Whaling Phishing: 4 Important Things To Know in 2020


Whaling is a form of phishing aimed at senior executives and other people in positions of power within an organization. Attackers pick their "whales" on the basis of seniority and authority: the more a person can approve or disclose on their own say-so, the more valuable they are as a target.

The usual targets of whaling attacks are the CEO and CFO of an organization. According to figures cited at the time, organizations in the US reportedly lost about $215 million to such attacks in 2014, and by 2017 the reported losses had grown by about 200%. At that rate of growth, whaling is clearly on the rise.

  1. What is a Whaling Phishing Attack?
  2. Examples of Whale Phishing Attack
  3. Defending Against Whale Phishing
  4. Whaling Vs Spear Phishing

1. What is a Whaling Phishing Attack?

Let us start with a definition of a whaling email.

Whaling is a phishing technique in which attackers use carefully prepared, individually tailored lures to reach high-profile targets in an organization. Because those targets are usually among the most experienced and security-trained people in the company, attackers know that the generic, mass-mailed phishing template will not work on them.

Whaling is often grouped together with "CEO fraud", because the two overlap: the attacker either targets the executive directly or impersonates the executive to an employee who can move money or data. As in ordinary phishing, the sender's email address is spoofed or imitated, but the message is crafted for one specific, high-value recipient.

The attacker's method is to craft the whaling email so that it appears, to the recipient, to come from someone they know and trust: a colleague, a business partner or another authority. This is social engineering. The message reads as so plausible that the recipient rarely questions its credibility, because the attacker has built it from personal and professional details harvested from the target's social media accounts and other public profiles.

What makes whaling dangerous is the ask. Posing as a trusted contact, the attacker requests sensitive data such as employee payroll records, or asks the recipient to authorize a bank transfer. In some cases the email instead carries a link or attachment that installs malware on the recipient's computer when opened.

2. Examples of Whale Phishing Attack

What makes a whaling email effective is that the attacker has done their homework and writes as someone close to the recipient. Here are a few examples of whaling fraud aimed at top executives, each with the potential to do serious damage to an organization.

  1. A classic example: in 2015 a senior finance executive at Mattel, the toy company, received an email requesting that $3 million be wired to a bank in China. The fraud was executed so well that the executive never doubted the request. A wire of that size required two approvals, the CEO's and the finance executive's; the request appeared to carry the approval of the newly appointed CEO, so the executive saw no reason to suspect it and signed off. Only when the executive later mentioned the transfer to the CEO did the scam come to light: the CEO had never authorized it.
  2. In 2016, staff in Snapchat's payroll department received an email that appeared to come from the CEO, asking them to send payroll information about employees.
  3. In another whaling campaign, top executives across several industries received what purported to be a subpoena from the United States District Court ordering them to appear before a jury in a civil case. The emails included accurate details about the recipients' businesses, giving no reason for suspicion, and asked the recipient to click a link. Those who did had malware installed on their systems.

3. Defending Against Whale Phishing

  1. Educating top officials about whaling is the best pre-emptive defence. Four things the target group needs to know:
  • Check the sender's address, not just the display name. As in ordinary phishing, the address is usually a subtle imitation of a legitimate one, so look for misspellings, swapped characters and look-alike domains.
  • The tone of the email will be urgent, and sometimes threatening, to discourage the recipient from pausing to verify.
  • Any request for money, or to authorize a fund transfer, must be verified through a separate channel (a phone call to a number you already have, not a reply to the email) before it is acted on.
  • Clicking unexpected links or opening unexpected attachments is a strict no.
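The four checks above are exactly the signals an anti-impersonation filter looks for before a message ever reaches the executive. The following is an added example, not code from the original article or any product it mentions, that runs those checks over two constructed messages: a whaling lure and an ordinary internal email. The domain names, addresses, trusted-domain list and the vocabulary lists are assumptions chosen for the illustration.

```python
import email
import re
from email import policy

# Constructed sample messages (not real intercepted mail). The first has the
# hallmarks of a whaling lure: an executive's display name on a look-alike
# domain, a Reply-To that diverts replies, failed SPF/DMARC, urgency, secrecy
# and a wire request. The second is an ordinary internal message.
WHALING_EMAIL = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-relay.example
To: cfo@example-corp.com
Subject: URGENT wire transfer needed today
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com; dmarc=fail
Content-Type: text/plain; charset="utf-8"

I am in a board meeting and cannot take calls. Please wire $250,000 to the
vendor account below immediately and keep this confidential until I confirm.
"""

BENIGN_EMAIL = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Board deck for Thursday
Authentication-Results: mx.example-corp.com; spf=pass dkim=pass dmarc=pass
Content-Type: text/plain; charset="utf-8"

Attached is the revised deck. Comments welcome.
"""

TRUSTED_DOMAINS = {"example-corp.com"}            # assumed: the organisation's own domains
URGENCY_TERMS = ("urgent", "immediately", "right away", "asap", "confidential", "today")
FINANCIAL_RE = re.compile(r"\b(wire|transfer|payment|payroll|w-?2|bank account|account number)\b")
EXEC_TITLE_RE = re.compile(r"\b(ceo|cfo|coo|president|chairman|director)\b", re.I)
# Characters attackers swap for look-alikes in domain names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
HIGH_RISK = {"lookalike_domain", "reply_to_mismatch", "spf_fail", "dkim_fail", "dmarc_fail"}


def levenshtein(a, b):
    """Edit distance; one substitution away is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    normalized = domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    for t in trusted:
        if domain == t:
            return None
        if normalized == t or levenshtein(domain, t) <= 2:
            return t
    return None


def analyze(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of (finding_code, detail) tuples for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    if not msg["From"]:
        return [("missing_from", "")]
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()

    # Check 1: the address behind the display name. Look-alike domains are the whaling staple.
    if from_domain not in trusted:
        target = lookalike_of(from_domain, trusted)
        findings.append(("lookalike_domain", f"{from_domain} imitates {target}") if target
                        else ("external_sender", from_domain))
        if EXEC_TITLE_RE.search(sender.display_name):
            findings.append(("executive_name_external_address", sender.display_name))

    # A Reply-To on a third domain quietly reroutes the executive's answer to the attacker.
    if msg["Reply-To"]:
        reply = msg["Reply-To"].addresses[0]
        if reply.domain.lower() != from_domain:
            findings.append(("reply_to_mismatch", reply.addr_spec))

    # What the receiving gateway's SPF/DKIM/DMARC evaluation concluded.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append((f"{mech}_{m.group(1).lower()}", auth))

    # Check 2 and check 3: urgency/secrecy pressure and a money or HR-data ask.
    body_part = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"]) + "\n" + (body_part.get_content() if body_part else "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append(("urgency_or_secrecy", ", ".join(hits)))
    if FINANCIAL_RE.search(text):
        findings.append(("financial_or_hr_request", FINANCIAL_RE.search(text).group(0)))
    return findings


def verdict(findings):
    """Map findings to a gateway action; money plus a spoofing signal means hold and verify."""
    codes = {code for code, _ in findings}
    if codes & HIGH_RISK and "financial_or_hr_request" in codes:
        return "quarantine_and_verify_out_of_band"
    if codes & HIGH_RISK or "urgency_or_secrecy" in codes:
        return "warn_recipient"
    return "deliver"


if __name__ == "__main__":
    for label, raw in (("whaling", WHALING_EMAIL), ("benign", BENIGN_EMAIL)):
        found = analyze(raw)
        print(label, "->", verdict(found), found)
```

The verdict for a money request combined with any spoofing signal is to hold the message and verify out of band, which is the fourth check on the list made mechanical: the email itself is never the channel used to confirm it. The vocabulary and distance thresholds are deliberately simple; a production filter would add DKIM-signed sender history and the organization's actual executive directory.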

2. Security training programs

Awareness training programs curated specifically for the organization's whaling targets should explain what whaling is and how it works. The program should also draw attention to the kind of information the target group shares on social media, since that is the raw material attackers use to make their emails convincing.

3. Review existing policies

Organizations must have consistent in-house policies and must keep reviewing the standard operating procedures that govern financial transfers and the sharing of sensitive information and data. There also needs to be a clear-cut procedure for handling urgent requests from senior management and executives, so that an employee who insists on verifying such a request is following policy rather than obstructing the boss.

4. Security software to defend against whale phishing

There are several technical options for hardening your systems. Anti-spam, anti-phishing and anti-malware software blocks many malicious emails and attachments; up-to-date email scanning catches known malicious links; anti-impersonation technology (checks on display names, look-alike domains and Reply-To mismatches) stops attacks that carry no malware at all; and DNS-based email authentication (SPF, DKIM and DMARC) lets receiving mail servers confirm that mail claiming to come from your domain was actually sent by your authorized servers.
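DNS-based authentication only helps if the published records are strict enough to be enforced. The following added example, which is not code from the original article or any product it mentions, parses SPF and DMARC TXT records and reports the settings that leave a domain spoofable, contrasting a weak configuration with a hardened one. The domain, the IP range and the record contents are constructed for the illustration; no live DNS lookups are made.

```python
# Constructed DNS TXT records for a fictional domain (no live lookups are made).
# "Weak" is a common starting point; "hardened" is the target state for a
# domain whose executives are impersonation targets.
WEAK_RECORDS = {
    "example-corp.com": "v=spf1 include:_spf.mail.example ~all",
    "_dmarc.example-corp.com": "v=DMARC1; p=none",
}
HARDENED_RECORDS = {
    "example-corp.com": "v=spf1 include:_spf.mail.example ip4:203.0.113.0/24 -all",
    "_dmarc.example-corp.com": (
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
        "rua=mailto:dmarc-reports@example-corp.com"
    ),
}


def parse_spf(txt):
    """Split an SPF record into its mechanisms and the qualifier on the final 'all'."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier = None
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            # An unqualified 'all' means '+all': every sender passes.
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    return {"mechanisms": terms[1:], "all": all_qualifier}


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' DMARC syntax into a dict of lowercase tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_domain(domain, records):
    """Return the weaknesses in `records` that let attackers send mail as `domain`."""
    issues = []

    spf_txt = records.get(domain)
    if spf_txt is None:
        issues.append("no SPF record: any host can claim to send for this domain")
    else:
        spf = parse_spf(spf_txt)
        if spf["all"] in (None, "+", "?"):
            issues.append("SPF does not fail unauthorised senders (missing, '+all' or '?all')")
        elif spf["all"] == "~":
            issues.append("SPF '~all' only softfails unauthorised senders; many receivers still deliver")

    dmarc_txt = records.get(f"_dmarc.{domain}")
    if dmarc_txt is None:
        issues.append("no DMARC record: SPF/DKIM results are never enforced against the visible From: domain")
        return issues
    dmarc = parse_dmarc(dmarc_txt)
    dmarc_policy = dmarc.get("p", "none").lower()
    if dmarc_policy == "none":
        issues.append("DMARC p=none: spoofed mail is at most reported, never blocked")
    elif dmarc_policy == "quarantine":
        issues.append("DMARC p=quarantine: spoofed mail lands in spam instead of being rejected")
    if dmarc_policy != "none" and dmarc.get("sp", "").lower() == "none":
        issues.append("DMARC sp=none: subdomains can still be spoofed")
    if "rua" not in dmarc:
        issues.append("DMARC has no rua=: you will not see who is spoofing the domain")
    if dmarc.get("pct", "100") != "100":
        issues.append(f"DMARC pct={dmarc['pct']}: policy is applied to only part of the mail")
    return issues


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, assess_domain("example-corp.com", records) or "no issues")
```

One caveat worth keeping in mind: SPF and DMARC protect only the exact domain they are published for. A look-alike domain registered by the attacker can publish perfectly valid records of its own and will pass every authentication check, which is why the anti-impersonation checks on display names and near-miss domains remain necessary alongside DNS authentication.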

4. Whaling Vs Spear Phishing

Comparing spear phishing and whaling attacks

Spear phishing and whaling are related, because both are targeted online attacks by cybercriminals, and both rely on the same method: social engineering.

The difference is in who is targeted. Whaling is a specialized form of spear phishing that goes only after high-profile victims: top executives, senior management and other key people in an organization. Spear phishing more broadly targets specific individuals or small groups, who may be ordinary employees at any level.

A significant similarity is that both require planning. Unlike mass phishing, the attacker must research the victim and construct a convincing plot, and that takes time.


When a whaling attack is suspected, immediate action is required. One of the first things to do is to disconnect the affected computer from the internet and the local network. If a payment was authorized, contact the bank at once to try to stop or recall the transfer; the chance of recovery falls quickly with time. Your IT or security team then needs to warn the other likely whaling targets, scan the system for malware, preserve the suspicious email and its headers as evidence, and report the incident to the organization's cybersecurity cell.

Whaling attacks are common now, and the threat is only growing. That is why all key departments and people must stay alert and aware, always.
