Whaling Phishing Attacks: A Complete Guide

bs-single-container

Whaling Phishing, aka Whale Phishing, attacks are on the rise. In the 12 months between Q1 2020 and Q1 2021, there was a 131% rise in whaling campaigns. The increased volume and sophistication of these attacks have compelled companies to look closely at their cybersecurity defenses.

This comprehensive guide will take you through the basics of whaling phishing attacks and how you can keep your company safe from them.

What is whaling phishing?

A whaling attack is an advanced form of phishing that is precisely engineered to target the most critical individuals in companies, such as C-suite executives, high-ranking managers, and employees with high-level access. This attack includes instances when actors impersonate senior employees to victimize junior colleagues. When approached by their managers or senior executives, junior staff are less likely to be doubtful or ask questions. Attackers exploit this social vulnerability to their advantage.

Even though whaling sounds like phishing, there are some critical differences between them. Phishing isn’t a targeted campaign. It casts a wider net, often spamming entire mailing lists with the same email. Even if only a fraction of the recipients falls for the scam, it is deemed successful.

On the other hand, whaling is a laser-focused spear-phishing campaign that only intends to target senior employees in an organization. This attack is very specialized and uses in-depth social engineering and impersonation tactics to get the intended results. These attacks can take months of research and careful planning. Hackers use this technique to either gain access to data or steal money.

The consequences of whaling phishing campaigns

The whaling attacks in the 2020-21 financial year cost organizations around $1.8 billion. But it’s not just monetary damage that companies need to look out for:

Financial consequences

Most whaling attacks use social engineering to compel victims to transfer large sums of money to bank accounts.

Reputational consequences

There have also been cases of firms losing out on customers after falling prey to whaling attacks. Such attacks are embarrassing and point to a clear gap in cybersecurity in the company.

Malicious actors can also cause data /breaches with whaling attacks. Once an employee unwittingly downloads malware onto the system, hackers can gain access to sensitive data.

Examples of whaling phishing attacks

Whale phishing attacks can cost companies millions. The FBI reported that since 2013, over $12 billion had been transferred to external agents using successful whaling campaigns in the US, UK, and Europe.

Here are a few real-life attacks that caused massive damage to corporations.

Snapchat

In Fe/bruary 2016, Snapchat was hit by a whaling phishing attack. An attacker impersonating the CEO Evan Spiegel sent an email to an HR employee asking for payroll data of several past and current employees, including stock options and W-2s.

Ubiquiti Networks

Back in 2015, Ubiquiti fell prey to a sophisticated CEO scam. Impersonators convinced the financial department of one of its Hong Kong-based subsidiaries to transfer $46.7 million to unrelated overseas accounts. The company did manage to recover $14.9 million but could not undo the reputational damage.

FBI subpoena scam

In one of the first documented whaling attacks in 2008, the FBI subpoena whaling campaign targeted nearly 20,000 CEOs. Of them, 2,000 fell for the scam and clicked on the malicious link expecting it to download a secure /browser add-on, and instead, it installed a keylogger on their devices that recorded their credentials and passwords.

FACC whaling attack

Another attack that rocked the corporate world in 2016 was the FACC attack. FACC is an Austrian aerospace manufacturer well-known for producing parts for Airbus and Boeing. It was another case of the classic CEO impersonation that led to the transfer of $55.8 million to unmarked overseas accounts. Several employees were later fired, including the CEO and CFO.

Levitas Capital attack

Levitas Capital, an Australian hedge fund, fell to an extensive whaling attack perpetrated via a malicious Zoom link. Even though the company recovered most of the money, it shut shop due to reputational damage.

How to spot a whale phishing attack?

The entire point of a targeted executive whale phishing attack is to be nearly impossible to spot. The right social engineering tactics and personal information skimmed off social media make identifying a whaling attack very hard. By using commonly preferred communication channels and near-perfect impersonation of senior executives, attackers can dupe employees into sharing sensitive information, downloading malware, or transferring money. But this is not to say that the proper training cannot prevent an attack.

Here are six ways to identify whaling phishing emails that can help employees at all levels take preventive action at the right time.

Emails sent from outside the corporate network

Almost all phishing emails originate from beyond the company network. While these emails are disguised to look as genuine as possible, there will still be clear markers that can be picked up to flag it as an external email. Most email protection services have inbuilt mechanisms to mark such emails for further scrutiny. Employees should be taught to flag down any email that has not been sent from a company server.

