Whale Phishing: Everything You Need to Know

Whale phishing is a form of spear phishing attack in which the attacker pursues a particularly high value target, such as a CEO or government system. Just as in a spear phishing attack, the whale phisher researches their target and sends a personalized email in an attempt to trick their target into giving up money or information.

Where whale phishing and spear phishing differ is the type of target involved. While a scammer may use spear phishing approaches on any kind of person, it turns into whale phishing when the target is high-value or a “whale.”

Whales can include anyone with power, prominence, or wealth. CEOs and other high-powered executives are the most common targets. However, anyone with substantial access to company assets, knowledge of proprietary data, or access to personal information can attract an attacker’s attention. For example, HR professionals commonly have access to personnel files containing sensitive data on employees, including names, birth dates, and Social Security numbers.

What Does a Whale Phishing Attacker Want?

Typically, attackers are after money or high-value assets. An attacker may attempt to convince you to give them access to sensitive data that can either be sold, held hostage, or used for identity theft. They might also try to get you to initiate wire transfers or pay fake invoices, or to convince other employees to do so on your behalf.

One prime example of a successful whaling attack happened in 2015. As reported by CBS News, Mattel, the company behind Hot Wheels and Barbie, was targeted. The target was asked to send a large payment to a supposed new vendor located in China. Since it appeared legitimate – with the attacker masquerading as an executive within Mattel – $3 million was sent to the attacker via wire transfer.

Whale Phishing Example #1: Unpaid Invoice

If the attacker is trying to get money from the target, claiming that there is an unpaid invoice that needs to be paid immediately is a common approach. With particularly diligent fraudsters, the attacker may spend time learning about the companies the target does business with as a starting point.

After that, they may research that secondary business to learn the names of actual employees or see if the target has existing relationships that can be exploited. For example, if the target attended a conference and mentioned on social media that they spoke with an employee, they may reference that event.

Hi Mark,

It was a pleasure seeing you at the SAASCon last week.

I’m reaching out because of an unpaid invoice. The deadline is tomorrow and, if payment isn’t received, it’s going to trigger a substantial late fee.

Please click here to view the invoice. Can you please wire over the funds before COB today so that I can mark this as paid-in-full?


Jerry Truesdale, VP of Accounts
Acme Corp

With this message, the attacker is hoping that the target will click the link and initiate the payment or that the target will forward the link along to an employee in the accounting or finance department. It’s essentially a cash-grab, with the link ensuring that the money goes into an account chosen by the attacker.

Whale Phishing Example #2: Fake Tech Support

If the fraudster’s goal is to access a company system, then they may masquerade as a member of the tech support team. By doing so, they may be able to convince the target into handing over login credentials, allowing them to access the asset with the target’s credentials.

Like with the example above, a dedicated fraudster may go the extra mile, learning the company’s internal tech team’s names or, if the company uses cloud-based solutions managed by a third-party, a point-of-contact’s name.

Hi Marta,

We are updating our authentication procedures for our bill processing system. In order to keep the system secure, we are strengthening the password requirements. Everyone with access needs to update their password immediately to meet the new standards.

I’ve included a password reset link for your convenience. Once you click it, simply enter your current login details. Then, you’ll be prompted to create a new password that meets the new requirements.

If you have any questions, please reply to this email.

Thank you,

Connor Hughes
Acme Corp

Ultimately, the link in the message allows the hackers to capture the target’s real credentials. Then, they can use them to access company systems and assets.

How to Protect Yourself from Whale Phishing Attacks

Now that you understand how an attacker may attempt to convince a target to hand over user names and passwords or send over money, let’s take a look at how you can prevent them from getting what they want. While many of these tips are familiar to most, they are worth repeating.

Be Cautious About What You Share Online

When you publish personal information, you may be giving a whale phisher ammunition. While most business executives can’t fully disguise who they know, they can control the amount of detail they provide about those relationships.

For example, social media posts about social activities involving other executives at the company may give the attacker information they can use. They might pretend to be that colleague and then reference that event as a means of getting you to lower your guard.

Even if you set your account to “private,” you may still want to be cautious. Review your friends list regularly to ensure you genuinely know the people who can view your posts. Additionally, keep in mind that particularly dedicated attackers may first attempt to hack one of your “friends” accounts to gain access to what you post. By limiting what you share regardless of your privacy settings, you’re protecting yourself.

Embrace Password Management Best Practices

Often, the goal of a whale phishing attack is to secure your login credentials. It may be your user name and password for company systems, personal financial accounts, or anything in-between.

Make sure that you never share your password with anyone. If you receive an email with a link that prompts you to provide your login credentials, stop immediately. Question the legitimacy of the site and consider using another approach.

For example, if you get a suspicious password reset prompt for your financial account information, leave that site. Then, go straight to your bank’s website by typing in the URL or using your personal favorites list. You can also contact your bank by phone, using a phone number you trust, such as the one on the back of your debit or credit card or that’s listed in the “Contact Us” section of what you know is the genuine site.

Additionally, while it can be cumbersome, use strong, unique passwords for every account or system you access. If you use the same password in several locations, you are putting yourself at risk. Many attackers that secure login credentials for one system will try in on others. If your password is the same, they’ll gain access to more than just their initial target.

Always Examine Links and Attachments Carefully

Even if an email initially seems to be legitimate, be suspicious about any links or attachments in the message. Sender lines can be misleading, so don’t trust them inherently.

With links, make sure to verify the URL. Sometimes, you can do this by simply hovering your cursor over the link. If that doesn’t work, right click the link. Then, paste it into a browser search bar. Don’t hit enter. Instead, you want to examine the URL closely. If you still aren’t sure, head to the company’s or asset’s URL directly.

For attachments, you should always scan them for viruses. However, even if it comes up clean, that doesn’t always mean it is safe. You may want to contact the sender directly, such as by calling the number listed for them in the company directory. That way, you can confirm it’s legitimate.

The Bottom Line

Ultimately, you are the best defense against whale phishing attacks. By being cautious – or even downright suspicious – you can stop attackers in their tracks.

About the Author

Find Michael on LinkedIn

Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.