What is whale phishing?
Explore IBM's whale phishing solution Subscribe to Security Topic Updates
Illustration showing collage of cloud, fingerprint and mobile phone pictograms
What is whale phishing?

Whale phishing, or whaling, is a type of phishing attack that targets high-level corporate officers with fraudulent emails, text messages or phone calls. The messages are carefully written to manipulate the recipient into divulging sensitive corporate data and personal information or authorizing large payments to cybercriminals.

Whale phishing targets include C-level executives (CEOs, CFOs, COOs), other senior executives, political office holders and organizational leaders who can authorize large payments or wire transfers or the release of sensitive information without approval from others. These targets are referred to as whales after the slang term for customers (or gamblers) who have access to more money than the average person.

Cost of a Data Breach

Get insights to better manage the risk of a data breach with the latest Cost of a Data Breach report.

Related content

Register for the X-Force Threat Intelligence Index

Whale phishing versus phishing and spear phishing

It’s important to understand how phishing, spear phishing and whale phishing are related, primarily because the terms are often used interchangeably, incorrectly or without context.

Phishing

Phishing is any fraudulent email, text message or phone call designed to trick users into downloading malware (through a malicious link or file attachment), sharing sensitive information, sending money to criminals or taking other actions that expose themselves or their organizations to cybercrime.

Anyone with a computer or smartphone has probably received a bulk phishing attack, which is basically a form message that appears to be from a well-known business or organization, describes a common or credible situation and demands urgent action, such as Your credit card has been declined. Please click the link below to update your payment information. Recipients who click the link are taken to a malicious website that might steal their credit card number or download malware to their computers.

A bulk phishing campaign is a numbers game. Attackers send messages to as many people as possible, knowing that some percentage will be tricked into taking the bait. One study detected over 255 million phishing messages during a six-month period in 2022. According to IBM’s Cost of a Data Breach 2022 report, phishing was the second most common cause of data breaches in 2022 and the most common method for delivering ransomware to victims.

Spear phishing: Targeted phishing attacks

Spear phishing is a phishing attack that targets a specific individual or group of individuals within an organization. Spear phishing attacks are typically launched against mid-level managers who can authorize payments or data transfers, including accounts payable managers and human resources directors, by an attacker masquerading as a coworker with authority over the target, or as a colleague (vendor, business partner, advisor) that the target trusts.

Spear phishing attacks are more personalized than bulk phishing attacks and require more work and research. But the extra work can pay off for cybercriminals. For example, spear phishers stole more than USD 100 million from Facebook and Google between 2013 and 2015 by posing as legitimate vendors and tricking employees into paying fraudulent invoices.

Whale phishing: Spear phishing for the highest-value targets

A whale phishing or whaling attack is a spear phishing attack that is aimed exclusively at a high-level executive or official. The attacker typically impersonates a peer within the target’s organization, or an equal or higher-level colleague or associate from another organization.

Whale phishing messages are highly personalized. Attackers take great pains to impersonate the writing style of the actual sender and, when possible, reference context of ongoing actual business conversations. Whale phishing scammers will often spy on conversations between the sender and the target; many will try to hijack the sender’s actual email or text messaging account to send the attack message directly from there, for the ultimate in authenticity.

Because whaling attacks target individuals who can authorize larger payments, they offer the potential of a higher immediate payoff for the attacker.

Whaling is sometimes equated with business email compromise (BEC), another type of spear phishing attack in which the attacker sends the target a fraudulent email that appears to come from a coworker or colleague. BEC is not always whaling (because it frequently targets lower-level employees), and whaling is not always BEC (because it doesn't always involve email), but many of the most costly whaling attacks also involve BEC attacks. For example:

Phishing, spear phishing and whale phishing are all examples of social engineering attacks or attacks that primarily exploit human vulnerabilities rather than technical vulnerabilities to compromise security. Because they leave much less digital evidence than malware or hacking, these attacks can be much more difficult for security teams and cybersecurity professionals to detect or prevent.

