What is Whale Phishing? Definition and Examples

Phishing is a real threat to businesses around the world, and the UK may be experiencing more than its fair share of this type of threat. A UK government report says that 32 percent of businesses and 24 percent of charities experienced this type of attack between 2022 and 2023. However, there are sources reporting much higher figures, possibly because not all phishing attacks are reported to the authorities. And while some types of phishing are relatively easy to spot, whale phishing represents a particularly dangerous threat. So, what is whale phishing, and what should you look out for?

Does your job title have a “C” in front of it? Perhaps you’re a CFO, CEO, or COO. Your company is proud to have your expertise. They’ve given you high-level decision-making powers, and everyone knows you’re in charge. But so do scammers and hackers. And they’re geared to catch you out, stealing money or infecting your company’s systems with malware through you. It’s a threat that can’t be overstated. The UK’s National Cyber Security Centre warns that Whale phishing is among the biggest threats to organisations in the UK.

To understand it better, we can begin with a whale phishing definition before diving deeper to see what this type of scam looks like. 

Whale Phishing Definition

Whale phishing targets senior executives, the big guys or “whales.” It’s a social engineering fraud that encourages you to take an action such as issuing an instruction for a payment to be made or even simply clicking a fraudulent link or opening an unsafe attachment. It’s usually initiated through a legitimate-seeming email – something that looks perfectly routine. And, because the people behind that mail have done their research, it can be very difficult to spot. 

Whale Phishing Examples

Providing recent examples of whale phishing is complicated by the fact that many successful whale phishing attacks never hit the headlines. It’s one of the reasons why whale phishing is so effective. Few organisations would be willing to publicly disclose the fact that their senior management were taken in by an email from a scammer or hacker. And, since any money that has been stolen is nearly impossible to recover, it doesn’t serve a company’s best interests to go public with information about attacks. 

However, we do have a whale phishing example to share – this time from a federal department leader in the US whose credentials were stolen in a whaling attack. In this instance, scammers posed as the leader, ordering large consignments of goods to be delivered to an address in Atlanta. 

Adding a new dimension to whaling, AI can imitate people’s voices as well as their writing styles. Scammers can send a whaling email, and then follow it up with a call to confirm its content. With an above board seeming email plus a voice call from someone whose voice they recognise, it’s no surprise that organisational decision-makers can be duped into following a scammers’ prompts. 

In this example, it’s clear what the scammers wanted: large deliveries of valuable equipment that they could hope to resell. But there are many objectives lying behind whaling attacks – and that’s what we’ll explore next. 

What Scammers Want When They Launch a Whale Phishing Attack

While some whale phishing scams strive to get money or goods by targeting top executives, others are looking for high-level access to data – either through direct disclosure or by stealing their credentials using malware. Should they succeed, bad actors can obtain a high level of control over the organisation and its sensitive data. 

In a more direct and overt attack, malware inadvertently installed through a leader’s actions can include ransomware. Operations grind to a halt and the organisation is held to ransom. But some attacks are far more subtle. For example, whaling is a tool used by unscrupulous people who undertake corporate espionage. They might gain access to confidential information that they can use themselves or sell. A keylogger hidden in an innocuous-seeming attachment could show them what the leader is saying – and give access to privileged information.

Finally, whale phishing can serve people with personal vendettas who hope to destroy the victim’s professional reputation and with it, the reputation of the organisation they lead. 

Spear Phishing vs Whale Phishing

Like spear phishing, whale phishing relies on emails that are crafted to seem routine but that contain malware, aim to steal credentials and data, or gain approval for false payment demands or orders. However, whale phishing specifically targets top executives and is sometimes termed “CEO fraud” as a result.

Both forms of phishing are sophisticated and are carefully designed to seem above board. And both target specific individuals – although spear phishing might include several people within a specific department. But when bad actors are targeting a “whale” the potential for reward is much greater and they are likely to exercise a great deal of diligence to gain a single target’s trust. After all, a “whale” is a “big fish.”

How to Recognise a Whaling Phishing Attack

Unfortunately, whaling phishing attacks are often very sophisticated and can be extremely difficult to spot. However, if scammers are careless or too pushy, they may leave behind some clues. For example, an email domain name might be subtly different to the one used by a legitimate sender. But look closely: “rn” can look a lot like “m” or “nn” might be easy to mistake for “m” too. However, you should never forget that a legitimate email address can be hijacked. In this instance, you won’t notice anything odd about the sender’s address.

Any request for payment or access to sensitive data should be viewed with suspicion – especially if the sender attempts to instil a sense of urgency or a threat of loss should you fail to act fast. 

However, despite your vigilance, whale phishing attacks are well-researched and designed to appear believable – and that’s why so many of them succeed. 

Defending Against Whaling Attacks

Despite it being difficult to spot a whaling attack, employee training can be a big help. Apart from standing a better chance of identifying an attack, employees can learn how to work more securely so that bad actors are unable to obtain the type of information that makes whale phishing look so authentic.

You can also add a layer of security to your data – an asset some whale phishing scams specifically aim to steal. Multi-factor authentication can prevent hackers who have already stolen credentials from accessing the data they’re targeting – and the failed logins can signal that you’re under attack. 

Limiting the chance of receiving whale phishing emails is a good call, and strong email filtering can quarantine messages, spotting their suspicious nature through analysis of content, domain checking, and other authentication protocols. It can also evaluate links and attachments for suspicious content and implement anti-impersonation measures. 

Finally, your work systems can go a long way toward blocking whaling attacks. For instance, you can institute a set of procedures to verify whether a call to undertake a transaction or share data is genuine. 

Advantex’s “Protect” programme is designed to give you the protection you need against the type of attacks that are happening right now. And, it keeps developing to safeguard you against up-and-coming threats that use new methods. But it doesn’t end there. Allow us to evaluate your systems for vulnerabilities, educating you and your employees so that you can close those loopholes and protect your organisation. We offer a free 14-day trial. Contact us today and put us to the test. 

Read about other types of Phishing: Spear Phishing, Clone Phishing, Vishing, Smishing.

Read more about Cyber Security

Address

Advantex Network Solutions Limited
16B Follingsby Close
Gateshead
Tyne and Wear
NE10 8YG

Phone

0345 222 0 666