Dear reader, if you’re interested in finding out more about what whaling is, please take a seat, get a delicious cup of coffee or tea and read carefully, because this extended guide covers several aspects of the matter:

What Is a Whaling Phishing Attack 

Whaling is a type of phishing that aims to obtain sensitive information about a target. Whaling differs from ordinary phishing in that it targets high-profile, well-known, and wealthy individuals – CEOs, top-level executives, even celebrities. Fraudsters and cybercriminals can use the phished information to extort their victims or to deceive them into providing even more confidential or personal data.

In other words, whaling is a form of business email compromise (BEC), a type of social engineering attack in which malicious actors pretend to be the CEO of the company you work for, or another authority figure, and ask you to send money or give them access to sensitive information.

How Does a Whaling Phishing Attack Work?



The basic step in a whaling attack is research – attackers will try to use every resource they have to find out more about the people they want to impersonate and their work environment. They will check social network profiles in order to gain insights that might be later used in an email in order to seem trustworthy. 

The email address they would use would also seem authentic, and the message might include corporate logos and links to a fraudulent website that has been created to look legitimate. The emails would sound urgent, usually asking people to reply with certain information, open an attachment, pay an invoice or enter personal information on a fake website. 

The information the attackers obtain might be used to enter the company’s network, steal data or install software on your devices that allows them to maintain access to your network and monitor communications.

Whaling Attack Tactics

a. Whaling emails from “colleagues”

This is the most basic whaling tactic – the malicious actors try to trick company employees by using a compromised email address or a spoofed one to convince them that a colleague has a legitimate request for them. The tactic proves particularly efficient when it involves an email from a senior executive sent to a junior member of the team. 

b. Social media whaling

Online social networking is already used for developing business contacts and recruiting employees, and in recent years it has also become one of the hackers’ playgrounds. Social networks are a true goldmine of information for social engineering, but also a place where people tend to be less vigilant.

c. Whaling emails + confirmation phone call 

This is a particularly dangerous whaling tactic, because it borrows elements from other types of cyberattacks – supply-chain attacks and vishing (voice phishing). Hackers can use publicly accessible information about your partners or suppliers to construct incredibly credible emails. Afterwards, they give their targets a phone call to confirm the request. This makes the potential victim forget that the email might be fake, since they also had a “real world” interaction with the sender of the message.

Whaling Attack Examples

The Snapchat case 

A few years ago, Snapchat’s HR staff received an email from “chief executive Evan Spiegel”, who appeared to “request” payroll information about some current and former employees. As you might expect, someone replied and sent the requested information.

Within hours of the incident, Snapchat confirmed that the attack was an isolated one and reported it to the FBI. After identifying the affected employees, the company offered them two years of free identity-theft insurance and monitoring.

The Seagate case 

In March 2016, Seagate also dealt with a leak of the records of about 10,000 current and former employees. This huge number led to a lawsuit for malpractice. Other accusations included lack of oversight and poor handling of sensitive data.

The scenario was identical to the Snapchat case. The information that got in the wrong hands included “Social Security numbers, tax paid, salary information, and other data that put the legitimate owners at risk of identity fraud.” 

Consequences of Whaling Attacks

Financial loss

This one is obvious – if employees take the bait, they might send significant amounts of money to cybercriminals, but you should probably also add fines for data breaches and the potential loss of customers.

Data loss

Since cybercriminals are also trying to obtain data through a whaling attack, sending sensitive information to them amounts to a data breach – which can mean huge fines under GDPR.


Dealing with the consequences of such an attack is not easy: the company will have to shift its focus from making progress to notifying customers and other relevant parties about the breach, taking security measures to make sure it won’t happen again, and trying to recover any lost funds.

Brand damage

Obviously, no company would enjoy the same level of trust from customers and partners if an employee fell for impersonation fraud, especially if the result was a data breach. All sorts of future opportunities could be lost because of whaling. 

How to Prevent a Whaling Attack

As you can probably now understand, the implications of a whaling attack are very serious. Since no one wants to put their daily work and growth on hold to deal with the consequences of whaling, here’s what you can do to avoid one in the first place and keep your company safe:

Educate employees on the dangers of cyberattacks

Every employee should know what all the attacks mentioned in this guide mean: social engineering, phishing, spear phishing, whaling, business email compromise / CEO fraud. They should be able to recognize their signs, or at least keep a cautious and suspicious mindset when it comes to online communication.

Advise employees to pay attention to how they use social media

As we have seen, social media is a goldmine of information for cybercriminals. It would be best to keep all your profiles private, enable multi-factor authentication and verify every friend request that you receive. You can find more indications here.

Flag external emails 

Spotting potential whaling messages might be easier if you flag all the emails sent from outside the company’s network. This ties in with the next suggestion – establishing a verification process.

Establish a verification process 

One way of making sure your company won’t fall for a whaling attack is to tell everyone to double-check any email that seems suspicious. If it appears to come from within the business, there should be no hesitation to call the sender or even talk to them face to face.

Ensure the appropriate security measures 

The most important solutions you should have as part of your security strategy are an antivirus, a firewall and email security software. Heimdal Security can help you with all of them – you could try our Endpoint Detection and Response software and our email security solutions: Heimdal Email Security and Heimdal Email Fraud Prevention.


Heimdal Email Security can stop malware and malicious links and prevent phishing and ransomware by offering server-based email protection: it scans emails before they reach your device and before they ever land in your inbox. Everything happens in the cloud, at the server level. The solution is also useful because it helps you stop spam spreading from inside your network to other users; but if you also want to spot CEO fraud and prevent whaling attacks, Heimdal Email Fraud Prevention should be your best friend.


By using 125 detection vectors to keep your email safe, Heimdal Email Fraud Prevention can detect CEO and financial mail fraud, spot insider business email compromise, and discover imposter threats as well as advanced malware emails. Among the most important detection vectors, we mention: phraseology changes, IBAN / account number scanning, attachment modification, link execution and scanning, and man-in-the-email detection.
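To make two of the detection vectors named above (IBAN / account-number scanning and phraseology) concrete, here is an added Python example that scores the body of a message. It is not Heimdal’s code and does not reproduce any product’s rules; the phrase lists, the weights, the review threshold and both sample messages are constructed for illustration. The one piece that is standard is the IBAN check: ISO 13616 validation by rearranging the string and reducing it modulo 97, which lets the scorer distinguish a real account number pasted into an email from random uppercase-and-digit noise.

```python
import re

# Phrases typical of pressure-driven fraud emails (constructed list).
URGENCY_PHRASES = (
    "urgent", "today", "as soon as possible", "close of business",
    "confidential", "in a meeting", "cannot talk", "do not discuss",
)
# Phrases that signal a change of payment destination (constructed list).
PAYMENT_CHANGE_PHRASES = (
    "new account", "changed bank", "updated bank details", "new iban",
)
# IBAN shape: two-letter country code, two check digits, then 11 to 30
# alphanumerics, optionally written in space-separated groups.
IBAN_CANDIDATE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30}\b")
REVIEW_THRESHOLD = 5  # constructed cut-off for the demo


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, replace
    each letter with 10..35, and the resulting integer modulo 97 must be 1."""
    compact = iban.replace(" ", "").upper()
    if not 15 <= len(compact) <= 34 or not compact.isalnum():
        return False
    rearranged = compact[4:] + compact[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def score_message(body: str) -> dict:
    """Score one message body on urgency wording, payment-change wording and
    the presence of a syntactically valid IBAN; return the evidence found."""
    lowered = body.lower()
    urgency_hits = [p for p in URGENCY_PHRASES if p in lowered]
    change_hits = [p for p in PAYMENT_CHANGE_PHRASES if p in lowered]
    candidates = [m.group(0).replace(" ", "")
                  for m in IBAN_CANDIDATE.finditer(body)]
    valid_ibans = [c for c in candidates if iban_is_valid(c)]
    # Weights are illustrative: a valid account number in a payment-change
    # message is the strongest single signal, wording alone the weakest.
    score = len(urgency_hits) + 2 * len(change_hits) + 3 * len(valid_ibans)
    return {
        "urgency_hits": urgency_hits,
        "change_hits": change_hits,
        "valid_ibans": valid_ibans,
        "score": score,
        "verdict": "review" if score >= REVIEW_THRESHOLD else "ok",
    }


# Constructed sample bodies; the IBAN is the well-known documentation example.
FRAUD = """Hi, I need you to process a supplier payment today, before close of business.
We have changed bank, so use the new account GB82 WEST 1234 5698 7654 32.
Keep this confidential and do not discuss it by phone, I'm in a meeting."""

BENIGN = "Attached are the notes from Tuesday's meeting. Let me know if anything is missing."

if __name__ == "__main__":
    for body in (FRAUD, BENIGN):
        print(score_message(body))
```

Keyword lists like these are easy to evade and produce false positives on genuine finance traffic, so in practice a score like this would route a message to a human verification step (the phone call described under “Establish a verification process”) rather than block it outright.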

Make sure you have an incident response plan 

In order to mitigate the consequences of a cyberattack, companies should have “a maintained plan, concrete roles and responsibilities, lines of communication, and established response procedures. These are the necessary stepping stones that would allow it to appropriately address the bulk of incidents it would likely see.” 

Wrapping Up 

Whaling is a dangerous email security threat, but also one that can be avoided by paying a little attention and having the right security solutions in place. 

Heimdal Security offers the latest in cybersecurity protection against advanced cyberattacks. Our security solutions are designed to work with your company’s needs and budget.