How whaling attacks work
Setting the goal

Most whaling attacks aim to steal large sums of money from an organization by tricking a high-level official into making, authorizing or ordering a wire transfer to a fraudulent vendor or bank account. But whaling attacks can have other goals, including:

  • Stealing sensitive data or confidential information. This can include theft of personal data, such as employee payroll information or customers’ personal financial data. Whale phishing scams can also target intellectual property, trade secrets and other sensitive information.

  • Stealing user credentials. Some cybercriminals will launch a preliminary whale phishing attack to steal email credentials so they can start a subsequent whale phishing attack from a hijacked email account. Others use the credentials to gain high-level access to assets or data on the target’s network.

  • Planting malware. A relatively small portion of whale phishing attacks try to trick targets into spreading ransomware or other malware by opening a malicious file attachment or visiting a malicious website.

Again, most whale phishing attacks are motivated by greed. But they can also be motivated by a personal vendetta against an executive or a company, competitive pressures or social or political activism. Whaling attacks against high-ranking government officials can be acts of independent or state-sponsored cyberterrorism.

Choosing and researching the target and the sender

Cybercriminals choose a whale with access to their goal and a sender with access to their whale. For example, a cybercriminal who wants to intercept payments to a company’s supply chain partner might send the company’s CFO an invoice and request for payment from the supply chain partner’s CEO. An attacker wanting to steal employee data might pose as the CFO and request payroll information from the VP of human resources.

To make the senders’ messages credible and convincing, whaling scammers thoroughly research their targets and senders along with the organizations where they work.

Thanks to the amount of sharing and conversation people conduct on social media and elsewhere online, scammers can find much of the information they need just by searching social media sites or the web. For example, by simply studying a potential target’s LinkedIn profile, an attacker can learn the person’s job title, responsibilities, company email address, department name, names and titles of coworkers and business partners, recently attended events and business travel plans.

Depending on the target, mainstream, business and local media can provide additional information, such as rumored or completed deals, projects out for bid and projected building costs that scammers can use. According to a report from industry analyst Omdia, hackers can craft a convincing spear phishing email after about 100 minutes of general Google searching.

But when preparing for a whale phishing attack, scammers will often take the important extra step of hacking the target and sender to gather additional material. This can be as simple as infecting the target’s and sender’s computers with spyware that enables the scammer to view file contents for additional research. More ambitious scammers will hack into the sender’s network and gain access to the sender’s email or text messaging accounts, where they can observe and insert themselves into actual conversations.

Launching the attack

When it’s time to strike, the scammer will send the attack message(s). The most effective whale phishing messages appear to fit within context of an ongoing conversation, include detailed references to a specific project or deal, present a credible situation (a social engineering tactic called pretexting) and make an equally credible request. For example, an attacker masquerading as the company CEO might send this message to the CFO:

Per our conversation yesterday, attached is an invoice from the lawyers handling the BizCo acquisition. Please pay by 5 p.m. ET tomorrow as specified in the contract. Thanks.

In this example, the attached invoice may be a copy of an invoice from the law firm, modified to direct payment to the scammer’s bank account.

To appear authentic to the target, whaling messages may incorporate multiple social engineering tactics including:

  • Spoofed email domains. If attackers can’t hack into the sender’s email account, they’ll create look-alike email domains (bill.smith@cornpany.com for bill.smith@company.com). Whaling emails may also contain copied email signatures, privacy statements and other visual cues that make them appear authentic at a glance.

  • A sense of urgency. Time pressure—references to critical deadlines or late fees—can drive the target to act faster without careful consideration of the request.

  • Insistence on confidentiality. Whaling messages often contain instructions such as please keep this to yourself for now to keep the target from going to others who might question the request.

