March 9, 2022
8 min read

What Is Whaling Attack & Whaling Phishing?

A whaling attack, also known as whaling phishing is a method used by cybercriminals to target high-value individuals and access their private information.

Ross K.
Security Expert
You might’ve heard about phishing, right? But did you know that there are different kinds of phishing? In this article, we want to highlight what is whaling, discuss whaling attacks and raise whaling cyber awareness for both private individuals with a large digital presence and businesses. Whaling attacks are known as targeted cyber-attacks. This means they are not intended to hit the masses, but rather specific key individuals (CEOs, mostly) who have access to information or assets that would be beneficial for hackers to obtain.

Whaling attacks – general overview

Whaling attacks as a trend, emerged almost a decade ago. Back then, the term used to describe them was broad and called “spear phishing.” As you can see, a lot of hacking tactic names are linked with fishing. Nowadays, spear fishing is just used to separate targeted phishing attacks from broad ones.
Whaling is what is known as phishing with a big catch. Whaling cyber-attack targets (e.g. whales) are not the usual masses of people but rather “high-value individuals” – decision-makers with access to information and/or assets which would be beneficial to threat actors. This can be a CEO, a high-ranking government officer or just anyone at a high position with access and/or possession of valuable information and resources.
Most whaling cyber-attacks involve high-level, very targeted and well-researched “phishing”. Once enough info is obtained, an unsolicited attempt by someone posing as a trustworthy entity – such as your bank, credit card company, government agency, or even popular sites, begins. The intent is to gain access to information that can be used for financial gain or destabilization. Scamming a middle-class person from the suburbs will never bring the same gain as scamming a large company CEO, for example, hence whaling phishing is a completely separate game.
While whaling cyber-attacks are sometimes referred to as just your everyday “phishing” this isn’t entirely true since whaling phishing involves targeting key individuals. Usually it’s done with immense background research, gathering insider info, preparing and doing it with utmost precision.

Whaling methodology

There are four key elements whaling attacks, also known as CEO fraud, have in common – targeting, timing, content, and methodology.


Targeting high-value individuals is the initial step of whaling. In order to reach success, you need to find an appropriate target. This person needs to be in control of access or with the power to influence decisions, have access to systems, etc. To be most successful, hackers usually target CEOs, CFOs and high-ranking executives as well as senior accounting staff.
Phishing is so common and widespread, more than half of IT decision makers want it to be their top priority.


Have you heard the phrase “Timing is everything”? Well it certainly applies here. If the hackers play their cards right and strike at the right time and pace their actions well, the chances for success increase greatly. Timing here refers to two different factors – general timing (on the calendar) and relative timing (current situation of the company).
For example, if hackers know that the CFO has fallen ill just before the Holidays and works remotely, they can create a scheme and precisely exploit the opportunity to lure out cash from the accounts just before Christmas Eve. Responsible personnel would take days to notice, giving enough time to launder the money through foreign bank accounts.


The whole essence of the whaling scam or you can even label this as the strategy. This is where research and aforementioned insider info come into play. Analyzing social media and other items on the company’s public agenda can show significant information that hackers can use for social engineering trickery and phishing. Each approach is likely to be unique with its own angles, niches, and exploitation points.
Usually, whaling revolves around email phishing, so scammers might like to focus on personal details and to quickly establish trust via communication. They might be able to easily spoof emails to chat with subordinates or even copy entire websites to gather information. For example, if your superior financial officer sends you an email from their address and writes:
“Can you login to our company bank accounts? Please check ASAP!” – a subordinate might not even hesitate to follow instructions.
Hence, the content is precise, straightforward.


Lastly, we have what is referred to as a “smooth scamming methodology,” in other words, fluid communication or social interaction between threat actors and what are considered high-value targets or individuals associated with them.
The scammer wants to prevent external involvement and limit communications to a minimum, keeping things under their direct control. If the target decides to consult with someone else, to get a second opinion or wait for a fixed date in the future, the scammer might become pushy and deny the necessity. This is the first flaw in their methodology – having very limited time to pull this off. If a subordinate employee senses fraud, they should not act above their pay grade. And CEOs, when targeted, should prevent doing something completely unplanned before consulting directly with corresponding officers.

Protection from and defense against whaling – raising cyber awareness

The most significant protection from and defense against whaling? To raise awareness. The concept of cyber awareness is typically associated with computer security, but that’s just one aspect of the entire picture. Raising cyber awareness in your company can significantly contribute to overall security and give you a competitive edge over unscrupulous competitors, who might try to use less-than-ethical approaches to gain what they are after.
To ensure successful protection against very focused whaling scamming, you need to raise awareness among all your employees – whether it is the CEO or a nightwatchman. Cyber awareness measures should be introduced in all work areas – from receptionists and clerks to high-ranking officers and technical support staff members.
Education and introduction to potential threats lead to the best possible results. As mentioned before, the most knowledgeable IT decision-makers are most concerned with the threat of phishing. It’s not the most clever tactic in terms of hacking solutions, but it exploits arguably the largest weakness in the company structure – people’s trust. If a hacker is able to social engineer their way and gains trust, the damage they can do is colossal.
The first step is to understand what your employees need to know about the dangers of whaling phishing attacks. Ensure 2FA and other possible digital security measures to prevent unfortunate and easily preventable damage.

Basic tips to prevent data theft and to stop phishing attacks

It’s not all doom and gloom; there are many things one can do to prevent data theft. Here are some basic tips to help you avoid whaling phishing attacks:

1. Do not rely solely on passwords – use 2FA, especially for financial transactions

The multi-factor authentication has proven to be one of the most effective tools in authenticating various operations and preventing fraudsters from taking advantage. One of the best ways to stop whaling dead in its tracks is to minimize reliance on knowledge of individuals (passcodes and passwords) and to add in factors such as possession (e.g. mobile phone, code generator, etc.) as well as biometric data.

2. Use long passwords that combine numbers, symbols, upper- and lowercase letters

They’re harder to remember but there are dedicated software solutions for password encryption and password protection. Some systems can be unlocked with passcodes that are always changing (similar to 2FA), but this minimal form of prevention can greatly obstruct the efforts of hackers.

3. Keep track of what is happening on your desktop, what data you are accessing, and from what websites it’s been downloaded from

There are various programs that can assist in monitoring what sites your organization’s IP is accessing and what information searches are made for.

4. Do not click any links in emails you did not expect to receive

Most whaling attacks are done via email, so what’s your best defense? First of all, do not click any links in emails you did not expect to receive, no matter what. Always report suspicious emails or ask about them in person or via secure comms channels, e.g. by calling the person in mind or writing to their intranet Skype account, etc.

5. Use firewalls and anti-spam filters on your email accounts

This one may seem obvious but it is among the most basic cyber hygiene measures that help keep lots of dangerous malware out of your system.


So, now you will know all there is to know about whaling at whaling attacks. This is a type of phishing attack wherein scammers aim their efforts against high-ranking individuals, such as top executives and managers. Hackers use various techniques to gather information on victims with the hope of fooling them into revealing private data or handing over access rights to highly confidential systems. It can create major damages to the company. Thus, businesses should raise awareness throughout their organization in order to better protect themselves.
More blog posts
April 10, 2023
8 min read
Proxy vs VPN: What Are the Differences?
VPNs have more features than a proxy, but they are more expensive. However, there are more pros and cons when choosing between a VPN or a Proxy.
Povilas M.
Security Expert
March 16, 2023
5 min read
What Is a Remote Wipe? Remotely Delete Your Phone
A remote wipe is a remote deletion of data from a device without having the device physically. Remote wipes can run on mobile phones, desktops, etc.
Ross K.
Security Expert
A security and IT company on a mission to make everyone’s privacy a default.
© 2022 Dragon Secure GmbH. Bahnhofstrasse 32, 6300, Zug, Switzerland