If a phishing attack casts a wide net to employees at all levels of an organization, it follows that a whaling attack focuses on reeling in the big fish. In this case, the ‘whale’ is a higher-level executive within the company. The goal is network access and, ideally, access to C-suite executive information.
Here the hacker takes his or her time and does initial background research on the target in order to send the whale something relevant that the executive has a very high chance of acting upon.
One example is an executive at a Fortune 500 company that sells products directly to consumers. In this case, the CEO is famous for being very public about how his company offers the best customer service in the industry. Knowing this, the would-be attacker sent the CEO an email containing a customer complaint that appeared to be from the Better Business Bureau. The CEO saw this in his inbox preview window and, concerned about a potential public relations problem, opened the email to read it. Only, the email was not from the Better Business Bureau, and the act of opening it gave the hacker enough access to inject malware into the CEO’s computer without initial detection.
Another example of this type of attack happened to the VP of Human Resources at a major technology company. By researching publicly available social media, the hacker learned this VP has 5 children. The hacker then sent a bogus email from a major US healthcare insurance provider touting a new, inexpensive benefits plan for families with 4 or more children. The HR professional saw this in his inbox preview window and, for professional and personal reasons, opened the email, thus exposing himself to malware injection.
This is a particularly lucrative and growing technique, helped in part by the explosion of public personal information available via social media and by the reality that many C-suite executives are not as computer literate as middle and lower-level employees.