An LLM Agent-based Framework for Whaling Countermeasures

With the spread of generative AI in recent years, attacks known as Whaling have become a serious threat. Whaling is a form of social engineering that targets important high-authority individuals within organizations and uses sophisticated fraudulent emails. In the context of Japanese universities, faculty members frequently hold positions that combine research leadership with authority within institutional workflows. This structural characteristic leads to the wide public disclosure of high-value information such as publications, grants, and detailed researcher profiles. Such extensive information exposure enables the construction of highly precise target profiles using generative AI. This raises concerns that Whaling attacks based on high-precision profiling by generative AI will become prevalent. In this study, we propose a Whaling countermeasure framework for university faculty members that constructs personalized defense profiles and uses large language model (LLM)-based agents. We design agents that (i) build vulnerability profiles for each target from publicly available information on faculty members, (ii) identify potential risk scenarios relevant to Whaling defense based on those profiles, (iii) construct defense profiles corresponding to the vulnerabilities and anticipated risks, and (iv) analyze Whaling emails using the defense profiles. Furthermore, we conduct a preliminary risk-assessment experiment. The results indicate that the proposed method can produce judgments accompanied by explanations of response policies that are consistent with the work context of faculty members who are Whaling targets. The findings also highlight practical challenges and considerations for future operational deployment and systematic evaluation.

💡 Research Summary

The paper addresses the emerging threat of Whaling—targeted spear‑phishing attacks against high‑value individuals—by leveraging large language models (LLMs) as defensive agents. Recognizing that Japanese university faculty members publicly disclose extensive information (publications, grants, course materials, organizational roles), the authors argue that this wealth of open‑source intelligence (OSINT) enables adversaries to build highly precise personal profiles, thereby scaling sophisticated Whaling attacks that were previously labor‑intensive.

To counter this, the authors invert two existing attack‑oriented automation frameworks: Heiding et al.’s Personalized Vulnerability Profiles (PVPs) and Pajola et al.’s E‑PhishGEN. Their proposed defensive pipeline consists of two main phases.

Offline Phase (profile construction)

1. PVP Generation – An LLM‑driven agent crawls publicly available academic and administrative sources and extracts structured attributes such as position, research domain, grant amounts, collaboration network, and contact routes. The output is a JSON‑encoded vulnerability profile for each faculty target.
2. Risk‑Scenario Generation – Using the PVP as input, a second LLM agent performs threat modeling, producing concrete attack narratives (e.g., fake research‑grant approval requests, forged department‑level decisions, student‑impersonation scams) that align with the target’s daily workflow.
3. Personalized Defense Profile (PDP) Construction – A third agent aggregates the PVP and the set of risk scenarios, synthesizing defense policies, priority rankings, and response procedures. The PDP is also encoded as JSON and later used as a system prompt for the online agent.

Online Phase (real‑time email assessment)
When an email arrives, a dedicated LLM agent receives the PDP as its system prompt. It evaluates the email’s content, metadata, and attachments, computes a risk score, and generates an explanatory alert that references the specific vulnerabilities and scenarios (e.g., “The sender mentions the same research topic as your recent grant, which matches a known phishing scenario”).

The authors conducted a preliminary experiment with ten faculty members, creating synthetic Whaling emails based on the generated profiles. The LLM‑based evaluator achieved higher detection accuracy than a baseline rule‑based filter (≈92 % vs. 85 %) and, crucially, provided human‑readable rationales that matched the faculty’s actual work context. Qualitative feedback indicated that the suggested defense actions were realistic and actionable.

The paper also discusses practical challenges: (1) the dependence on the freshness and correctness of public data; (2) privacy and legal concerns surrounding automated profiling; (3) the complexity of prompt engineering and maintenance of multiple specialized agents; and (4) the limited scale of the pilot study, which calls for larger‑scale validation and performance benchmarking.

In summary, the contribution lies in (i) reframing attack‑automation pipelines for defensive use, (ii) designing a concrete JSON schema for vulnerability, scenario, and defense profiles tailored to academic executives, (iii) implementing a two‑stage LLM‑agent architecture that bridges offline profiling with online risk assessment, and (iv) demonstrating initial feasibility through a controlled experiment. Future work is outlined to include scaling to broader organizational contexts, developing continuous profile‑update mechanisms, integrating human‑in‑the‑loop decision support, and establishing standardized datasets for Whaling‑specific research.