Whale fin

What is whaling?

Whaling is a variant of (spear) phishing that targets chief (‘c-level’) executives. Attackers use elaborately crafted emails in an attempt to persuade their victims to disclose valuable confidential data or authorize the transfer of large sums of money.

Myra Services on this topic: Block unwanted access and prevent malicious traffic with Myra Deep Bot Management


A definition of what whaling is

The term ‘whaling’ originates from world of cybercrime where highly influential people are referred to as ‘big fish.’ Thus, when whaling, hackers target c-level positions (CEO, CFO, and other high-level executives) with broad authority and access to highly confidential information. When hackers pose as c-level executives themselves, this is known as a CEO scam or Business Email Compromise (BEC). According to the FBI, in 2019 BEC caused $1.7 billion in financial damage in the U.S. alone.

Unlike standard phishing targeting a wide audience, and spear phishing employing fake messages and websites tailored to a small group of people, whaling uses more personalized and highly crafted emails and websites.

They often contain the victim’s name and position, as well as other personal details gathered from a variety of sources, in order to appear authentic in both form and content. This makes a whaling attack much harder to identify than a normal phishing attack.

Whaling is the pinnacle of phishing because it requires the most effort and often lengthy preparation, but also holds the highest and most lucrative prospects for success. Successful attackers stand to gain vast sums of money and valuable information (e.g., intellectual property, business processes, financial data, customer information, compromising emails), which they can then either sell or use for blackmail attempts.

Whale swims in the sea


How does a whaling attack work?

Phishing emails are among the most frequently perpetrated attacks on the internet. Like all forms of phishing, whaling also relies on social engineering, seen as the most common and most successful attack vector in companies: through targeted manipulation and influence, scammers seek to induce specific actions, such as the release of confidential data or financial transactions conducted in their favor.

To do this, attackers masquerade as a legitimate, known, and trusted contact, for example from inside a company or from partners, customers, banks, and government agencies. The professionally crafted and perfectly worded messages usually include deceptively authentic-looking signatures, contact details and company logos, or personal information for even greater credibility. Hackers must first gather information from social media accounts and publicly available company information.

In most cases, the criminals also mimic or forge the email address of the purported sender, for example, by tampering with the email header (email spoofing), inconspicuously swapping the order of adjacent letters, and using combinations of letters that look virtually identical (e.g., a capital ‘I’ as in India instead of a lower-case ‘l’ as in ‘light,’ or ‘rn’ instead of ‘m’). Sometimes hackers even set up their own email servers and register separate domains that closely resemble those of real companies or government agencies.

In seemingly normal communications criminals then dupe their victims into disclosing highly confidential information such as payroll, tax, or bank information, to click on a link to a website, which is then used to install malware or steal login credentials, or to initiate a financial transaction, for example. The goal is nearly always to steal money or information, or to gain access to corporate networks with the same intention.


What are some examples of whaling and CEO scams?

Whaling or CEO scams are very frequently employed in wire fraud. For example, in fake emails attackers masquerade as decision-makers of a business partner to the CEO, CFO or other employees and request urgent wire transfers, for example to pay for a delivery or to complete a planned company acquisition. If the victim complies with the request with no additional verification, the money ends up directly in the scammer’s account. The sums involved are often in the multi-million dollar range.

According to the FBI, between June 2016 and July 2019 financial losses caused by whaling, CEO scams, or BEC totaled more than $26 billion worldwide. From 2018 to 2019 alone, they increased by 100 percent.

As the following examples show, every industry and companies of any size may become the victim of whaling attacks:

  • According to media reports, Crelan Bank in Belgium lost over €70 million in 2016 as a result of a CEO scam.

  • A similar case of fraud came to light in the same year at Austrian aircraft parts manufacturer FACC, which ended up costing the company €44 million and then the CFO and CEO their jobs.

  • A CEO scam at Snapchat also made headlines in 2016: a hacker masquerading as CEO Evan Spiegel emailed an HR employee and in his name requested salary statements be sent to him, which the employee promptly complied with.

  • Something similar happened the same year at storage specialist Seagate: the HR department received an email purportedly from company CEO Stephen Luczo requesting copies of tax forms with Social Security numbers, salaries, and other personal data. The department complied with the request and sent confidential information on thousands of employees directly to the scammers.


How can companies protect themselves from whaling attacks?

Technical defense measures

Technical measures are only of limited suitability for warding off social engineering attacks such as whaling. Methods such as SPF, DKIM, and DMARC (Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication, Reporting and Conformance), email encryption or the automatic flagging of external emails in the inbox can help to identify forged sender addresses, but scam artists are always able to find a way around technical protection measures.

Awareness training

A lack of awareness is the most frequently exploited factor in social engineering attacks. If you want to effectively protect your company against whaling and other phishing variants, you must ensure that your management and employees receive awareness training. They should develop a healthy level of distrust and carefully check email senders to identify scam emails as such in good time. To raise awareness among top management, the IT department can also conduct simulated whaling attacks.

Multi-factor authentication

Especially for requests regarding confidential data or financial transactions, it is advisable to establish a multi-factor authentication process and codes of conduct. In case of doubt, employees should, for example, check by telephone to have instructions received by email confirmed by the purported sender.

Be careful what you disclose on social media

Both management and employees should be careful about the scope and extent of information they publish on social media channels. This is because content posted there is often used by scam artists as the basis for whaling and phishing attacks.

Laptop and cell phone lying side by side


What you need to know about whaling

Whaling and CEO scams are types of social engineering attacks that aim to deceive or pose as c-level executives. Cybercriminals thus seek to persuade victims to transfer sums of money or disclose valuable data records. Technical defenses alone do not provide sufficient protection against such attacks because the human factor plays a key role here. If, for example, a phishing email is opened without forethought or a link to a malicious website is unsuspectingly clicked on, it may already be too late. Companies should take this into account as part of a comprehensive cybersecurity strategy and introduce not only technical but also organizational prevention measures such as awareness training. To address all relevant problems, the security-by-design approach treats hardware, software, and users as equals. Only when you take account of cybersecurity in all stages of digital business processes will you be able to keep the virtual attack surface as small as possible.