Whaling: how it works, and what your organisation can do about it

Created:  07 Oct 2016
Updated:  07 Oct 2016
Whaling phone call
A guide to 'whaling' - targeted phishing attacks aimed at senior executives.

Whaling is a highly targeted phishing attack - aimed at senior executives - masquerading as a legitimate email. Whaling is digitally enabled fraud through social engineering, designed to encourage victims to perform a secondary action, such as initiating a wire transfer of funds.

Whaling does not require extensive technical knowledge yet can deliver huge returns. As such, it is one of the biggest risks facing businesses. Financial institutions and payment services are the most targeted organisations, however cloud storage and file hosting sites, online services and e-commerce sites are receiving a larger share of attacks.

Whaling emails are more sophisticated than generic phishing emails as they often target chief ('c-level') executives and usually:

  • contain personalised information about the targeted organisation or individual
  • convey a sense of urgency
  • are crafted with a solid understanding of business language and tone


What are the consequences?

Whaling emails are a form of social engineering which aim to encourage their victim to take a secondary action such as:

  • clicking on a link to a site which delivers malware
  • requesting a transfer of funds to the attacker's bank account
  • requests for additional details about the business or individual in order to conduct further attacks

Financial loss

The 2016 Phishing Trends and Intelligence report by PhishLabs found that 22% of spear phishing attacks analysed in 2015 were motivated by financial fraud or related crimes. The table below illustrates five of the largest financial losses to organisations as a result of whaling emails. In these examples, a senior executive received a fraudulent email requesting a transfer of funds, from what appeared to be a trusted supplier, partner or member of the organisation.

Whaling: financial losses

Loss of data

Clicking on a link or downloading an attachment in an email can result in corporate networks becoming infected with malware. This can result in data breaches such as the loss of customer data or intellectual property theft.

Reputational damage

Financial or data loss through a whaling attack can be extremely embarrassing to both an organisation and an individual. FACC, an Austrian aerospace manufacturer that lost €50 million as a result of a targeted email attack in 2016, decided to fire several members of staff including the CEO, for their involvement in the incident.


Recent changes in common whaling tactics

Initially whaling emails were not much harder to identify than their less targeted phishing counterparts. However, the adoption of fluent business terminology, industry knowledge, personal references and spoofed email addresses have made sophisticated whaling emails difficult for even a cautious eye to identify. Highly targeted content is now combined with several other methods which executives should be aware of to reduce their chances of falling victim to a whaling attack. Crucially all these developments either exploit existing trusted relationships, or combine a cyber attack with non-cyber fraud tactics. 

Whaling email with a phone call

The NCSC is aware of several incidents whereby a whaling email was received and then followed-up with a phone call confirming the email request. This is a social engineering tactic which could be described as cyber enabled fraud. The phone call serves the dual purpose of corroborating the email request and making the victim complacent about a possible cyber attack as they have also had a 'real world' interaction. 

Whaling phone call


Whaling email from malicious actors masquerading as a trusted partner

The rise of supply chain attacks (where a supplier or partner organisation's network is compromised in order to gain access to the target organisation) has been well documented. However, recent whaling attacks have used easily accessible information on suppliers or partners to construct whaling emails which appear credible. If an organisation advertises partners such as charities, law firms, think tanks or academic institutions, they should be aware that they may receive emails from malicious actors masquerading as those trusted partners.

Whaling via partners


Whaling emails which appear to be from colleagues  

This is when an employee email address is either compromised (or a spoofed email address is used) to convince other employees that they are receiving a legitimate request from a colleague. This is especially effective when the email address of a very senior executive is spoofed to request an urgent payment to a junior member of (for example) a finance department.

Whaling via employees


Whaling through social media

Online social networking is an increasingly prevalent way of developing business contacts, recruiting employees and hosting discussions. However social media accounts, both professional and personal, provide a means for malicious actors to research and make contact with senior executives. They provide a goldmine of information for social engineering, and victims are often less vigilant to attack in a more social forum. According to Proof Point there was a 150% increase in social media phishing attacks in 2015.


Catching your white whale

It is crucial to remember that whaling is a means of social engineering, and malicious actors will use methods exploiting established trust structures, existing outside the cyber realm, to reassure the victim. Simply making your employees aware of social engineering threats doesn't make them invulnerable; some attacks are too well crafted and no amount of user awareness and training can guarantee their detection. Employee and executive training on social engineering tactics should be considered part of a series of technical and user based defences against attacks, but recognise the limitations of such measures.

Similarly, whilst organisations should ensure training is supported by hardened technical defences, malicious actors are increasingly employing techniques to evade automated detection and prevent analysis of attack methodology. As such, organisations should accept that a successful whaling attack is a possibility, and put in place checks and processes to mitigate the damage.  


Whaling examples

The following real-life whaling attempts show the intricate changes perpetrators try to make to trick a CEO. For the full list refer to

Whaling email example

Whaling attempt where the attacker has created a Hotmail account that could appear to be a CEO webmail service.


Whaling email example

Whaling attempt by dropping in an extra “s” at the end of the email address.


Whaling email example

Whaling attempt where the attacker has registered a similar domain name, replacing the “o’s” with similar and easily overlooked zeros.


Whaling email examples

Whaling attempt where the attacker has registered a similar-looking domain name to the actual White Chemicals.



Was this guidance helpful?

We need your feedback to improve this content.

Yes No