What is Whaling?

Whaling Attack

Whaling, or whale phishing, is a common cyber attack that occurs when an attacker utilizes phishing methods against high-level executives such as the chief executive officer or the chief financial officer in order to steal sensitive information from a company or to lure the victim into making a wire transfer.

Cybercriminals may use social media to gather personal information about their victims and then craft personalized emails and websites that often incorporate the target's name, job title, or other relevant details. This level of personalization makes a whaling attack difficult to detect.

While phishing targets non-specific individuals and may take the form of a mass email sent to many people, whaling is aimed at a specific person or exclusively at high-level executives.
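Because a whaling lure is tailored to one executive, content alone rarely gives it away; what a mail gateway can still check is who the message claims to be from versus where it actually comes from. The following screening routine is an added example (not code from the original page or any product it describes) and assumes a corporate domain of `example.com`, a constructed list of executive display names, and an illustrative list of payment-related phrases; it flags a message as high risk when an impersonation signal (executive display name on an external address, or a Reply-To that diverts replies elsewhere) coincides with a request for money or payroll data.

```python
"""Screen inbound email for signs of executive impersonation (whaling).

Added example; assumed heuristics, not a product's detection logic:
  1. the display name matches a known executive, but the From address is
     outside the corporate domain;
  2. Reply-To points at a different domain than From, so replies (and any
     payment details) are diverted to the attacker;
  3. the message asks for a payment, payroll data or similar.
A message is 'high' risk when an impersonation signal (1 or 2) coincides
with a payment request (3); an impersonation signal alone is 'medium'.
"""
import re
from email.utils import parseaddr

# Constructed values; a real deployment would load them from the directory
# and mail-gateway configuration.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"alice ceo", "bob cfo"}

# Phrases that typically appear in whaling lures (illustrative list).
PAYMENT_PATTERNS = re.compile(
    r"\b(wire transfer|urgent payment|payroll|w-2|gift card|bank details)\b",
    re.IGNORECASE,
)


def _domain(address: str) -> str:
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def screen_message(headers: dict, body: str) -> dict:
    """Return {'reasons': [...], 'risk': 'high' | 'medium' | 'low'} for one message.

    `headers` needs a 'From' entry and may carry 'Reply-To' and 'Subject'.
    """
    display_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = _domain(from_addr)
    reasons = []

    # Signal 1: executive's name on an address outside the company.
    if display_name.strip().lower() in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        reasons.append("executive display name from external domain")

    # Signal 2: replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)
    if reply_domain and reply_domain != from_domain:
        reasons.append("reply-to domain differs from sender domain")

    impersonation = bool(reasons)
    # Signal 3: the lure asks for money or sensitive data.
    if PAYMENT_PATTERNS.search(headers.get("Subject", "") + "\n" + body):
        reasons.append("requests payment or sensitive data")
        risk = "high" if impersonation else "low"
    else:
        risk = "medium" if impersonation else "low"
    return {"reasons": reasons, "risk": risk}


# Constructed sample messages for the demonstration.
SAMPLES = [
    ({"From": "Alice CEO <alice.ceo@freemail.test>",
      "Subject": "Urgent payment needed"},
     "Please process a wire transfer to the vendor today; I am in meetings."),
    ({"From": "Alice CEO <alice@example.com>",
      "Reply-To": "alice@mailbox.test",
      "Subject": "Quick request"},
     "Send me the payroll W-2 forms for all staff as a PDF."),
    ({"From": "Alice CEO <alice@example.com>",
      "Subject": "Board meeting"},
     "The board meeting has moved to Thursday."),
    ({"From": "Carol Vendor <carol@supplier.test>",
      "Subject": "Invoice"},
     "Please find our invoice attached; bank details unchanged."),
]


def screen_all(samples=SAMPLES):
    """Screen each sample and return its risk label, in order."""
    return [screen_message(h, b)["risk"] for h, b in samples]


if __name__ == "__main__":
    for (headers, body), risk in zip(SAMPLES, screen_all()):
        print(f"{risk:6}  {headers['From']}")
```

A legitimate vendor invoice that mentions bank details (the fourth sample) stays low risk because no impersonation signal accompanies it; the point of combining the signals is to surface the executive-named, money-moving message without drowning the finance team in alerts on ordinary payment mail.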

Impacts of Whaling Attack

Monetary loss 

In a report by PhishLabs, 22% of all phishing emails analyzed in 2015 were motivated by financial fraud or other crimes. The FBI also reported that companies lost almost $215 million to phishing email scams in 2014, with whaling among the most favored methods.

Data loss

Cybercriminals use whaling emails to gain access to sensitive information that could be used for ransom or a data leak. 

Reputation damage

Any data leak of personal information can easily damage a company’s reputation resulting in a loss of customers or revenue, especially in whaling cases, where the target is a high-ranking officer of the organization. 

Whaling Attack Examples & CEO Fraud

In 2016, an employee from Snapchat was deceived by an email that looked like the CEO had sent it. The employee disclosed all of the payroll information to the attacker.

An employee of Scoular Company, a commodities firm located in Omaha, transferred $17.2 million to a Chinese bank account after the perpetrators sent emails that appeared to come from the company's CEO.


How to Prevent Whaling Attacks

Whaling Awareness Training for Employees 

Learn how to identify and protect yourself from suspicious emails. One study found that click rates fell by between 26% and 99% after employees completed a phishing awareness program. Whaling attacks show that the need for security awareness extends all the way up to the C-suite.

Implement Multiple-step Verification Processes 

Companies should put in place systems that require multiple steps before crucial information is transmitted or a wire transfer is initiated. Such a process helps establish that a request is genuine and can significantly reduce the chance of falling prey to fraudulent emails.
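The recommendation above is a process control, and it is most effective when the payment system itself refuses to release a transfer until every step is recorded. The release gate below is an added example (not the page's own control, and not code from any named company) with assumed policy values: the requester can never approve their own request, amounts above a single-approver limit need two distinct approvers, and an out-of-band confirmation by someone other than the requester must be on record whenever the amount is large or the beneficiary account differs from the vendor master. The sample request uses the $17.2 million figure from the Scoular case above.

```python
"""Toy release gate for outbound wire transfers with multi-step verification.

Added example with assumed policy values; not a page-provided control.
Before a transfer can be released it must have:
  * approval from a user other than the requester (two distinct approvers
    above SINGLE_APPROVER_LIMIT), and
  * a recorded out-of-band confirmation (e.g. a call-back to the contact on
    file, never to a number quoted in the requesting email) whenever the
    amount exceeds the limit or the beneficiary account is new or changed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed policy values and a constructed vendor master record.
SINGLE_APPROVER_LIMIT = 10_000
VENDOR_MASTER = {"ACME Supplies": "GB00BANK00000001"}


@dataclass
class TransferRequest:
    request_id: str
    requester: str
    beneficiary: str
    account: str
    amount: float
    approvals: List[str] = field(default_factory=list)
    callback_confirmed_by: Optional[str] = None


def approve(req: TransferRequest, approver: str) -> None:
    """Record an approval; the requester may never approve their own request."""
    if approver == req.requester:
        raise ValueError("requester cannot approve their own transfer")
    if approver in req.approvals:
        raise ValueError("duplicate approval from the same user")
    req.approvals.append(approver)


def confirm_callback(req: TransferRequest, verifier: str) -> None:
    """Record that `verifier` confirmed the request out of band."""
    if verifier == req.requester:
        raise ValueError("out-of-band confirmation must be done by someone else")
    req.callback_confirmed_by = verifier


def release_blockers(req: TransferRequest) -> List[str]:
    """Return the unmet conditions; an empty list means the transfer may go out."""
    blockers = []
    needed = 2 if req.amount > SINGLE_APPROVER_LIMIT else 1
    if len(req.approvals) < needed:
        blockers.append(f"needs {needed} approver(s), has {len(req.approvals)}")
    # A beneficiary account that is new, or differs from the master record,
    # is the classic sign of a fraudulent payment instruction.
    account_changed = VENDOR_MASTER.get(req.beneficiary) != req.account
    large = req.amount > SINGLE_APPROVER_LIMIT
    if (account_changed or large) and req.callback_confirmed_by is None:
        blockers.append("out-of-band confirmation required but not recorded")
    return blockers


def can_release(req: TransferRequest) -> bool:
    return not release_blockers(req)


def demo() -> List[List[str]]:
    """Walk one constructed request through the gate; return blockers per stage."""
    # Account differs from the vendor master entry for ACME Supplies.
    req = TransferRequest("WT-0001", "pat.clerk", "ACME Supplies",
                          "GB00BANK00000002", 17_200_000)
    stages = [release_blockers(req)]
    approve(req, "cfo")
    stages.append(release_blockers(req))
    approve(req, "controller")
    confirm_callback(req, "controller")
    stages.append(release_blockers(req))
    return stages


if __name__ == "__main__":
    for i, blockers in enumerate(demo(), 1):
        print(f"stage {i}: {blockers or 'ready to release'}")
```

The gate is deliberately indifferent to how urgent or senior the request sounds: an email from "the CEO" carries no weight in `release_blockers`, only recorded approvals and a confirmation made through a contact that was on file before the request arrived.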

Train Employees on Safe Social Media

Social media posts can help a cybercriminal gather relevant information to be used in a whaling attack. Educating employees about information that should not be disclosed on social media sites may prevent cybercriminals from using this information in a phishing attack.

Final Words

Protect your executives and safeguard your organization against whaling attacks with targeted security awareness training. Empower your team, from the C-suite down, with the knowledge to identify and deflect sophisticated phishing attempts. Choose our Security Awareness Training product for a robust defense against the costly consequences of data breaches, financial fraud, and reputational damage. Elevate your cybersecurity posture today.

Build cyber culture and learn how to avoid whaling attacks and other phishing scams today!