What is whale phishing?

Whale phishing targets include C-level executives (CEOs, CFOs, COOs), other senior executives, political office holders and organizational leaders who can authorize large payments or wire transfers or the release of sensitive information without approval from others. These targets are referred to as whales after the slang term for customers (or gamblers) who have access to more money than the average person.

It’s important to understand how phishing, spear phishing and whale phishing are related, primarily because the terms are often used interchangeably, incorrectly or without context.

Phishing is any fraudulent email, text message or phone call designed to trick users into downloading malware (through a malicious link or file attachment), sharing sensitive information, sending money to criminals or taking other actions that expose themselves or their organizations to cybercrime.

Anyone with a computer or smartphone has probably received a bulk phishing attack, which is basically a form message that appears to be from a well-known business or organization, describes a common or credible situation and demands urgent action, such as Your credit card has been declined. Please click the link below to update your payment information. Recipients who click the link are taken to a malicious website that might steal their credit card number or download malware to their computers.

A bulk phishing campaign is a numbers game. Attackers send messages to as many people as possible, knowing that some percentage will be tricked into taking the bait. One study detected over 255 million phishing messages during a six-month period in 2022. According to IBM’s Cost of a Data Breach 2024 report, phishing was the second most common cause of data breaches in 2024 and the most common method for delivering ransomware to victims.

Spear phishing is a phishing attack that targets a specific individual or group of individuals within an organization. Spear phishing attacks are typically launched against mid-level managers who can authorize payments or data transfers, including accounts payable managers and human resources directors, by an attacker masquerading as a coworker with authority over the target, or as a colleague (vendor, business partner, advisor) that the target trusts.

Spear phishing attacks are more personalized than bulk phishing attacks and require more work and research. But the extra work can pay off for cybercriminals. For example, spear phishers stole more than USD 100 million from Facebook and Google between 2013 and 2015 by posing as legitimate vendors and tricking employees into paying fraudulent invoices.

A whale phishing or whaling attack is a spear phishing attack that is aimed exclusively at a high-level executive or official. The attacker typically impersonates a peer within the target’s organization, or an equal or higher-level colleague or associate from another organization.

Whale phishing messages are highly personalized. Attackers take great pains to impersonate the writing style of the actual sender and, when possible, reference context of ongoing actual business conversations. Whale phishing scammers will often spy on conversations between the sender and the target; many will try to hijack the sender’s actual email or text messaging account to send the attack message directly from there, for the ultimate in authenticity.

Because whaling attacks target individuals who can authorize larger payments, they offer the potential of a higher immediate payoff for the attacker.

Whaling is sometimes equated with business email compromise (BEC), another type of spear phishing attack in which the attacker sends the target a fraudulent email that appears to come from a coworker or colleague. BEC is not always whaling (because it frequently targets lower-level employees), and whaling is not always BEC (because it doesn't always involve email), but many of the most costly whaling attacks also involve BEC attacks. For example:

• In 2015, Ubiquity Networks lost nearly USD 47 million in just 17 days when whale phishing attackers impersonating the company’s CEO and Chief Counsel sent emails convincing the Chief Accounting Officer to make a series of wire transfers to finance a secret acquisition.
  
  
• In 2018, Pathe Film Group lost EUR 19.2 million (USD 21 million) when scammers pretending to be the CEO at Pathe’s headquarters in France emailed the CEO of Pathe’s Netherlands office, requesting wire transfers to fund an acquisition.
  
  
• Also in 2018, attackers impersonating the CEO, senior executives and legal counsel of the Italian firm Tecnimont SpA tricked the leader of the company’s Indian business unit into transferring INR 1.3 billion (USD 18.25 million) to a bank in Hong Kong, also ostensibly to fund an acquisition. As part of this scam, attackers took the extra step of staging several fake conference calls to discuss the details of the "acquisition."

Phishing, spear phishing and whale phishing are all examples of social engineering attacks or attacks that primarily exploit human vulnerabilities rather than technical vulnerabilities to compromise security. Because they leave much less digital evidence than malware or hacking, these attacks can be much more difficult for security teams and cybersecurity professionals to detect or prevent.

Most whaling attacks aim to steal large sums of money from an organization by tricking a high-level official into making, authorizing or ordering a wire transfer to a fraudulent vendor or bank account. But whaling attacks can have other goals, including:

• Stealing sensitive data or confidential information. This can include theft of personal data, such as employee payroll information or customers’ personal financial data. Whale phishing scams can also target intellectual property, trade secrets and other sensitive information.
  
  
• Stealing user credentials. Some cybercriminals will launch a preliminary whale phishing attack to steal email credentials so they can start a subsequent whale phishing attack from a hijacked email account. Others use the credentials to gain high-level access to assets or data on the target’s network.
  
  
• Planting malware. A relatively small portion of whale phishing attacks try to trick targets into spreading ransomware or other malware by opening a malicious file attachment or visiting a malicious website.

Again, most whale phishing attacks are motivated by greed. But they can also be motivated by a personal vendetta against an executive or a company, competitive pressures or social or political activism. Whaling attacks against high-ranking government officials can be acts of independent or state-sponsored cyberterrorism.

