What is whale phishing?


Whale phishing (also called whaling) is a type of phishing attack in which the cyberattacker's target is a high-profile executive in an organization.

Because of the victim's status, access to valuable information, and authority to approve payments and data transfers, hackers consider the executive a "big phish" or a "whale."

Let's explore phishing and whale phishing and their effects on covered entities (CEs) within the healthcare industry. This blog will then conclude with the importance of a strong cybersecurity program that safeguards protected health information (PHI).

The risks of phishing

Phishing is a malicious attempt to trick people into taking an action they would not knowingly take, such as opening an attachment, following a link, entering credentials, or approving a payment. It is a popular tool because employees of any organization are seen as the weakest link, especially within stressful industries like healthcare.

RELATED: Phishing Attacks Wreck Havoc on Healthcare Providers

Types of phishing include business email compromise (BEC), clone phishing (a copy of a legitimate message with its link or attachment swapped for a malicious one), vishing (over the phone), smishing (over text), snowshoeing (spam spread across many sending addresses and domains to stay under reputation filters), and of course whale phishing.

Email remains the number one threat vector used by cyberattackers, which makes email phishing the most well-known form.

Malware (or malicious software) is typically delivered to victims through phishing emails, sent en masse through spam or to targeted individuals through spear phishing.

For the latter, threat actors use social engineering (often informed by the target's social media profiles) to convince someone to open an attachment or install software, programs, or apps, thereby executing the malware.

The healthcare industry is particularly susceptible because of its valuable data (i.e., PHI) combined with overworked employees, the reliance on connected medical and smart devices, and the continued use of outdated computer systems.

RELATED: HIPAA Breach Report for November 2020

Initially, phishing emails were easy to spot; today, however, hackers create well-crafted messages. Targeted phishing schemes can trick even the most security-conscious user.

In fact, Verizon's 2020 Data Breach Investigations Report lists phishing as one of the top threat actions seen in breaches.

What is whale phishing?

Whale phishing uses the same targeted tactics as spear phishing. It is similar to BEC in that both types of attack involve executives; the difference is that in BEC the attacker impersonates the executive to trick staff, whereas in whale phishing the executive is the victim.

Hackers consider high-profile employees more profitable. CE executives generally have access to more information (including where PHI is stored) on their computers, or at least hold elevated privileges on their networks and the authority to approve wire transfers.

Even though these higher-ups may have more security awareness than other staff, tricking one means a bigger payoff.

Last year, the Children's Hospital of Eastern Ontario faced a BEC/whale phishing attack, but staff were suspicious due to a similar whaling scam on the City of Ottawa a month earlier. According to the hospital's chief executive, Alex Munter, "Our finance dept is now getting a couple emails weekly from fake me. So they're ignoring my electronic messages and doing friendly visits instead."

Unfortunately, not all CEs respond as such. This is why it is important to focus on prevention and protection against all types of phishing.
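The "fake me" emails above are the classic executive-impersonation pattern: the display name belongs to the CEO, but the message comes from a free webmail account, a lookalike domain, or a sender whose Reply-To quietly points somewhere else. As an added example (not Paubox code or part of the original post), the script below runs those three header checks over a few constructed messages. The organization domain, the list of executive names, and the sample messages are all assumptions for the illustration.

```python
"""Flag inbound mail that impersonates a known executive.

Added example for this post, not Paubox code. It assumes a directory of
executive display names, the organization's own domain, and already-parsed
From/Reply-To headers; the sample messages below are constructed.
"""
import re
from email.utils import parseaddr

ORG_DOMAIN = "example-hospital.org"        # assumed: the hospital's real domain
EXECUTIVES = {"alex munter", "jane doe"}   # assumed: names an attacker would borrow

# Character swaps commonly used in lookalike domains (fake, genuine).
CONFUSABLES = [("rn", "m"), ("0", "o"), ("1", "l"), ("vv", "w")]


def _norm(name: str) -> str:
    """Lower-case a display name and strip punctuation for comparison."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def _domain(addr: str) -> str:
    """Return the domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(domain: str, real: str) -> bool:
    """True when `domain` is one edit away from `real` or differs only by a
    confusable substitution (e.g. exarnple for example). The real domain
    itself is never a lookalike."""
    if not domain or domain == real:
        return False
    for fake, good in CONFUSABLES:
        if domain.replace(fake, good) == real:
            return True
    return _edit_distance(domain, real) == 1


def impersonation_flags(headers: dict) -> list:
    """Return a list of reasons this message looks like exec impersonation."""
    name, addr = parseaddr(headers.get("From", ""))
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    from_dom = _domain(addr)
    flags = []
    if _norm(name) in EXECUTIVES and from_dom != ORG_DOMAIN:
        flags.append("exec display name from external domain")
    if _lookalike(from_dom, ORG_DOMAIN):
        flags.append(f"lookalike sender domain {from_dom}")
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append("Reply-To domain differs from From domain")
    return flags


# Constructed sample headers: one legitimate message and three impersonations.
SAMPLE_MESSAGES = [
    {"From": "Alex Munter <amunter@example-hospital.org>"},
    {"From": "Alex Munter <alex.munter.ceo@gmail.com>"},
    {"From": "Alex Munter <amunter@exarnple-hospital.org>"},
    {"From": "Accounts Payable <ap@example-hospital.org>",
     "Reply-To": "ap@mail-example.net"},
]


def scan(messages: list) -> dict:
    """Map message index -> flags for every message that raised at least one."""
    return {i: f for i, m in enumerate(messages) if (f := impersonation_flags(m))}


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_MESSAGES).items():
        print(f"message {idx}: {'; '.join(reasons)}")
```

These are header heuristics for the mail gateway or a mailbox rule, and they complement rather than replace SPF, DKIM, and DMARC: an attacker spoofing the exact hospital domain is caught by domain authentication, while the display-name and lookalike cases above pass authentication for the attacker's own domain and need a check like this. Treat a hit as a reason to quarantine or to verify by phone, as the CHEO finance team did, not as proof on its own.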

The importance of strong cybersecurity

Having a solid cybersecurity program that includes email security is the most effective way to reduce the risk of a breach and, ultimately, of a HIPAA violation.

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that, among other things, sets standards for protecting PHI. CEs that experience a breach and have not followed HIPAA requirements may be found noncompliant and face a substantial HIPAA fine.

RELATED: Aetna Pays $1M to Settle Three HIPAA Breaches

Organizations should first focus their cybersecurity plan on employee awareness training. Training must be continuous, up to date, and regularly tested (for example, with simulated phishing). Employees should know how to identify a phishing email and how to report one.

Second, CEs must utilize a HIPAA compliant email solution that blocks phishing emails from even reaching an inbox.

Paubox Email Suite Premium provides this needed inbound security along with protection against domain name spoofing. It also comes with email archiving which is a crucial part of any business continuity plan.

And beyond these, CEs should ensure up-to-date, patched hardware and software, endpoint antivirus protection, and a firewall, among other things.

Even executives with cybersecurity knowledge need some added protection. Don’t let someone in your organization become a victim of whale phishing; give them the necessary cyber backup so that they can do their job effectively.


About the author

Kapua Iao