Journal of Information Technology
Protecting a whale in a sea of phish
Document Type
Research Article
Abstract
Whaling is one of the most financially damaging, well-known, and effective cyberattacks employed by sophisticated cybercriminals. Although whaling largely consists of sending a simplistic email message to a whale (i.e. a high-value target in an organization), it can result in large payoffs for cybercriminals, in terms of money or data stolen from organizations. While a legitimate cybersecurity threat, little information security research has directed attention toward whaling. In this study, we begin to provide an initial understanding of what makes whaling such a pernicious problem for organizations, executives, or celebrities (e.g. whales), and those charged with protecting them. We do this by defining whaling, delineating it from general phishing and spear phishing, presenting real-world cases of whaling, and providing guidance on future information security research on whaling. We find that whaling is far more complex than general phishing and spear phishing, spans multiple domains (e.g. work and personal), and potentially results in spillover effects that ripple across the organization. We conclude with a discussion of promising future directions for whaling and information security research.
DOI
10.1177/0268396220918594
Recommended Citation
Pienta, Daniel; Thatcher, Jason Bennett; and Johnston, Allen (2020) "Protecting a whale in a sea of phish," Journal of Information Technology: Vol. 35: Iss. 3, Article 11.
DOI: 10.1177/0268396220918594
Available at: https://aisel.aisnet.org/jit/vol35/iss3/11