A whaling attack is a type of phishing attack that targets high-level executives, such as the CEO or CFO, to steal sensitive information from a company. This could include financial information or employees' personal information

The reason whaling attacks target high-ranking employees is because they hold power in companies and often have complete access to sensitive data

The term "whaling" stems from the large size of the potential payoff for the phishing scam, as the "whales" are carefully chosen because of their influence, authority, and access within the company. 

In some cases, scammers may pose as the CEO or other corporate officers to manipulate victims into authorizing high-value wire transfers to offshore bank accounts or to go to spoofed websites that install malware.

Why are Whaling Attacks Successful?

Whaling attacks, like spear phishing attacks, are more difficult to detect than typical phishing attacks as they are highly personalized and only sent to select targets in an organization. 

While unsophisticated whale phishing relies solely on social engineering to trick targets, the majority of cybercriminals using whaling attacks tend to invest heavily in the attack to make it seem as legitimate as possible, due to potentially high returns. 

This could include gathering information from public social media profiles such as Facebook, Twitter and LinkedIn, engaging with the organization via email to understand how the company structures email addresses and email signatures, and gathering general company information like job titles, names of colleagues, third-party vendors and any details exposed in previous data breaches.

Additionally, if the target organization does not have adequate email security, the attacker can employ email spoofing to make their emails appear to come from a trusted source within the organization, making it even harder to detect the attack.

Even if the target organization has adequate email security, attackers can exploit a third-party vendor's lack of cybersecurity and launch the cyber attack via the vendor's domain or buy a similar typosquatted domain name. 

How Do Whaling Attacks Work?

The goal of a whaling attack is to trick the victim into disclosing personal information, company information or to install different types of malware, like ransomware, by using social engineering, email spoofing, and content spoofing efforts. 

For example, the attacker may send the victim a spoofed email that appears to be from a trusted source, such as a senior executive or another member of senior management. More sophisticated attacks may take control of a colleague's email account or lead to a customized website that was created specifically for the attack. 

For example, an attacker may spoof the CTO's email address and send an email to a member of the accounts payable department requesting for a fake AWS bill to be paid by close of business. 

Another common target for whaling are company board members because they have a great deal of authority without being full-time employees and may even use a personal email rather than a corporate account. 

As whaling attacks depend on social engineering, attackers may send hyperlinks or attachments to infect victims or to solicit sensitive information and generally try to put time pressure on the victim. 

Read our guide on social engineering for more information.

What is the Difference Between Phishing, Spear Phishing, and Whaling?

Phishing, spear phishing, and whaling share many similarities, primarily all three involve impersonation to elicit information or money from a target.

That said, they have subtle differences security teams should be aware of. 

A typical phishing email takes a quantity over quality approach, sending thousands or even millions of emails to potential victims.

Spear phishing is more selective, targeting specific organizations or employees and requiring more time and effort on the part of the attacker. 

Finally, whaling is a specific type of spear phishing that targets high-ranking, high-value targets in a specific organization who has a high level of authority and access to critical company data. 

Whaling attacks can take weeks or months to prepare and as a result, can have a very high success rate.  

Examples of Whaling Attacks

In 2016, Snapchat fell victim to a whaling attack when a high-ranking employee fell for a CEO fraud email and revealed employee payroll information. Snapchat reported the incident to the FBI and offered their employees two years of free identity theft insurance. 

Another well-known whaling attack involved a Seagate executive who accidentally exposed the W-2 forms for all current and former employees. This data breach resulted in the exposure of nearly 10,000 current and former Seagate employees' income tax data, leaving them open to income tax refund fraud and identity theft. 

The most dramatic example is the 2016 removal of FACC CEO, Walter Stephan, who fell for a whaling attack that led to the finance department wiring $56 million to fraudsters.

How to Prevent Whaling Attacks

While you can't prevent yourself or your company's executives from being targeted in whaling attacks, there are steps you can take to reduce the likelihood these attacks will be successful. 

These are the anti-phishing controls we suggest:

How UpGuard Helps Prevent Whaling Attacks

UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates. We can help you continuously monitor your vendors' external security controls and provide an unbiased security rating.

For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos and more.

We base our ratings on the analysis of 70+ vectors including:

Ready to see
UpGuard in action?