Comment by Richard Werner, Business Consultant at Trend Micro
“Whaling” is all about the big catch. Cybercriminals target executives of successful companies, high-ranking officials and the military, aiming to steal information or siphon off large sums of money. Harpoon whaling, a subtype of whaling, is particularly insidious: the attackers gather extensive information about their victims automatically and rank them using nested AI processes to achieve maximum efficiency.
- “Dear Georg, An enthusiastic thank you for the irresistible job offer and the documents sent – I can’t wait to become part of your visionary team. Your words have touched me deeply and I look forward to achieving great things together. With a radiant smile, Susanne.”
Would you have noticed straight away that this text was entirely AI-generated? Harpoon Whaling is a targeted and highly sophisticated form of AI-powered social engineering. Typically, the scammers use urgently worded emails enriched with personalised information about the high-profile victim. This information is no longer limited to work-related data: the criminals are increasingly modelling their tactics on those of romance scammers. They use subtle (romantic) signal markers, such as the gender the victim prefers or the voice types the victim finds attractive, to manipulate the target. If they succeed, the “whale” may even fall in love with an AI-generated profile.
Whale spotted! – AI-powered whaling attacks threaten CEOs, MPs and the military
AI-powered tools for information gathering, text generation and data management make such attacks far more efficient. The fraudsters can produce deceptively personalised texts in a short time and with very little effort, and simultaneous whaling attacks on hundreds of executives are no problem with this method. To understand why Harpoon Whaling is so effective, one must first compare its methodology with other phishing variants.
Diving deep – how Harpoon Whaling differs from Phishing
In traditional phishing attacks, malicious actors send phishing emails to as many people as possible. Although this type of attack is easily scalable, its profit and likelihood of success are low compared to more elaborate attacks. Whaling, on the other hand, involves sending a very credibly worded email to one specific high-ranking person in order to steal large amounts of money or important information. To do this, the fraudsters research their victims before the attack, first in detail by target group and later on a person-specific basis. Attackers interested in financial gain research targets in the financial industry, while those targeting government affairs often select high-ranking officials. This type of fraud, however, requires a lot of manual labour, human judgement and manual intervention.
With harpoon whaling, on the other hand, both information gathering and text generation are highly automated, for example through AI-powered tools. This increases the efficiency, and therefore the threat, of such attacks enormously. AI tools such as ChatGPT allow the personalised messages of whaling attacks to be combined with the scalability of phishing attacks. As a result, this method can be expected to be used much more frequently than before. It also expands the pool of perpetrators, as the technology enables more people to carry out such attacks.
Can AI-supported harpooning be efficiently defended against?
AI tools such as ChatGPT make it possible to run the whaling process on several nested levels of automation. For example, the criminals generate particularly manipulative “signal words” and assign them to specific groups of people. Such a system can also exploit identified similarities between targets, identify and prioritise exploitable behaviours according to the expected payout, and continuously adapt the whaling messages. ChatGPT can adaptively coordinate a chain of messages that increases in emotional intensity while remaining consistent with the content of previous messages. In this way, coherent and at the same time (romantically) escalating conversations can be simulated across multiple contacts at once.
Harpoon Whaling also often uses a pre-trained generative AI language model, which makes it possible to attack several curated distribution lists simultaneously. Such lists consist of many executives or high-ranking officials, for example “all bank executives”, “all high-ranking police officers” or “all politicians of country X”.
Because these attack variants are new, most traditional defence methods will not catch them. Executives, as the group most targeted by these attacks, are advised to defend themselves with several combined approaches.
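The sample email above shows why a polished body text is no longer a tell. One check that still works regardless of how fluent the wording is looks at the metadata around the message instead: an executive's display name paired with an address that is not that executive's, a look-alike sender domain, a Reply-To that diverges from From, a sender the recipient has never corresponded with, and urgency or payment cues. The following scorer is an added example written for this page, not code from the article or from Trend Micro; the internal domain, executive directory, point values, thresholds and both sample messages are constructed assumptions, and the scorer is one heuristic layer rather than the broader risk management the article goes on to describe.

```python
"""Whaling-indicator scorer for inbound mail.

Added example, not code from the original article or from Trend Micro. It
scores a message on signals that a fluent, AI-written body does not remove:
an executive's display name paired with an address that is not that
executive's, a look-alike sender domain, a Reply-To that diverges from From,
first contact from an unseen sender, and urgency or payment cues in the text.
The organisation data and both sample messages are constructed for the
example.
"""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List, Optional

# Hypothetical organisation data (constructed for the example).
INTERNAL_DOMAINS = {"example-bank.com"}
EXECUTIVES = {"georg meier": "georg.meier@example-bank.com"}

URGENCY = re.compile(r"\b(urgent|immediately|today|asap|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|payment|iban|gift card)\b", re.I)


@dataclass
class Message:
    from_header: str
    subject: str
    body: str
    reply_to: Optional[str] = None
    previously_seen_sender: bool = False


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(domain: str) -> bool:
    """True for an external domain whose first label mimics an internal one,
    e.g. example-bank.co or examp1e-bank.com when example-bank.com is internal."""
    if domain in INTERNAL_DOMAINS:
        return False
    label = domain.split(".")[0]
    return any(_edit_distance(label, d.split(".")[0]) <= 1 for d in INTERNAL_DOMAINS)


def score_message(msg: Message) -> Verdict:
    """Accumulate points and human-readable reasons for each indicator hit."""
    v = Verdict()
    name, addr = parseaddr(msg.from_header)
    sender_domain = _domain(addr)

    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        v.add(4, f"display name '{name}' is an executive but address is {addr}")
    if _lookalike(sender_domain):
        v.add(3, f"look-alike sender domain {sender_domain}")
    if msg.reply_to:
        reply_domain = _domain(parseaddr(msg.reply_to)[1])
        if reply_domain != sender_domain:
            v.add(2, f"Reply-To domain {reply_domain} differs from From domain")
    if not msg.previously_seen_sender:
        v.add(1, "first contact from this sender")
    text = f"{msg.subject}\n{msg.body}"
    if URGENCY.search(text):
        v.add(1, "urgency wording")
    if PAYMENT.search(text):
        v.add(2, "payment or transfer request")
    return v


def classify(msg: Message) -> str:
    """Map the score to an action; the thresholds are an assumption to tune."""
    s = score_message(msg).score
    return "block" if s >= 6 else "review" if s >= 3 else "deliver"


# Constructed samples: a whaling attempt and a genuine internal mail.
WHALING_SAMPLE = Message(
    from_header="Georg Meier <georg.meier@example-bank.co>",
    reply_to="georg.meier@secure-mailbox.net",
    subject="Confidential: transfer needed today",
    body="Dear Susanne, I am in a board meeting and cannot call. Please wire "
         "the attached invoice amount immediately; I will explain later. Georg",
)
LEGIT_SAMPLE = Message(
    from_header="Georg Meier <georg.meier@example-bank.com>",
    subject="Board deck for Thursday",
    body="Dear Susanne, the updated slides are on the shared drive. Georg",
    previously_seen_sender=True,
)

if __name__ == "__main__":
    for sample in (WHALING_SAMPLE, LEGIT_SAMPLE):
        verdict = score_message(sample)
        print(classify(sample), verdict.score, verdict.reasons)
```

The constructed whaling sample scores 13 and is blocked on five header and relationship signals plus the wording; the genuine mail scores 0. The weights deliberately put most of the points on the identity mismatches, because those survive however convincingly the body is written, whereas the keyword lists alone would miss the friendly, non-urgent tone of the romance-style message quoted earlier.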
Security service providers such as Trend Micro can assist in this defensive battle. They apply security approaches such as proactive, comprehensive risk management and Zero Trust in a targeted and effective manner. Particularly high-risk behaviours can be attributed to individuals, making it possible to predict which executives are most vulnerable to these types of attacks. With new technology, the conversation patterns of those most at risk can be analysed to determine where protective measures and executive training are most needed. So whalers don’t stand a chance.