  • Voice phishing (vishing) backup. Increasingly, phishing messages include phone numbers the target can call for confirmation. Some scammers follow up phishing emails with voice mail messages that use an artificial intelligence-based impersonation of the alleged sender’s voice.
Protecting against whaling attacks

Whale phishing attacks, like all phishing attacks, are among the most difficult cyberattacks to combat because they can’t always be identified by traditional (signature-based) cybersecurity tools. In many cases, the attacker only needs to get past "human" security defenses. Whale phishing attacks are especially challenging because their targeted nature and personalized content make them even more convincing to the target or observers.

Still, there are steps that organizations can take to help mitigate the impact of whale phishing, if not prevent these types of attacks altogether.

Security awareness training. Because whale phishing exploits human vulnerabilities, employee training is an important line of defense against these attacks. Anti-phishing training may include:

  • Teaching employees techniques for recognizing suspicious emails (checking email sender names for fraudulent domain names)

  • Tips to avoid "oversharing" on social networking sites

  • Stressing secure working habits, such as never opening unsolicited attachments, confirming unusual payment requests through a second channel, phoning vendors to confirm invoices and navigating directly to websites instead of clicking links within emails

  • Whale phishing simulations where executives can apply what they learn

Multi-factor and adaptive authentication. Implementing multi-factor authentication (requiring one or more credentials in addition to a username and password) and/or adaptive authentication (requiring additional credentials when users log in from different devices or locations) can prevent hackers from gaining access to a user’s email account, even if they are able to steal the user’s email password.

Security software. No single security tool can prevent whale phishing altogether, but several tools can play a role in preventing whale phishing attacks or minimizing the damage that they cause:

  • Some email security tools, including AI-based anti-phishing software, spam filters and secure email gateways, can help detect and divert whaling emails.

  • Antivirus software can help neutralize the spyware or malware attackers might use to hack into target networks to conduct research, eavesdrop on conversations or take control of email accounts. It can also help neutralize ransomware or malware infections that are caused by whale phishing.

  • System and software patches can close technical vulnerabilities that are commonly exploited by spear phishers.

  • Secure web gateways and other web filtering tools can block the malicious websites that are linked to in whale phishing emails.

  • Enterprise security solutions can help security teams and security operations centers (SOCs) detect and intercept malicious traffic and network activity that is tied to whale phishing attacks. These solutions include (but are not limited to) security orchestration, automation and response (SOAR)security incident and event management (SIEM), endpoint detection and response (EDR), network detection and response (NDR), and extended detection and response (XDR).  
Related solutions
IBM Security® QRadar® SIEM

Catch advanced threats that others miss. QRadar SIEM leverages analytics and AI to monitor threat intel, network and user behavior anomalies and to prioritize where immediate attention and remediation are needed.

Explore QRadar SIEM solutions

IBM Security® Trusteer Rapport®

IBM Trusteer Rapport helps financial institutions detect and prevent malware infections and phishing attacks by protecting their retail and business customers.

Explore Trusteer Rapport

IBM Security QRadar EDR

Secure endpoints from cyberattacks, detect anomalous behavior and remediate in near real time with this sophisticated yet easy-to-use endpoint detection and response (EDR) solution.

Explore QRadar EDR

Resources Keep current on whaling

Read about the latest whale phishing trends and prevention techniques at Security Intelligence, the thought leadership blog hosted by IBM Security.

What is ransomware?

Ransomware is a form of malware that threatens to destroy or withhold the victim’s data or files unless a ransom is paid to the attacker to unencrypt and restore access to the data.

Cost of a Data Breach

Now in its 17th year, this report shares the latest insights into the expanding threat landscape and offers recommendations for saving time and limiting losses.

Take the next step

Cybersecurity threats are becoming more advanced, more persistent and are demanding more effort by security analysts to sift through countless alerts and incidents. IBM Security QRadar SIEM helps you remediate threats faster while maintaining your bottom line. QRadar SIEM prioritizes high-fidelity alerts to help you catch threats that others miss.

Explore QRadar SIEM Book a live demo