Emails containing sensitive requests

Emails about sensitive requests such as payroll data and money transfers are commonplace in the upper echelons of management. One thing to remember here is that no sensitive request will ever be forwarded without a full-fledged discussion beforehand. For instance, executives will discuss payment clearance involving millions of dollars properly before taking further steps. Emails that contain such requests that have not been corroborated beforehand are a clear sign of a whaling attack. It’s always advised to cross-check such requests before executing them.

Emails from similar domain names

This is another sign that a phishing attack is underway. Since the attackers send emails outside the organization’s network, they cannot use the actual domain name. They will try to use a similar domain name with small, unnoticeable changes to make it as believable as possible. It’s essential to keep an eye out for such emails, which should immediately be flagged and reported to the security team.

Often, emails with suspicious links lead to trouble. No one should trust emails containing URLs and hyperlinks blindly. The first step is to check whether the link matches the context of the email or not. The next step is to check whether the link URL itself appears suspicious or not. Thirdly, ensure that the URL begins with HTTPS to verify its legitimacy.

Many attackers, when working against low-level employees, will hyperlink the entire email, greatly increasing the chance of an accidental click. If that does happen, employees must immediately take it up with the cybersecurity team.

Emails with unsolicited attachments

Many advanced phishing emails can deliver malicious payloads via word, pdf, or zip files. When dealing with emails that contain uncalled-for attachments and downloads, users should first reconfirm the attachments with the sender. Only after the authenticity of the attachment is established should it be downloaded.

Emails with different writing styles and word use

This point might be harder to notice but is one of the best ways to spot sophisticated whaling phishing emails that can otherwise go unnoticed. People use the same communication channels and writing styles daily, and it’s easy to pinpoint these idiosyncrasies. When looking at a phishing email impersonating a colleague, look for differences in writing style. It can be as simple as using ‘hello’ instead of ‘hi’ or a grammatical error that’s usually never there. If the message sounds different, it’s a good idea to verify the contents of the mail with the sender before taking further steps.

How to prevent whaling phishing attacks?

Even with the most sophisticated cybersecurity measures, global corporations continue to fall prey to whaling attacks. For instance, the Levitas Capital attack in 2020 /brought whaling phishing back into the headlines.

Here’s how you can prevent targeted whaling attacks from crippling your organization:

Follow the latest cybersecurity measures and protocols

Apart from installing robust firewalls and anti-malware software, you should also use DNS authentication services that use DMARC, DKIM, and SPF protocols. Email scanning and filtering technology coupled with anti-impersonation software can also prevent a whaling attack. Backing up all databases securely goes a long way in limiting damage in case an attack occurs.

Awareness and education about whaling attacks

According to the Verizon data /breach investigation report, 30% of whaling emails get opened, and 12% of the people end up clicking on malicious links. All employees, especially those with access to sensitive data, should be taught how to recognize suspicious emails and other communications. They need to be given hands-on training with clear instructions to follow in case of a potential attack. Moreover, they need to be aware of the incident response plan and the chain of command.

Conducting dummy whaling phishing tests

This is an often-overlooked method that can create a sense of urgency and awareness amongst employees. You should conduct fake whaling attacks regularly to keep employees on their toes. Such tests can also help zero in on potential employee targets that represent the weakest links in the chain and require additional sensitivity training.

Healthy social media usage

Even though social media is a personal arena wherein employees can make their own choices, it’s best to teach them best practices to minimize the impact of potential social engineering tactics. Attackers use publicly available information from LinkedIn and other social media profiles to build authentic-looking messages to initiate attacks. You should tell higher-level employees to keep their profiles private and free of any information that can be used against them.

Implementing stringent data protection policies

This forms the last line of defense before an imminent attack. Introducing an organization-wide data privacy culture can keep key information from reaching malicious actors. Larger organizations can benefit greatly from assigning a security officer solely responsible for cyber and data hygiene.


Despite all measures, organizations can find it incredibly hard to keep up with the pace of evolution of whaling phishing attacks. Every year, these attacks don’t just expand in their scope and volume but also become increasingly intelligent and coordinated, making it harder to identify and take them down manually. Corporations require a robust solution that uses advanced AI and automation to detect and take down phishing sites in real-time.

Bolster’s phishing and scam protection solution enables real-time detection and takedown of phishing sites with its fully automated AI engine that can conduct the entire process in mere minutes. Moreover, it integrates all the security data into an intuitive dashboard that gives you complete visibility across all relevant metrics.

To learn more about how Bolster can keep your organization safe from targeted whaling phishing attacks, book a demo today.