information as possible. This research often includes social media activity, press releases, and even surveillance of ongoing email conversations. In some cases, attackers use spyware or malware to monitor the victim’s digital communications.
  2. Crafting the Message: The attackers compose a highly personalized email, text, or phone message that mimics a legitimate request. The message may refer to ongoing projects, recent discussions, or anticipated financial transactions, making the fraudulent communication appear authentic. For example, an attacker posing as the CEO might send an email to the CFO requesting an urgent wire transfer for a supposed acquisition or partnership deal.
  3. Creating Urgency and Confidentiality: Whale phishing messages often convey a sense of urgency, pressuring the recipient to act quickly without proper verification. Additionally, the communication may insist on confidentiality, instructing the executive not to discuss the matter with others to prevent “leaks” or avoid delaying the project.
  4. Spoofing Email Domains or Hijacking Accounts: To enhance the credibility of the scam, attackers may spoof email addresses to closely resemble those of legitimate colleagues (e.g., changing “company.com” to “cornpany.com”). In more advanced attacks, the hacker may even gain access to the actual email account of a trusted colleague or business partner, making it extremely difficult for the recipient to detect the fraud.
  5. Requesting Financial Transfers or Sensitive Data: Once the trust of the executive is established, the attacker will typically request the transfer of large sums of money to an offshore account or ask for confidential information, such as intellectual property or customer data.

Case Studies of Whale Phishing Attacks

Several high-profile cases of whale phishing have underscored the magnitude of the threat and the potential financial fallout from such attacks. For instance:

  • Ubiquiti Networks (2015): Whale phishing scammers impersonated both the CEO and the Chief Counsel of Ubiquiti Networks and convinced the Chief Accounting Officer to make a series of wire transfers amounting to nearly $47 million over a 17-day period. The attackers’ success was attributed to the highly convincing nature of the emails, which mirrored real communications within the company.
  • Pathé Film Group (2018): In another case, scammers posing as the CEO of Pathé’s headquarters in France convinced the CEO of the company’s Netherlands office to authorize wire transfers totalling EUR 19.2 million (approximately $21 million). The attackers claimed the transfers were necessary to fund a new acquisition.
  • Tecnimont SpA (2018): Scammers impersonating senior executives at the Italian engineering firm Tecnimont tricked the head of its Indian division into transferring $18.25 million to a bank in Hong Kong. The cybercriminals even staged fake conference calls to lend credibility to the fraudulent acquisition scheme.

Landmark Case: National Association of Software and Service Companies v. Ajay Sood & Others

A landmark case in the history of phishing law is the 2005 judgment in National Association of Software and Service Companies (NASSCOM) v. Ajay Sood & Others. In this case, the Delhi High Court declared phishing to be illegal, awarding damages of INR 16 lakh (approximately $20,000 USD) to NASSCOM. The defendants had sent fraudulent emails under NASSCOM’s name to obtain personal data for headhunting purposes. The court’s ruling set a strong legal precedent for combating phishing in India.

Justice P. Nandrajog noted that the internet had spawned novel methods for defrauding individuals and organisations. He described phishing as a form of internet fraud in which a person pretends to be a legitimate entity, such as a bank or insurance company, to extract personal information from users.

The rise of whale phishing poses financial risks and legal implications for companies that fail to implement adequate cybersecurity measures. Organisations may face regulatory scrutiny and legal liability if they are found negligent in safeguarding sensitive data or failing to implement sufficient cybersecurity protocols. Several jurisdictions, including the United States and the European Union, have enacted stringent data protection laws, such as the General Data Protection Regulation (GDPR), which impose hefty fines for data breaches that result from poor cybersecurity practices.

California was the first state in the U.S. to pass anti-phishing legislation through the Anti-Phishing Act of 2005. This law defines phishing as any attempt to solicit, request, or induce another person to provide identifying information by representing a business without the authority or approval of that business. Under the Act, phishing victims in California are entitled to relief of either the actual cost of damages or up to $500,000.

The law specifies that it is illegal for anyone to use web pages, email messages, or other Internet-based communication to solicit sensitive information by impersonating a legitimate business.

In India, phishing is recognized as a cybercrime and falls under the penal provisions of the Information Technology Act, 2000 (IT Act). The following sections of the IT Act apply to phishing attacks:

  • Section 43: Punishes unauthorized access, downloading, or introduction of malicious software into a computer system. If someone disrupts or denies access to computer resources without permission, they can be held liable under this section.
  • Section 66: Provides penalties for phishing activities where an individual gains unauthorized access to a victim’s accounts. It imposes a punishment of imprisonment for up to three years or a fine of up to five lakh rupees (approximately $6,800 USD), or both.
  • Section 66C: Prohibits the fraudulent use of electronic signatures, passwords, and any other unique identification of an individual. Phishers who impersonate legitimate account holders and perform fraudulent acts are liable for identity theft under this section.
  • Section 66D: Punishes individuals for cheating by impersonation through electronic means. This provision specifically addresses the fraudulent creation of websites or communications designed to deceive victims into providing sensitive information.

Under Section 77B of the IT Act, phishing-related offenses are bailable. However, phishing can also be prosecuted under other provisions of the Indian Penal Code, such as Cheating (Section 415), Mischief (Section 425), Forgery (Section 464), and Abetment (Section 107). (The Indian Penal Code has since been replaced by the Bharatiya Nyaya Sanhita, BNS.)

While whale phishing attacks are difficult to detect and prevent, organizations can take proactive steps to reduce their risk exposure:

  1. Security Awareness Training: Continuous employee training is essential, especially for high-level executives who may not be familiar with the intricacies of cybersecurity. This training should include methods for identifying phishing emails, avoiding oversharing on social media, and confirming unusual requests through a secondary communication channel.
  2. Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring additional credentials, such as a one-time passcode, in addition to a username and password. This can prevent unauthorized access to email accounts even if passwords are compromised.
  3. Phishing Simulations: Conducting phishing simulations for executives helps them apply the knowledge gained in training. These controlled exercises help identify weaknesses in the organisation’s defences.
  4. Email Security Tools: Implementing AI-based anti-phishing tools, spam filters, and secure email gateways can help detect and block whale phishing emails before they reach the target. Additionally, antivirus software can help neutralize malware used to conduct reconnaissance or hijack email accounts.
  5. Strict Financial Controls: Establishing firm policies that require verification of financial transactions through multiple channels can reduce the likelihood of falling victim to a whaling attack. For example, any financial request should be confirmed through a secondary communication method, such as a phone call.
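The lookalike-domain trick described in step 4 of the attack (“company.com” becoming “cornpany.com”), the executive-name-on-a-personal-number pattern from the Pune case, and the “email security tools” and “verify through a second channel” controls above can be turned into a concrete screening check. The following is an added example written for this column, not code from any product or from the organisations named on the page. It assumes a list of the organisation’s own domains and a roster of executive names; all domains, names and messages in it are constructed for illustration. It goes slightly beyond the page’s single substitution example by also folding other common confusable sequences, catching one- or two-character typosquats, and flagging a trusted domain embedded inside an unrelated one.

```python
"""Screen inbound sender addresses for lookalike domains and executive-name
impersonation. Added example; the domains, names and messages below are
constructed for illustration, not taken from any real organisation."""
import re
from dataclasses import dataclass

# Character sequences that visually imitate others in a sender domain.
# Constructed list; extend it with confusables relevant to your own domains.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def canonical(domain: str) -> str:
    """Lowercase and fold confusables so 'cornpany.com' and 'company.com' compare equal."""
    d = domain.strip().lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches short typosquats such as 'compny.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    address: str
    label: str    # "trusted", "lookalike", "external" or "malformed"
    reason: str


def classify_sender(address: str, trusted_domains) -> Verdict:
    """Compare the sender's domain against the organisation's own domains."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return Verdict(address, "malformed", "not a single user@domain address")
    domain = m.group(1).lower()
    for t in (x.lower() for x in trusted_domains):
        if domain == t or domain.endswith("." + t):
            return Verdict(address, "trusted", f"matches {t}")
        if canonical(domain) == canonical(t):
            return Verdict(address, "lookalike", f"confusable characters imitate {t}")
        dist = edit_distance(domain, t)
        if dist <= 2:
            return Verdict(address, "lookalike", f"edit distance {dist} from {t}")
        if t in domain:
            return Verdict(address, "lookalike", f"embeds {t} inside an unrelated domain")
    return Verdict(address, "external", "no relation to a trusted domain")


def screen_message(display_name: str, address: str, trusted_domains, executives) -> list:
    """Return the reasons a message needs out-of-band verification before any action."""
    flags = []
    verdict = classify_sender(address, trusted_domains)
    if verdict.label in ("lookalike", "malformed"):
        flags.append(f"{verdict.label}: {verdict.reason}")
    # An executive's name on a message from outside the company's own domains is the
    # "CEO writing from a personal number or mailbox" pattern and deserves a call-back.
    name = display_name.strip().lower()
    if name in {e.lower() for e in executives} and verdict.label != "trusted":
        flags.append(f"display name '{display_name}' used from a non-corporate domain")
    return flags


if __name__ == "__main__":
    trusted = ["company.com"]           # constructed corporate domain list
    execs = ["Jane Doe"]                # constructed executive roster
    samples = [                         # constructed messages
        ("Jane Doe", "jane.doe@company.com"),
        ("Jane Doe", "jane.doe@cornpany.com"),
        ("Jane Doe", "ceo.janedoe@gmail.example"),
        ("Accounts", "ap@company.com.secure-login.example"),
        ("Vendor", "billing@vendor.example"),
    ]
    for name, addr in samples:
        print(f"{addr:45} {screen_message(name, addr, trusted, execs) or ['ok']}")
```

The check is deliberately a trigger for the human control in item 5 rather than a replacement for it: any flagged message, and any unflagged message that asks for money or data, still goes through the secondary channel. The edit-distance threshold of 2 will over-flag very short domains, so tune it per organisation and keep the confusable table current.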

Whale phishing presents a significant threat to corporations and executives, with the potential for severe financial losses and legal repercussions. Given the targeted nature of these attacks, organisations must be proactive in implementing robust security protocols, educating their executives, and adopting advanced cybersecurity tools to mitigate the risk. While no single solution can fully prevent whale phishing, a multi-layered approach that combines human training with technological safeguards can significantly reduce the likelihood of a successful attack.

Phishing remains one of the most prevalent forms of cybercrime worldwide. According to a global survey titled “Phishing Insights 2021” by Sophos, a cybersecurity company, 83% of IT teams in Indian organizations reported an increase in phishing emails targeting their employees during 2020. This alarming trend highlights the need for stronger cybersecurity measures, both at the organizational and individual levels.

To mitigate the risk of falling prey to phishing attacks, companies must invest in robust cybersecurity training, implement advanced phishing detection tools, and enforce strict data protection policies. As phishing attacks continue to evolve, legal systems around the world must also adapt, ensuring that cybercriminals are held accountable and victims have access to justice.

Drafted by Shreyashi Chaudhary, 3rd Year, BBA LLB, Symbiosis Law School

Published on October 7, 2024

Legal Equity
