What is a whaling attack (whale phishing)?

Whaling is a sophisticated type of spear-phishing attack in which threat actors either directly target high-level players in an organization or masquerade as them to deceive others.


Also for WindowsiOSAndroidChromebook and For Business

What is whaling?

Whaling is a sophisticated type of spear phishing attack in which threat actors either directly target high-level players in an organization or masquerade as them to deceive others. A common example is either targeting a company CEO or pretending to be the CEO to deceive other essential components of an organization, like CFOs, payroll departments, security teams, or spokespersons.

Cybercriminals may use complex social engineering strategies to execute whaling attacks successfully because they know that modern organization leaders employ various phishing mitigation strategies and tools. Unfortunately, it can be challenging to catch the attackers because they often mask their locations and hide their digital footprints.

What is whaling vs. phishing? 

Before we get deeper into what whaling is or how whaling attacks work, we should probably answer the frequently asked question: what is phishing in cybersecurity? In a nutshell, phishing is when threat actors falsely present themselves as trusted parties to gain the confidence of a victim to steal their money or sensitive information. Contrary to popular belief, phishing attacks aren’t limited to emails. For example, phishing attacks that use text messages are called smishing, and phishing attacks that use voice communications are called vishing.

Phishing emails usually target many Internet users and are easier to spot because threat actors design them for a mass audience. In fact, they send billions of phishing emails every day. However, phishing attacks can also be more targeted. 

What is a spear-phishing attack?

A spear-phishing attack is a more targeted type of phishing attack where threat actors tailor emails to attack a specific group of people like employees at a finance department. They may harvest data from spyware or sources on the Internet like social media pages to collect names, job titles, email addresses, and more to design a persuasive spear-phishing attack. Similar tactics can help hackers launch whaling attacks.

Why is it called a whaling attack?

The terms phishing, spear-phishing, and whaling are all analogous to fishing. Whereas fishers throw out of a fishing line with bait into the water, hoping to catch one of the many fish in the sea, a hacker sends phishing emails to many people hoping to catch at least one victim. Similarly, just like some fishing experts use spears to hunt single fish, threat actors use spear-phishing for specific targets.

As for whales, these mammals are the biggest fish in the sea and a high-value target for some fisher people. Likewise, whaling attacks in cybersecurity also aim at lucrative targets like executives in a company.

How does a whaling attack work?

With high-level targets wary of phishing attacks, hackers use various strategies to make their whaling campaign successful. For example, they may harvest an executive’s LinkedIn page to give their campaign a personal touch. In fact, security breaches are why maybe you shouldn’t use LinkedIn at all. A whaling attacker may also research industry jargon to appear legitimate and exploit a target’s emotions by offering a lucrative business opportunity. After completing intelligence-gathering phase, they may utilize the following whale phishing attack vectors:

  • Emails: As mentioned above, emails tailored to manipulate their targets are a common attack vector and utilize malicious attachments, links, or websites.
  • Phone: The UK National Cyber Security Center noted that attackers might use emails and phone calls in a 1-2 punch strategy where the phone call follows the email to reinforce the phishing.
  • Pretexting: Scammers may befriend a target over social media by pretending to be a potential business partner, love interest, industry peer, or an authority figure like a tax official.
  • Baiting: The attacker may entice a target to use an authentic-looking infected USB drive by leaving it at their office, gym locker or mailing it to their home.

What is the goal of whaling attacks?

  • Money: Attackers may use the spear-phishing attack to trick victims into sending them money through a wire transfer or extort an organization after data exfiltration.
  • Control: A hacker can use stolen credentials for lateral movement in an organization’s network or opening backdoors.
  • Supply chain attack: A supply chain attack is when hackers hit organizations by breaching vulnerable elements in their supply chain. With whale phishing, a cybercriminal could theoretically attack a government by hacking their vendor for a man-in-the-middle attack.
  • Corporate espionage: With a successful whaling attack, a hacker can steal intellectual property or other trade secrets to help competitors, sometimes in another country.
  • Malware: A cybercriminal gang can trick whaling attack victims into installing dangerous malware like ransomware, keyloggers, or rootkits.
  • Personal vendetta: The victim of a whaling attack may suffer a catastrophic loss to their reputation.

What is an example of whaling?

Over the years there have been many whaling attacks, which some media organizations also call CEO email scams. Here are some examples:

2015: A Hong Kong subsidiary of wireless company Ubiquiti Networks Inc. was defrauded out of $46.7 million after a fake email tricked a finance employee.

2015: A finance executive from toy manufacturing giant Mattel wired $3 million to a scammer after receiving a fraudulent request that appeared to be from the new CEO.

2016: An Austrian aerospace manufacturer named FACC fired its CEO after losing $58 million in a whaling email scam.

2016: A Snapchat HR employee leaked employee payroll data after a CEO email scam.

2017: Hackers swindled a small business owner out of $50,000 in a man-in-the-middle whaling attack.

2020: Cybercriminals used a malicious link to attack the co-founder of an Australian hedge fund with fraud, forcing the business to close.

How to prevent whaling attacks?

An organization can lessen the threat of whaling attacks by learning how to detect phishing attempts from hackers, like checking the URL, email address, links, and attachments in an email for red flags. Similarly, the language, tone, and grammar of an email can be a giveaway. Besides anti-phishing training, simulated whaling attacks can also enhance a team’s phishing-detection skills. For extra padding, companies should use cybersecurity software that blocks whaling attack vectors such as scam websites.