What Is a Whaling Attack and Why Should You Be Worried?

Written by Sydney Butler
Last updated September 28, 2021

You might have heard of phishing and even spear phishing, but what about whaling? Despite these names' nautical themes, they all refer to various types of cyberattacks that aim to hook you as the hapless fish.

Whaling attacks can be particularly dangerous. But before we get into what this is all about, you'll need some background on the other types of online attacks that make up the main parts of whaling.

A Recap on Phishing and Spear Phishing

It's almost certain that you've seen a phishing attack in action in your own daily life. Basically, the attackers send an email to the potential victim, pretending to be someone the target does business with - usually a bank or a popular brand or online service, such as Facebook. The email content will vary, but they all try to trick you into giving up personal information or login credentials.

A common tactic is to put a link in the email that takes you to a fake version of the real website. You try to log in to that fake site with your real credentials, which the attackers then grab and use on the real site.

Spear phishing is a more sophisticated form of phishing. With normal phishing, the attackers don't know who you are. At least not personally. Your email address has simply been scrapped as part of the list. The phishing email is sent out to millions of people, with the hope that some small percentage of those spammed would take the bait.

With spear phishing, the attackers know exactly who they are attacking. This makes it easier for them to fool the target since they can pretend to be someone the person knows. If you're convinced a trusted person is mailing you, your defenses will be down.

Spear phishing is typically used to target people with specific information the attackers want, which isn't necessarily login credentials. The information sought in a spear phishing attack is often itself information that will be used in subsequent attacks on another target.

CEO Fraud Attacks Explained

CEO fraud attacks are related to spear phishing. Here, the attackers pose as an authority figure, such as the CEO or CFO of a company. Often, this is to brow-beat low-ranking employees into making wire transfers into accounts without asking any questions.

It's one of the reasons checks and balances must always be enforced, even if instructions come from a top-ranking person.

The Mechanics of a Whaling Attack

There are two main components to a whaling attack. First of all, there is the "whale" itself. This is a person who is fairly high up in the organization - usually, someone who has the authority to move around and make payments. Alternatively, it might be someone who has access to sensitive information, such as HR records or customer data. Anything that a potential hacker might find valuable.

The second part is the role that the attacker takes on. The trick with whaling is that you have to pretend to be even bigger than your target. So if your target is a senior accounts manager, you should be the VP of accounting, for example.

C-level executives are often impersonated, which is why whaling can be seen as a hybrid of phishing and CEO fraud. However, it stands to reason that hackers would not choose to impersonate someone that the victim would know too well since it would make it easier to detect them.

Before attempting the hunt, the hackers spend much time preparing. They will research both the target and the person they plan to impersonate. Preparation may also involve creating fake websites, spoof email addresses, and anything else they need to fool their mark.

When the attack is executed, it might be elaborate, with multiple stages leading up to the final payoff. Otherwise, it could be a hit and run - a quick email asking for information or transaction approval, which is designed not to raise any alarms because of how plausible and common the request is.

How to Spot a Whaling Attack?

Whaling attacks are tougher to spot than regular phishing attacks because of how much research the attackers put into it, which means that the main warning signs are technical in nature. That is, the email address will be spoofed. Any links to external sites are likely to be fake as well.

On the social engineering side, the email might have strange language use or feel weird somehow within the existing corporate culture. New C-level executives might be at higher risk of impersonation since current employees don't know them well enough to spot when something is off. A new senior from outside the company might not yet know standard procedures or how email communication is typically handled, which helps disguise an attacker's lack of insider knowledge.

How to Prevent and Deal With Whaling Attacks

So how can you mitigate against whaling attacks? The first and most important step is cybersecurity training for key seniors who are likely to be targeted. Provide them with a checklist of things to review from a technical standpoint whenever they are asked to move money or hand over sensitive information that should not be public.

Flagging outside emails automatically can help prevent spoofed addresses from fooling targets in the organization as well. Emails that contain URLs should also have warnings attached to them.

There should also be a two-factor process for certain sensitive requests. This can be as simple as a phone call to the person to confirm that they did indeed send the message. More sophisticated methods, such as communication over private encrypted chat, can also be used to ensure that whaling emails won't just be obeyed without question.

People who are likely to be impersonated, such as C-suite executives, should also be trained in good privacy habits, such as limiting what they share on social media. As always, it's people - and not technology - that prove to be the largest security weakness.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: