What is Whaling?

Whaling is a type of phishing attack that specifically targets high-level executives, such as a CEO or CFO, through fake emails or messages appearing to be from a trusted source. The attacker tries to trick the executive into revealing sensitive information or taking actions that could harm the company, such as authorizing a wire transfer or sending sensitive data. 

Whaling Explained

Whaling' is a type of spear phishing in which threat actors directly target c-level executives at an organization. This type of social engineering attack sends fraudulent messages to individuals with high levels of seniority to exploit three particular characteristics of these C-suite roles:

  1. High levels of information knowledge about the organization
  2. High levels of access to different systems, accounts, and sensitive data
  3. High levels of authority to perform secondary actions, such as transferring funds, without requiring approval

In taking advantage of these characteristics, successful perpetrators of whaling attacks often dupe senior executives into sending money to an account under their control, installing malware, or revealing confidential information. Since the word phishing originates from the use of email lures to "fish" for information from people, you can think of whaling as targeting high-ranking employees (“whales”) in an organization.

Whaling, CEO Fraud, and VIP Impersonation

Some sources use the terms Whaling and CEO fraud/VIP Impersonation interchangeably, but there are subtle differences to understand. CEO fraud is a type of phishing attack in which the attacker impersonates an organization’s CEO or perhaps another senior executive (CFO, CIO, etc.).

A CEO fraud email could directly target another senior executive, in which case it is a type of whaling attack, but it could equally be directed at a lower-level employee, such as someone working in the accounts department and not necessarily be considered whaling. So, not all CEO fraud attacks meet the definition of whaling attacks (and vice versa).

How Whaling Typically Happens

With the potential for striking a jackpot from a whaling attack, threat groups often pour considerable resources into each attack. A detailed reconnaissance phase involves combing through social media profiles of high-ranking executives and board members on platforms used for networking, such as LinkedIn and Twitter. Part of the preparation is to engage with the company via email to infer the structure of email addresses and email signatures for more credible fraudulent messages.

The next step is to decide whether to masquerade as someone within the organization, a third-party vendor, or a business partner. The extent of reconnaissance stretches to finding out about any charities, academic institutions, or associations the business partners to leverage the implicit trust in those relationships and impersonate someone within a partner organization.

In companies lacking strong email security, spoofing an email from within the organization using forged email headers might pay dividends for threat actors. Sending an email from within the company could also involve using stolen credentials to access an employee’s account.

If trying to target the C-level executive from outside the company, a routine tactic is to register typo-squatted domains that are easy to mistake for that of a trusted company or partner. These typo-squatted domains only slightly deviate from the genuine domain name, for example, by adding an underscore or removing a character.

The contents of the email eventually sent to the targeted individual are far more specific than seen in generic phishing campaigns. All information gleaned from reconnaissance is relevant for personalizing the message, conveying an understanding of business-specific tone and lexicon, and conveying a sense of urgency. Then, the executive either transfers money, clicks a dodgy link, or reveals something that should be kept secret.

Sometimes, threat actors pair whaling emails with phone calls to make the scenario seem more credible and corroborate their request, although if impersonating someone known to the target, a phone call is likely to raise flags. Many people holding C-suite positions work long hours and experience high levels of stress, which can make them more susceptible to being duped by a whaling attack.

Whaling Attack Examples

Levitas Capital

Levitas Capital, a Sydney-based hedge fund, lost out on over $8 million in 2020 when both company founders clicked an email link to a fake Zoom phone call. The link installed malware on their systems, which enabled threat actors to take control of key company email accounts and led to the eventual approval of $8.7 million in false invoices. In an example of the cascading impact of a serious cyber attack on a company’s reputation, this incident led to the cancellation of a $16 million investment and the fund had to shut down.


An incident targeting toy manufacturing company Mattel in 2016 serves as almost the perfect example of the sophisticated and targeted nature of whaling attacks. A Chinese cyber crime gang infiltrated Mattel’s network and conducted covert monitoring of internal procedures, protocols, corporate hierarchy, and other details over several weeks.

After Mattel appointed a new CEO, the gang launched into the whaling component of the attack by impersonating the CEO and targeting another high-ranking company executive. The email referred to an invoice payment due to be made to a Chinese supplier. The target didn’t think twice about the email’s trustworthiness and immediately transferred $3 million out of the company.

Defending Against Whaling

  • Security training and awareness — a true security-first culture reaches all levels of an organization with relevant training and awareness programs. These learning materials should inform the c-suite about the cyber threats they face, including whaling, instead of focusing only on educating junior employees.
  • Reinforce warnings — during times of high publicity, including company-sponsored events, remind executives about the threat of whaling attacks as their inboxes become inundated with even higher volumes of email than usual.
  • Limit information-sharing — there’s a tricky balance to strike with sharing information online because c-level executives want to be seen and heard championing the mission of the company they work for. It’s advisable to avoid referring to personal information in social media posts, such as birthdays, hobbies, holidays, and relationships because cunning cybercriminals use these details to craft more convincing whaling emails.
  • Advanced email security — an advanced email security solution can help prevent whaling through AI-powered detection of suspicious emails. Capabilities to look for include visual anomaly detection, sandboxing, and natural language processing engines to analyze email content.

IRONSCALES Fights Whaling for You

IRONSCALES’ self-learning platform uses machine learning to fight whaling and other targeted employee email attacks for you. NLP technology ensures protection against suspicious emails whether they come from sources inside or outside your domain. Warning banners alert about threats and make it quick and easy for C-suite to report suspicious emails and get on with their important tasks.

Beyond the automated and technology-based protections provided by IRONSCALES the platform directly integrates real-world phishing simulation testing and personalized security awareness training to educate employees on advanced identification and prevention best practices.

Learn more about IRONSCALES advanced anti-phishing platform here.

FREE Email Health Scan

Request an AI-powered email scan of your mailboxes and uncover lurking phishing threats.

Featured Content

Human & Machine

A core tenet at IRONSCALES is that phishing is a human + machine problem that can only be solved with a human + machine solution.

Vendor Spoofing

A researcher at IRONSCALES recently discovered thousands of business email credentials stored on multiple web servers used by attackers to host spoofed Microsoft Office 365 login pages.

The Cost of Phishing

Businesses are spending too much time and money on phishing. Discover how much in this survey report. 252 security professionals. 20 industries. 5 key takeaways.

Schedule a Demo

Request a demo to see what IRONSCALES AI-powered email security can do for you.