Whaling phishing is a method used by cybercriminals who aim to obtain sensitive information about a target, steal money, or access the target's computer systems for malicious purposes.

Whaling is a type of phishing attack that targets high-profile, well-known, and wealthy individuals – CEOs, top-level executives, even celebrities, hence the name “whaling.” Fraudsters and cybercriminals can use the phished information to extort their victims or deceive them into providing even more confidential or personal data.

In other words, whaling represents a form of Business Email Compromise (BEC), a type of social engineering attack in which malicious players pretend to be the CEO of the company you work for or another authority figure and ask you to send money or give them access to sensitive information.

How Does a Whaling Phishing Attack Work?

The basic step in a whale phishing attack is research. Attackers will try to use every resource they have to find out more about the people they want to impersonate and their work environment. They will check social network profiles in order to gain insights that might be later used in an email in order to seem trustworthy. 

The email address they would use would also seem authentic, and the message might include corporate logos and links to a fraudulent website that has been created to look legitimate. The emails would sound urgent, usually asking people to reply with certain information, open an attachment, pay an invoice or enter personal information on a fake website. 

The information gathered by the attackers might be used to enter the company’s network, steal data or install software on your devices that allows them to maintain access to your network and monitor communications.

Whaling Attack Tactics

Whaling emails from “colleagues”

This is the most basic whaling tactic – the malicious actors try to trick company employees by using a compromised email address or a spoofed one to convince them that a colleague has a legitimate request for them. The tactic proves particularly effective when it involves an email from a senior executive sent to a junior member of the team.

Social media whaling

Online social networking is already used for developing business contacts or recruiting employees and, for a few years now, it has also been one of the hackers’ playgrounds. Social networks are a true goldmine of information for social engineering, but also a place where people tend to be less vigilant.

Whaling emails + confirmation phone call

This is a particularly dangerous whaling phishing tactic because it borrows elements from other types of cyberattacks – supply chain and vishing. Hackers can use accessible information from your partners or suppliers to create incredibly credible emails. Afterward, hackers will give their targets a phone call to confirm the request. This would make the possible victim forget that this might be a fake email since they also had a “real world” interaction with the sender of the message. 

Whaling Attack Examples

The Snapchat case

A few years ago, the Snapchat HR staff received an email from “chief executive Evan Spiegel”, who appeared to “request” payroll information about some current and former employees. As you might expect, someone answered and sent the requested information. A few hours after the incident, the company confirmed that the attack was an isolated one and reported it to the FBI. After discovering which employees were affected, it offered them two years of free identity-theft insurance and monitoring.

The Seagate case

In March 2016, Seagate also dealt with a leak of former and current employees’ records – about 10,000. This huge number led to a malpractice lawsuit. Other accusations included lack of surveillance and poor handling of sensitive data. The scenario was identical to the Snapchat case. The information that got into the wrong hands included “Social Security numbers, tax paid, salary information, and other data that put the legitimate owners at risk of identity fraud.”

Consequences of Whaling Attacks

Financial loss

This one is obvious – if employees take the bait, they might send significant amounts of money to cybercriminals, but you should probably also add to that fines for data breaches and the potential loss of customers.

Data loss

Since cybercriminals are also trying to obtain data from a whaling attack, sending sensitive information to them equals a data breach – which equals huge fines, due to GDPR regulations.


Dealing with the consequences of such an attack is not easy: the company will shift its focus from making progress to notifying customers and other relevant people about data breaches, taking security measures to make sure it won’t happen again, and trying to recover any lost funds.

Brand damage

Obviously, no company would enjoy the same level of trust from customers and partners if an employee fell for impersonation fraud, especially if the result was a data breach. All sorts of future opportunities could be lost because of whaling. 

How to Prevent a Whaling Phishing Attack

As you can probably now understand, the implications of a whaling phishing attack are very serious. Since no one wants to interrupt their daily work and growth to deal with the consequences of whaling, here’s what you can do to avoid an attack in the first place and keep your company safe:

Educate employees on the dangers of cyberattacks

Every employee should know what all the attacks mentioned in this guide mean: social engineering, phishing, spear phishing, whaling, business email compromise / CEO fraud. They should be able to recognize their signs or at least have a preventive and suspicious mindset when it comes to online communication.

Advise employees to pay attention to how they use social media

As we have seen, social media is a goldmine of information for cybercriminals. It would be best to keep all your profiles private, enable multi-factor authentication and verify every friend request that you receive.

Flag external emails

Spotting potential whaling messages might be easier if you flag all the emails sent from outside of the company’s network. This is correlated to the next suggestion – establishing a verification process. 
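One way such a flagging rule could work at a mail gateway, as an added example that is not part of the original article or of any Heimdal product. It goes slightly beyond plain external tagging by also checking for an executive's display name and a mismatched Reply-To; the domain names, executive names, reason labels and sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}        # assumption: the company's own mail domains
EXECUTIVES = {"jane doe", "john smith"}   # assumption: names likely to be impersonated
TAG = "[EXTERNAL]"

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def assess(raw):
    """Return (subject to deliver, list of reasons the message was flagged)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    # Assumption: the gateway strips inbound Authentication-Results headers and
    # writes its own, so "dmarc=pass" here reflects a local check (RFC 8601).
    authed = "dmarc=pass" in msg.get("Authentication-Results", "").lower()
    own_domain = domain_of(addr) in INTERNAL_DOMAINS
    external = not (own_domain and authed)
    reasons = []
    if external:
        # A From: header is easy to spoof, so unauthenticated mail claiming
        # our own domain is treated like mail from any outside sender.
        reasons.append("internal-domain-failed-dmarc" if own_domain else "external-sender")
        if " ".join(name.lower().split()) in EXECUTIVES:
            reasons.append("executive-display-name")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append("reply-to-domain-mismatch")
    subject = msg.get("Subject", "")
    if external and not subject.startswith(TAG):
        subject = f"{TAG} {subject}"
    return subject, reasons

def make(sender, auth, subject, reply_to=""):
    # Build a constructed sample message (not real mail).
    extra = f"Reply-To: {reply_to}\n" if reply_to else ""
    return (f"From: {sender}\nAuthentication-Results: mx.example.com; {auth}\n"
            f"Subject: {subject}\n{extra}\nPlease handle this today.\n")

SAMPLES = {
    "lookalike": make('"Jane Doe" <jane.doe@example-corp.test>', "dmarc=pass",
                      "Urgent wire transfer", "jane.doe@mailbox.test"),
    "spoofed": make("Jane Doe <jane.doe@example.com>", "dmarc=fail", "Payroll export"),
    "internal": make("John Smith <john.smith@example.com>", "dmarc=pass", "Q3 planning"),
}
```

Calling `assess()` on each entry of `SAMPLES` tags the lookalike and spoofed messages and leaves the authenticated internal one untouched.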

Establish a verification process

One way of making sure your company won’t fall for a whaling attack is to tell everyone to double-check any email that seems suspicious. If it’s from within the business, there should be no hesitation to call the sender or even talk to them face to face.

Make sure you have an incident response plan

In order to mitigate the consequences of a cyberattack, companies should have “a maintained plan, concrete roles, and responsibilities, lines of communication, and established response procedures. These are the necessary stepping stones that would allow it to appropriately address the bulk of incidents it would likely see.” 

Ensure the appropriate security measures

The most important solutions you should have as part of your security strategy are an antivirus, a firewall, and email security software.

How Can Heimdal™ Help?

Heimdal Email Security can stop malware and malicious links and prevent phishing and ransomware by offering server-based email protection: it scans emails before they get to your device and before they ever reach your inbox. Everything happens in the cloud, at the server level. The solution is also particularly useful because it can help you prevent spam from spreading from inside your network to other users. If you also want to spot CEO fraud and prevent any whaling attack, Heimdal Email Fraud Prevention should be your best friend.

Heimdal Email Fraud Prevention is the ultimate email protection against financial email fraud, C-level executive impersonation, phishing, insider threat attacks, and complex email malware. How does it work? By using over 125 vectors of analysis and being fully supported by threat intelligence, it detects phraseology changes, performs IBAN/Account number scanning, identifies modified attachments, malicious links, and Man-in-the-Email attacks. Furthermore, it integrates with O365 and any mail filtering solutions and includes live monitoring and alerting 24/7 by our specialists.

Wrapping Up 

Whaling is a dangerous email security threat, but also one that can be avoided by paying a little attention and having the right security solutions in place. 

Heimdal Security offers the latest in cybersecurity protection against advanced cyberattacks. Our security solutions are designed to work with your company’s needs and budget.

This article was originally published by Elena Georgescu in September 2021 and was updated by Antonia Din in March 2022.

Author Profile

Elena Georgescu

Communications & Social Media Coordinator | Heimdal®

Elena Georgescu is a cybersecurity specialist within Heimdal™ and her main interests are mobile security, social engineering, and artificial intelligence. In her free time, she studies Psychology and Marketing. Some of her guest posts on other websites include: cybersecurity-magazine.com, cybersecuritymagazine.com, techpatio.com
