Cygilant Blog

Spearphishing and Whaling: How Email Verification Can Save Companies Millions

Posted by Kevin Landt on Jul 1, 2016



Phishing attacks, a topic EiQ has previously discussed, remain one of the chief causes of data breaches. Even small businesses find themselves on the receiving end of these scam emails, which are designed to trick readers into taking actions that compromise their cybersecurity. Spearphishing and whaling accomplish the same ends with even more devious and targeted tactics. Here's how they work, and how you can protect yourself and your business.


Phishing becomes spearphishing when the deceptive email is targeted at a particular recipient. Instead of sending a generic bogus email to any and all receivers, criminals tailor a message for a specific individual or organization.

Unit 61398

In May 2014, the Department of Justice indicted five members of the Chinese military for hacking into several large U.S. corporations using, among other techniques, spearphishing and whaling. These individuals were believed to be part of the secretive Unit 61398. In 2015, China finally admitted to conducting cyber attacks, but the Unit 61398 case is currently ongoing, so the full story has yet to conclude. However, the indictment provides a great deal of information about the Chinese defendants' alleged spearphishing and whaling efforts.


According to an overview section of the indictment, "the co-conspirators used e-mail messages known as 'spearphishing' messages to trick unwitting recipients into giving the co-conspirators access to their computers. Spearphishing messages were typically designed to resemble e-mails from trustworthy senders, like colleagues, and encouraged the recipients to open attached files or click on hyperlinks in the messages. However, the attached or linked files, once opened, installed 'malware'—malicious code—that provided unauthorized access to the recipient's computer."


One company that was tricked was U.S. Steel, the largest steel business in the country. According to the court document, "Defendant SUN sent a spearphishing e-mail purporting to be from U.S. Steel's Chief Executive Officer to approximately 20 U.S. Steel employees [...] The e-mail contained a link to malware, which some of the recipients clicked on, installing malware on computers located in the Western District of Pennsylvania and providing Defendant SUN and his co-conspirators with backdoor access to U.S. Steel's computers."


The defendant's email appeared to come from the company's CEO, which is what puts the "spear" in this phishing attack. The compromise was particularly bad for U.S. Steel since they were in competition with Chinese steel manufacturers.


A spearphishing attack targeting a high-level executive is known as a whaling attack.


According to the indictment, the Chinese hackers used whaling against aluminum producer Alcoa Inc: "Defendant SUN targeted senior Alcoa managers with spearphishing messages designed to trick the recipients into providing SUN with access to the company's computers."


Because senior managers were targeted, this case is an example of whaling. It was particularly problematic for Alcoa because they had just announced a partnership with a Chinese state-owned aluminum company. The attack led to the Chinese military gaining remote access to Alcoa's computers.

Email Verification Techniques

What could U.S. Steel or Alcoa have done to protect themselves? Education would have been the most important step. Companies should hold training sessions to educate employees about phishing, and teach them to use phone calls to verify suspicious emails.


But digital security tools are also available. Employees can use email verification websites to check if an address from which a message is sent actually exists on a server somewhere. However, such websites can only accomplish so much, and cannot be fully trusted. If a real digital solution is sought, companies should use public key encryption to authenticate emails. Unfortunately, implementing public key encryption company-wide can be prohibitively complex. Overall, training sessions that educate employees about spotting suspicious emails are still the most effective and feasible approach.
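As an added illustration (not code from the original post), the following Python sketch shows an automated sender check for a message that claims to come from an executive, as in the U.S. Steel case above. It goes beyond the article by reading the SPF/DKIM/DMARC verdicts a receiving mail server records in the `Authentication-Results` header, which the article does not name; the domain `example-steel.test`, the executive name and the sample messages are assumptions constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example; neither appears in the article.
ORG_DOMAINS = {"example-steel.test"}
EXECUTIVES = {"jane doe"}

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.
    Only trust this header when your own receiving mail server added it."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:   # first field is the server id
            method, _, rest = clause.strip().partition("=")
            if method in ("spf", "dkim", "dmarc") and rest.split():
                verdicts[method] = rest.split()[0].lower()
    return verdicts

def assess(raw):
    """Return a list of reasons to verify the message out of band."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if " ".join(name.lower().split()) in EXECUTIVES and domain not in ORG_DOMAINS:
        findings.append("executive display name on external domain")
    if domain in ORG_DOMAINS and auth_results(msg).get("dmarc") != "pass":
        findings.append("internal sender domain without DMARC pass")
    return findings

# Constructed sample messages (not real traffic).
LOOKALIKE = (
    'From: "Jane Doe" <jane.doe@mail-example.test>\n'
    "Subject: Please review\n\nSee the link.\n")
FORGED_INTERNAL = (
    "Authentication-Results: mx.example-steel.test; spf=fail; dkim=none;\n"
    "\tdmarc=fail header.from=example-steel.test\n"
    "From: Jane Doe <jane.doe@example-steel.test>\n\nSee the link.\n")
GENUINE = (
    "Authentication-Results: mx.example-steel.test; spf=pass; dkim=pass;\n"
    "\tdmarc=pass header.from=example-steel.test\n"
    "From: Jane Doe <jane.doe@example-steel.test>\n\nAgenda attached.\n")

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("forged", FORGED_INTERNAL),
                       ("genuine", GENUINE)]:
        print(label, assess(raw))
```

A non-empty result is a prompt for the phone-call verification recommended above, not proof of an attack; an empty result does not rule out a compromised internal mailbox.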


Whatever cyber defences are chosen, protecting against phishing is only an endpoint security measure. Companies should also investigate network security solutions such as managed security services, which can catch unusual activity on network servers and fix any vulnerabilities before a widespread attack can take place.


More and more, organizations that were previously understaffed, underbudgeted, and overwhelmed are finding that EiQ’s managed security services that combine the best people, process, and technology are a welcome change from going it alone. EiQ is transforming how mid-market organizations build enterprise-class security programs. Acting as an extension of our customers’ IT teams, EiQ’s SOCVue provides continuous security operations based on best-of-breed technology at a fraction of the cost of alternative solutions. EiQ is a trusted advisor to organizations that need to improve their IT security and compliance posture by protecting their infrastructure against cyber threats and vulnerabilities.



Tags: Cyber Attack, Cybersecurity, InfoSec, Phishing, Whaling, Email