Cybercriminals choose a whale with access to their goal and a sender with access to their whale. For example, a cybercriminal who wants to intercept payments to a company’s supply chain partner might send the company’s CFO an invoice and request for payment from the supply chain partner’s CEO. An attacker wanting to steal employee data might pose as the CFO and request payroll information from the VP of human resources.

To make the senders’ messages credible and convincing, whaling scammers thoroughly research their targets and senders along with the organizations where they work.

Thanks to the amount of sharing and conversation people conduct on social media and elsewhere online, scammers can find much of the information they need just by searching social media sites or the web. For example, by simply studying a potential target’s LinkedIn profile, an attacker can learn the person’s job title, responsibilities, company email address, department name, names and titles of coworkers and business partners, recently attended events and business travel plans.

Depending on the target, mainstream, business and local media can provide additional information, such as rumored or completed deals, projects out for bid and projected building costs that scammers can use. Hackers can often craft a convincing spear phishing email with just some general Google searching.

But when preparing for a whale phishing attack, scammers will often take the important extra step of hacking the target and sender to gather additional material. This can be as simple as infecting the target’s and sender’s computers with spyware that enables the scammer to view file contents for additional research. More ambitious scammers will hack into the sender’s network and gain access to the sender’s email or text messaging accounts, where they can observe and insert themselves into actual conversations.

When it’s time to strike, the scammer will send the attack message(s). The most effective whale phishing messages appear to fit within context of an ongoing conversation, include detailed references to a specific project or deal, present a credible situation (a social engineering tactic called pretexting) and make an equally credible request. For example, an attacker masquerading as the company CEO might send this message to the CFO:

Per our conversation yesterday, attached is an invoice from the lawyers handling the BizCo acquisition. Please pay by 5 p.m. ET tomorrow as specified in the contract. Thanks.

In this example, the attached invoice may be a copy of an invoice from the law firm, modified to direct payment to the scammer’s bank account.

To appear authentic to the target, whaling messages may incorporate multiple social engineering tactics including:

• Spoofed email domains. If attackers can’t hack into the sender’s email account, they’ll create look-alike email domains (bill.smith@cornpany.com for bill.smith@company.com). Whaling emails may also contain copied email signatures, privacy statements and other visual cues that make them appear authentic at a glance.
  
  
• A sense of urgency. Time pressure—references to critical deadlines or late fees—can drive the target to act faster without careful consideration of the request.
  
  
• Insistence on confidentiality. Whaling messages often contain instructions such as please keep this to yourself for now to keep the target from going to others who might question the request.
  
  
• Voice phishing (vishing) backup. Increasingly, phishing messages include phone numbers the target can call for confirmation. Some scammers follow up phishing emails with voice mail messages that use an artificial intelligence-based impersonation of the alleged sender’s voice.

Whale phishing attacks, like all phishing attacks, are among the most difficult cyberattacks to combat because they can’t always be identified by traditional (signature-based) cybersecurity tools. In many cases, the attacker only needs to get past "human" security defenses. Whale phishing attacks are especially challenging because their targeted nature and personalized content make them even more convincing to the target or observers.

Still, there are steps that organizations can take to help mitigate the impact of whale phishing, if not prevent these types of attacks altogether.

Security awareness training. Because whale phishing exploits human vulnerabilities, employee training is an important line of defense against these attacks. Anti-phishing training may include:

• Teaching employees techniques for recognizing suspicious emails (checking email sender names for fraudulent domain names)
  
  
• Tips to avoid "oversharing" on social networking sites
  
  
• Stressing secure working habits, such as never opening unsolicited attachments, confirming unusual payment requests through a second channel, phoning vendors to confirm invoices and navigating directly to websites instead of clicking links within emails
  
  
• Whale phishing simulations where executives can apply what they learn

Multi-factor and adaptive authentication. Implementing multi-factor authentication (requiring one or more credentials in addition to a username and password) and/or adaptive authentication (requiring additional credentials when users log in from different devices or locations) can prevent hackers from gaining access to a user’s email account, even if they are able to steal the user’s email password.

Security software. No single security tool can prevent whale phishing altogether, but several tools can play a role in preventing whale phishing attacks or minimizing the damage that they cause:

• Some email security tools, including AI-based anti-phishing software, spam filters and secure email gateways, can help detect and divert whaling emails.
  
  
• Antivirus software can help neutralize the spyware or malware attackers might use to hack into target networks to conduct research, eavesdrop on conversations or take control of email accounts. It can also help neutralize ransomware or malware infections that are caused by whale phishing.
  
  
• System and software patches can close technical vulnerabilities that are commonly exploited by spear phishers.
  
  
• Secure web gateways and other web filtering tools can block the malicious websites that are linked to in whale phishing emails.
  
  
• Enterprise security solutions can help security teams and security operations centers (SOCs) detect and intercept malicious traffic and network activity that is tied to whale phishing attacks. These solutions include (but are not limited to) security orchestration, automation and response (SOAR), security incident and event management (SIEM), endpoint detection and response (EDR), network detection and response (NDR), and extended detection and response (XDR).