Targeting the big fish in cyber crime

Publication date: 05 February 2019
Article type: Blogs and Articles

CEOs are a top target when it comes to cyber attacks. Cyber security specialist Paul Holland describes the practice of whaling and outlines how organisations can protect themselves against it.

‘Whaling’ isn’t a practice you’d normally expect CEOs to be worrying about, but nevertheless, it is on the rise and starting to create ripples in the business community.

No, I’m not talking about the appalling act of spearing orcas but a worrying new trend in cyber attacks.

What exactly is whaling?

Whaling is a unique type of phishing where CEOs, MDs and other C-level executives are specifically targeted. Cyber criminals often mine for information on these high-level employees, hack into their systems and impersonate them to steal money or data.

The practice gets its name from the idea that hackers are targeting the ‘big fish’.


‘C-level executives are a mine of high-value information and data’


Why are CEOs and MDs a prime target?

First and foremost: value. Inevitably C-level executives are a mine of high-value information and data. Just as a burglar would be more likely to target a pristine mansion than a rickety old house, cyber criminals expect to get more out of their efforts when they target a CEO.

Senior executives are likely to have information to which most others would not have access, such as details of contract values and deals in the pipeline. In fact, the lead up to a merger or acquisition is a prime danger zone.

Second, people do what CEOs say. If the boss emails another staff member asking them to pay a bill, they will do it – and that’s often how whalers make their ‘kill’.

It’s also easy for hackers to gather personal information about their victims to make the attack more plausible. CEOs are the ‘public face’ of the business so there’s likely to be a wealth of information about them in online news articles and on social media. Add to this the fact that hackers can easily intercept emails if they’re unencrypted (most are) and you can see how they can get their hands on pretty much anything.

How do cyber criminals do it?

Whalers build up a picture of the CEO and the organisation. They’ll often comb through a company’s website to see who’s who and decide who they could trick into doing something on behalf of the ‘CEO’.

They can also intercept emails sent by CEOs and use the contents to plan their attack. For example, they may note that a CEO has received an invoice from their lawyer for work on a corporate deal. The whaler could recreate that invoice, replacing the bank details with their own, and send it to the finance director (pretending to be the CEO) asking them to pay it.

Unwittingly, the finance director has just transferred £10,000 to a criminal. And he or she still has the real bill to pay.

How can you prevent whaling?

The first line of defence is always to educate staff about these types of scam and the warning signs. Hold regular training sessions and teach them to look out for tell-tale signs of a scam, such as poor grammar; advise them to hover over the email address to check it’s the right one.

Another priority is to protect the content of your emails. Sending an email without encryption is like leaving your house without closing the door: a burglar can walk straight in. Sending an email with encryption is better: it’s like closing the door and locking it behind you.

An encrypted email system not only encrypts emails so hackers can’t read them, but also allows users to verify that they are opened by the intended recipient. It does this by allowing users to set a challenge question that only the real intended recipient knows the answer to.

Ultimately, by coupling technology with training you are in the best position to protect yourself from being a whaling victim.


‘The first line of defence is always to educate staff about these types of scam and the warning signs’


Top tips for CEOs to protect themselves from cyber attacks:

  • Always hover over links before clicking on them – it’ll reveal the URL the sender is guiding you to, and if you think it’s suspicious, don’t click on it.
  • Be careful when using a tablet or mobile phone – many of these devices don’t allow you to hover over links, so if in doubt, save it for when you’re in front of a computer.
  • Double check the email address – hackers can send emails that look like they’re from someone you know, but in fact they come from a completely different email address.
  • Be suspicious – if in doubt, call the sender to verify they sent the email.
  • Hold regular training with your staff – whalers may email them pretending to be you so tell them what to look out for.
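The two checks above that a human does by eye (does the sender address really belong to the organisation, and does a link go where its text says it goes) can also be automated for a mailbox or a mail gateway. The script below is an added example, not code from this article or from Beyond Encryption. It assumes the organisation’s real mail domain is `example.com`, uses a constructed sample message, and treats a sender domain within two character edits of the real one (or one that matches it after common substitutions such as `rn` for `m` and `1` for `l`) as a lookalike; those thresholds are assumptions to tune for your own domain.

```python
"""Added example: automating the 'double check the email address' and
'hover over the link' tips against a constructed message.
Not the article's or Beyond Encryption's code; TRUSTED_DOMAIN, the sample
email and the lookalike heuristics are assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own mail domain. Mail that claims to come
# from the CEO should come from here, not from a near miss of it.
TRUSTED_DOMAIN = "example.com"

# Regex for a hostname inside visible link text, e.g. "https://portal.example.com/x".
HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """Flag a domain that is not the trusted one but is visually close to it."""
    if domain == trusted:
        return False
    normalised = domain.replace("rn", "m").replace("1", "l").replace("0", "o")
    return normalised == trusted or edit_distance(domain, trusted) <= 2


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs: the information a mouse hover reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_message: str) -> list[str]:
    """Return human-readable warnings for the sender and link checks."""
    msg = message_from_string(raw_message)
    warnings = []

    # Check 1: the real address behind the display name.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(address)
    if sender_domain != TRUSTED_DOMAIN:
        if is_lookalike(sender_domain):
            warnings.append(f"sender domain {sender_domain!r} is a lookalike of {TRUSTED_DOMAIN!r}")
        else:
            warnings.append(f"sender domain {sender_domain!r} is outside {TRUSTED_DOMAIN!r}")
    if "@" in display_name:
        warnings.append(f"display name {display_name!r} contains an address, real sender is {address!r}")

    # Check 2: where each link actually points versus what it shows.
    body = msg.get_payload(decode=True) or b""
    collector = LinkCollector()
    collector.feed(body.decode(msg.get_content_charset() or "utf-8", "replace"))
    for href, text in collector.links:
        target = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(text)
        if shown and shown.group(1).lower() != target:
            warnings.append(f"link text shows {shown.group(1)!r} but points to {target!r}")
        elif target and target != TRUSTED_DOMAIN and not target.endswith("." + TRUSTED_DOMAIN):
            warnings.append(f"link points to external host {target!r}")
    return warnings


# Constructed sample: a lookalike sender domain and a link whose text disagrees with its target.
SAMPLE_EMAIL = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e.com>
To: finance@example.com
Subject: Urgent: invoice payment
Content-Type: text/html; charset=utf-8

<p>Please settle today via
<a href="https://pay.lookalike.example/invoice">https://portal.example.com/invoice</a>.</p>
"""

if __name__ == "__main__":
    for warning in analyse(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

Run against the sample, `analyse` reports both the lookalike sender domain and the mismatched link; a message from the real domain with links that stay on it produces no warnings. The heuristics deliberately err towards flagging, since the outcome is a prompt for the reader to pick up the phone, which is the article’s own advice for anything doubtful.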

Paul Holland is CEO of cyber security firm Beyond Encryption.