"Whaling" email attacks: How to foil them

You receive an email that appears to be from the Bishop, or your clergy person, asking you to take some kind of action – click a link, download an attachment, wire money to a specified account, purchase gift cards and reply with the serial numbers, or simply to reply quickly, like the one I received recently:

Watch out – it could be a form of email “phishing” known as “whaling.”

Whereas “phishing” involves sending a fraudulent email to a large group of people in the hope that a few will respond, “whaling” involves forging communications that look like they’re from the “big phish” in an organization, i.e. the “whale.” For us, this usually means the Bishop or a clergy person, although it could be someone else in authority.

Because these emails are usually crafted more carefully than your standard “phishing” email, they can be more difficult to detect.

We here at Episcopal House have received multiple emails claiming to be from first Bishop Mark, then Bishop Carlye. Sometimes, the clergy and other members have received them as well. A few people have even received text messages purporting to be from the Bishop. There have also been instances of emails sent to church members purporting to be from their own clergy.

Unfortunately, it’s difficult to stop “whaling” attacks. The email accounts in question have not been hacked. Instead, they are being “spoofed” – that is, a fraudulent email account is configured so that, at first glance, it looks like the legitimate one. Even if you block the fraudulent address, the attackers will just use another. The same goes for text messages from fraudulent phone numbers. It’s like playing “whack-a-mole.”

You can’t stop the senders of “whaling” emails, but what you can do – which is entirely free – is educate the potential recipients. Here are two simple guidelines to help potential recipients avoid being tricked:

Verify the “from” email

The malicious actors behind “whaling” attacks are counting on people springing into action as soon as they see an important name on an email. You can outsmart them by looking beyond the name and checking the “from” email address to see if it matches what you know the alleged sender’s email to be.

If you look at the header info of the email shown above, it’s obvious that the “from” email is nothing like the Bishop’s actual email, which will always use “dioceseofnewark.org.”

If only a name is shown, hover the cursor over it to display the underlying “from” email address.

Confirm requests with a conversation

Even if the email or text seems legit, if a request seems even remotely “off,” don’t act on it until you confirm it with a phone call or face-to-face conversation.

In the case of an alleged message from the Bishop, you may want to reach out to her staff, using their contact info in the Staff Directory. Don’t reply to the suspicious email or text.

Observing these two steps will go a long way in identifying and avoiding “whaling” attacks before they get their hooks in you.

Update 10/9/2019:

Be alert also for emails that appear to have a legitimate "from" address but also have a different "reply-to" address, such as this example:

[Image: phishing email]

As stated above, never reply to a suspicious email or text, but instead confirm any request with a conversation by phone or in person.
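The two header checks described above (verify the actual “from” address rather than the display name, and watch for a “reply-to” that differs from “from”) can be applied automatically before a message ever reaches a person. The following Python script is an added example, not code from the diocese; the sample messages and the addresses in them are constructed, and the only value taken from the article is the trusted domain dioceseofnewark.org.

```python
import email
from email.utils import parseaddr

# The article says the Bishop's real address will always use this domain.
TRUSTED_DOMAIN = "dioceseofnewark.org"


def _domain(addr):
    """Lower-cased part after '@' of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower()


def check_headers(raw_message, trusted_domain=TRUSTED_DOMAIN):
    """Return a list of warnings for one message's From / Reply-To headers.
    The actual From address (not just the display name) must be on the trusted
    domain, and a Reply-To, if present, must point at the same domain as From.
    """
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    warnings = []
    if from_domain != trusted_domain:
        warnings.append(f"From address {from_addr!r} (display name {from_name!r}) "
                        f"is not on {trusted_domain}")
    if reply_addr and _domain(reply_addr) != from_domain:
        warnings.append(f"Reply-To {reply_addr!r} does not match From domain "
                        f"{from_domain!r}")
    return warnings


# Constructed sample messages; every address here is hypothetical.
SPOOFED_FROM = """From: Bishop Carlye <bishop.carlye@example-mail.invalid>
Subject: Quick favor - are you available?
"""
REPLY_TO_MISMATCH = """From: Bishop Carlye <sender@dioceseofnewark.org>
Reply-To: bishop.office@example-mail.invalid
Subject: Gift cards
"""
LEGIT = """From: Bishop Carlye <sender@dioceseofnewark.org>
Subject: Staff meeting
"""

if __name__ == "__main__":
    for label, raw in [("spoofed From", SPOOFED_FROM),
                       ("Reply-To mismatch", REPLY_TO_MISMATCH), ("legit", LEGIT)]:
        print(label, "->", check_headers(raw) or ["no header warnings"])
```

A message that passes both checks still deserves the article's second guideline: confirm any unusual request by phone or in person, never by replying.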
