Whale phishing, or whaling, is a type of phishing attack that targets high-level corporate officers with fraudulent emails, text messages or phone calls. The messages are carefully written to manipulate the recipient into divulging sensitive corporate data and personal information or authorizing large payments to cybercriminals.
Whale phishing targets include C-level executives (CEOs, CFOs, COOs), other senior executives, political office holders and organizational leaders who can authorize large payments or wire transfers or the release of sensitive information without approval from others. These targets are referred to as whales after the slang term for customers (or gamblers) who have access to more money than the average person.
It’s important to understand how phishing, spear phishing and whale phishing are related, primarily because the terms are often used interchangeably, incorrectly or without context.
Phishing is any fraudulent email, text message or phone call designed to trick users into downloading malware (through a malicious link or file attachment), sharing sensitive information, sending money to criminals or taking other actions that expose themselves or their organizations to cybercrime.
Anyone with a computer or smartphone has probably received a bulk phishing attack, which is basically a form message that appears to be from a well-known business or organization, describes a common or credible situation and demands urgent action, such as "Your credit card has been declined. Please click the link below to update your payment information." Recipients who click the link are taken to a malicious website that might steal their credit card number or download malware to their computers.
A bulk phishing campaign is a numbers game. Attackers send messages to as many people as possible, knowing that some percentage will be tricked into taking the bait. One study detected over 255 million phishing messages during a six-month period in 2022. According to IBM’s Cost of a Data Breach 2024 report, phishing was the second most common cause of data breaches in 2024 and the most common method for delivering ransomware to victims.
Spear phishing is a phishing attack that targets a specific individual or group of individuals within an organization. Spear phishing attacks are typically launched against mid-level managers who can authorize payments or data transfers, such as accounts payable managers and human resources directors. The attacker masquerades as a coworker with authority over the target, or as a colleague (vendor, business partner, advisor) whom the target trusts.
Spear phishing attacks are more personalized than bulk phishing attacks and require more work and research. But the extra work can pay off for cybercriminals. For example, spear phishers stole more than USD 100 million from Facebook and Google between 2013 and 2015 by posing as legitimate vendors and tricking employees into paying fraudulent invoices.
A whale phishing or whaling attack is a spear phishing attack that is aimed exclusively at a high-level executive or official. The attacker typically impersonates a peer within the target’s organization, or an equal or higher-level colleague or associate from another organization.
Whale phishing messages are highly personalized. Attackers take great pains to imitate the writing style of the actual sender and, when possible, reference the context of real, ongoing business conversations. Whale phishing scammers often spy on conversations between the sender and the target; many try to hijack the sender’s actual email or text messaging account so they can send the attack message directly from it, for the ultimate in authenticity.
Because whaling attacks target individuals who can authorize larger payments, they offer the potential of a higher immediate payoff for the attacker.
Whaling is sometimes equated with business email compromise (BEC), another type of spear phishing attack in which the attacker sends the target a fraudulent email that appears to come from a coworker or colleague. BEC is not always whaling (because it frequently targets lower-level employees), and whaling is not always BEC (because it doesn't always involve email), but many of the most costly whaling attacks also involve BEC attacks. For example:
Phishing, spear phishing and whale phishing are all examples of social engineering attacks, that is, attacks that primarily exploit human vulnerabilities rather than technical vulnerabilities to compromise security. Because they leave much less digital evidence than malware or hacking, these attacks can be much more difficult for security teams and cybersecurity professionals to detect or prevent.
Most whaling attacks aim to steal large sums of money from an organization by tricking a high-level official into making, authorizing or ordering a wire transfer to a fraudulent vendor or bank account. But whaling attacks can have other goals, including:
Again, most whale phishing attacks are motivated by greed. But they can also be motivated by a personal vendetta against an executive or a company, competitive pressures or social or political activism. Whaling attacks against high-ranking government officials can be acts of independent or state-sponsored cyberterrorism.
Cybercriminals choose a whale with access to their goal and a sender with access to their whale. For example, a cybercriminal who wants to intercept payments to a company’s supply chain partner might send the company’s CFO an invoice and payment request that appear to come from the supply chain partner’s CEO. An attacker wanting to steal employee data might pose as the CFO and request payroll information from the VP of human resources.
To make the impersonated sender’s messages credible and convincing, whaling scammers thoroughly research the target, the sender and the organizations where they work.
Thanks to the amount of sharing and conversation people conduct on social media and elsewhere online, scammers can find much of the information they need just by searching social media sites or the web. For example, by simply studying a potential target’s LinkedIn profile, an attacker can learn the person’s job title, responsibilities, company email address, department name, names and titles of coworkers and business partners, recently attended events and business travel plans.
Depending on the target, mainstream, business and local media can provide additional information that scammers can use, such as rumored or completed deals, projects out for bid and projected building costs. Hackers can often craft a convincing spear phishing email with just some general Google searching.
But when preparing for a whale phishing attack, scammers will often take the important extra step of hacking the target and sender to gather additional material. This can be as simple as infecting the target’s and sender’s computers with spyware that enables the scammer to view file contents for additional research. More ambitious scammers will hack into the sender’s network and gain access to the sender’s email or text messaging accounts, where they can observe and insert themselves into actual conversations.
When it’s time to strike, the scammer sends the attack message(s). The most effective whale phishing messages appear to fit within the context of an ongoing conversation, include detailed references to a specific project or deal, present a credible situation (a social engineering tactic called pretexting) and make an equally credible request. For example, an attacker masquerading as the company CEO might send this message to the CFO:
Per our conversation yesterday, attached is an invoice from the lawyers handling the BizCo acquisition. Please pay by 5 p.m. ET tomorrow as specified in the contract. Thanks.
In this example, the attached invoice may be a copy of an invoice from the law firm, modified to direct payment to the scammer’s bank account.
To appear authentic to the target, whaling messages may incorporate multiple social engineering tactics including:
Whale phishing attacks, like all phishing attacks, are among the most difficult cyberattacks to combat because they can’t always be identified by traditional (signature-based) cybersecurity tools. In many cases, the attacker only needs to get past "human" security defenses. Whale phishing attacks are especially challenging because their targeted nature and personalized content make them even more convincing to the target or observers.
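Because these messages carry no malware signature, detection has to look at the impersonation traits described above: a display name that matches an executive but an address that does not, a Reply-To that diverts replies, a lookalike domain, and a time-pressured payment request. The following heuristic screen is an added example, not code from the original article; the organization domain, executive directory and both sample messages are constructed.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed values; a real deployment would load these from the organization's directory.
ORG_DOMAIN = "example.com"
EXECUTIVES = {  # normalized display name -> legitimate address
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|tomorrow|end of day)\b", re.I)
PAYMENT = re.compile(r"\b(invoice|wire|transfer|payment|pay|bank account)\b", re.I)

@dataclass
class Message:
    from_name: str
    from_addr: str
    reply_to: str
    subject: str
    body: str

def score_message(msg: Message) -> list[str]:
    """Return the indicators this message triggers (empty list = nothing found)."""
    hits = []
    name = msg.from_name.strip().lower()
    addr = msg.from_addr.strip().lower()
    domain = addr.rsplit("@", 1)[-1]
    # Display name matches an executive but the address is not that executive's.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        hits.append("exec-name-address-mismatch")
    # Replies would go somewhere other than the apparent sender.
    if msg.reply_to and msg.reply_to.strip().lower() != addr:
        hits.append("reply-to-differs")
    # External domain that closely resembles ours (e.g. a digit swapped for a letter).
    if domain != ORG_DOMAIN and SequenceMatcher(None, domain, ORG_DOMAIN).ratio() > 0.8:
        hits.append("lookalike-domain")
    # Time pressure combined with a money request: the pretexting pattern.
    text = f"{msg.subject} {msg.body}"
    if URGENCY.search(text) and PAYMENT.search(text):
        hits.append("urgent-payment-pretext")
    return hits

def is_whaling_candidate(msg: Message) -> bool:
    # Escalate to human review when two or more independent indicators fire.
    return len(score_message(msg)) >= 2

# Constructed samples: the CEO-to-CFO pretext from a lookalike domain, and a routine note.
SUSPECT = Message("Jane Doe", "jane.doe@examp1e.com", "accounts@mail-example.net", "BizCo invoice",
                  "Per our conversation yesterday, attached is an invoice from the lawyers handling "
                  "the BizCo acquisition. Please pay by 5 p.m. ET tomorrow as specified in the contract.")
BENIGN = Message("Jane Doe", "jane.doe@example.com", "", "Board agenda",
                 "Agenda for Thursday's board meeting attached. Let me know of any changes.")
```

A message from the executive's real, hijacked account (the case described earlier) trips none of the header checks, which is why the pretext indicator and out-of-band payment verification still matter.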
Still, there are steps that organizations can take to help mitigate the impact of whale phishing, if not prevent these types of attacks altogether.
Security awareness training. Because whale phishing exploits human vulnerabilities, employee training is an important line of defense against these attacks. Anti-phishing training may include:
Multi-factor and adaptive authentication. Implementing multi-factor authentication (requiring one or more credentials in addition to a username and password) and/or adaptive authentication (requiring additional credentials when users log in from different devices or locations) can prevent hackers from gaining access to a user’s email account, even if they are able to steal the user’s email password.
Security software. No single security tool can prevent whale phishing altogether, but several tools can play a role in preventing whale phishing attacks or minimizing the damage that they cause: