What is a whaling attack (whaling phishing)?

How whaling attacks work

The goal of a whaling attack is to trick an individual into disclosing personal or corporate information through social engineering, email spoofing and content spoofing efforts. For example, the attackers might send the victim an email that appears to be from a trusted source; some whaling campaigns include a customized malicious website created especially for the attack.

Whaling attack emails and websites are highly customized and personalized, and they often incorporate the target’s name, job title or other relevant information gleaned from a variety of sources. This level of personalization makes it difficult to detect a whaling attack.

Whaling attacks often depend on social engineering techniques, as attackers send hyperlinks or attachments to infect their victims with malware or solicit sensitive information. By targeting high-value victims, especially CEOs and other corporate officers, attackers might also induce them to approve fraudulent wire transfers using business email compromise techniques. In some cases, the attacker impersonates the CEO or other corporate officers to convince employees to carry out financial transfers.

These cyberattacks can fool victims because attackers are willing to spend more time and effort constructing them due to their potentially high returns. Attackers often use social media platforms, such as Facebook, Twitter and LinkedIn, to gather personal information about their victim to make the whaling phishing attack more plausible.

5 ways to protect against whaling phishing

Defending against whaling attacks involves a mix of employee security awareness, data detection policy and infrastructure. Some best practices for identifying and preventing whaling attacks include the following.

1. Employee awareness

Preventing any type of cybersecurity threat requires every employee to take responsibility for protecting the company’s assets. In the case of whaling phishing, all employees — not just high-level executives — must be trained about these attacks and how to identify them. Although high-level executives are the targets, lower-level employees could indirectly expose an executive to an attack through an email security lapse. Employees should know what social engineering tactics to look for, such as fake email addresses that mimic a trusted email address. For example, if an employee regularly corresponds with an email address that reads “[email protected],” then the hacker might send a malicious email from “[email protected]” to mimic the trusted correspondent and gain the victim’s trust. Employees should also be wary of requests for money through email.

2. Multistep verification

All requests for wire transfers and access to confidential information or sensitive data should pass through several levels of verification before being permitted. Check all emails and attachments from outside of the organization for malware, viruses and other issues to identify potentially malicious traffic.

3. Data protection policies

Introduce data security policies to ensure emails and files are monitored for suspicious network activity. These policies should provide a layered defense against whale phishing and phishing scams in general to decrease the chances of a data breach occurring at the last line of defense. One such policy might involve monitoring emails for indicators of phishing attacks and automatically blocking those emails from reaching potential victims.

Indicators of a potential phishing email include the following:

• The display or domain name differs slightly from the trusted address.
• The email body contains requests for money or information.
• The domain age doesn’t match the domain age of the trusted correspondent.

4. Social media education

As an extension of employee awareness, make high-level executives aware of social media’s potential role in enabling a whaling attack. Social media contains a wealth of information that cybercriminals can use to craft social engineering attacks like whale phishing. Executives can limit access to this information by setting privacy restrictions on their personal social media accounts. CEOs are often visible on social media in ways that telegraph behavioral data that criminals can mimic and exploit.

5. Anti-phishing tools and organizations

Many vendors offer anti-phishing software and managed security services to help prevent whaling and other phishing attacks. However, social engineering tactics remain prevalent because they focus on exploiting human error, which exists with or without cybersecurity technology.

The Anti-Phishing Working Group (APWG) is an organization dedicated to cybersecurity and phishing research and prevention. It provides resources for companies affected by phishing and conducts research to provide information on the latest threats. Companies can also report a suspected threat to APWG for analysis.

Differences among phishing, whaling phishing and spear phishing

Phishing attacks, whaling phishing attacks and spear phishing attacks are often confused. All are online attacks targeting users to gain sensitive information or to use social engineering to coax the victim into taking some harmful action.

A whaling attack is a special form of spear phishing that targets specific high-ranking victims within a company. Spear phishing attacks can target any specific individual. Both types of attack generally require more time and effort on the part of the attacker than ordinary phishing attacks.

Phishing is a broader term that covers any attack that tries to fool a victim into taking action, including sharing sensitive information, such as usernames, passwords and financial records for malicious purposes; installing malware or ransomware; or completing a fraudulent financial payment or wire transfer.

While ordinary phishing email attacks usually involve sending emails to a large number of individuals without knowing how many emails will be successful, whaling email attacks usually target one specific individual at a time — typically a high-ranking individual — with highly personalized information.

Examples of whaling attacks

In 2016, the Belgian Crelan Bank lost $75 million in a whaling attack centering on CEO fraud, when its CEO was whaled during a routine internal audit. The attack was an example of CEO fraud.

In a more recent example, Australian hedge fund Tessian lost $8.7 million in 2020 when hackers sent out a fake Zoom invitation — a technique that flourished during the COVID-19 pandemic — and one of the fund’s co-founders opened it. The bogus Zoom invitation installed a malicious link that created fake invoices in the fund’s email system.

In 2024, a human resources executive at Pune IT was duped into purchasing more than $11,000 worth of Apple gift cards for all the company’s employees by cybercriminals posing as the company’s CEO.

Fast Company predicted an increase in whaling attacks in 2024, citing the Okta attack, in which hackers accessed customers’ uploaded browser files. The magazine explained that the increase is a result of breakthroughs in new technologies that can penetrate multifactor authentication. Fast Company also predicted increases in spear phishing due to artificial intelligence.

According to David Fine, supervisory special agent at the FBI, people are the key to both carrying out and defending against phishing attacks.