And speaking of fishing, this brings to mind the homophonic term phishing that has become extremely popular — no, notorious — throughout the world. Phishing is a type of computer or network security threat that falls under the larger category of threat called social engineering. You can read more about social engineering and phishing in our KnowledgeBase article Security Measures vs Phishing.

Whaling is a security threat that works almost like phishing, except that: in phishing the attack is directed at thousands of users (like a single fishing line thrown into a school fish) with the hope that a number of them will become actual victims instead of just candidate victims; in contrast, a whaling attack is targeted at one high profile user (the big “fish” or whale) who is key to the big secrets under his/her control. The modus operadi is the same, only the count and profile of the targets vary.

Here’s one whaling scenario. John Doe is the CEO of ImaginaryConglomerate, an organization that pays him millions of dollars in salaries and perks. His profile is published in the organization’s website. Joe Scammer, a whaling expert, learns from the ImaginaryConglomerate website that John Doe loves to play golf. Mr. Scammer also learns from other sources that John is not that good in golf and often gets to pay for the beer after games with buddies at the club. From these bits of information, Mr. Scammer crafts a clever whaling message and sends it to Mr. Doe’s computer. For the sake of simplicity, let’s just say the message is worded like this: “Impress the ladies and gentlemen in the fairway with your winning drives and putts. This jealously guarded ebook ‘Golf Secrets PGA Champs Won’t Tell You’ is available to a lucky few only — and for a very limited time … so limited that the offer expires within the next 12 hours. Click this link now.”

Not all people fall for this type of message. But who knows John Doe just might. After all, his being top executive at ImaginaryConglomerate has not helped him mend his shattered ego at the golf club. But unknown to him, clicking the link redirects to Mr. Scammer’s website and will ask him for his credit card number (along with other juicy bits of sensitive information) in exchange for a copy of the jealously guarded ebook. Or worse… clicking the link might actually activate malware that has surreptitiously slipped into his computer and compromise the security of his company’s entire system because of his high-level access privileges.

John Doe has just been socially engineered through a technique called whaling.

To avoid falling prey to whaling, it helps to educate high profile users like John Doe on the existence of whaling and other social engineering attacks. It helps even more to have regular security audits on executive’s computers to make sure they are free of malware and other threats that could be triggered by actions suggested in a whaling message.

The first paragraph of this post says that whaling is different from the controversial business of catching whales for profit. On second thought, the two may in fact be similar.