Articles & Thought Leadership | 10 min read

What Is a Whaling Attack? How to Spot Executive Phishing


Lauryn Cash
Lauryn Cash

A whaling attack, also known as CEO fraud, is a common type of phishing attack. Learn more about whaling and tips to protect your business.

Is your company prepared for a whaling attack?

Another day, another attempt to steal your data, right? If you’re a C-level executive, you’re probably already aware that the risks of phishing and email spoofing are a reality for every organization. According to their Internet Crime Report, the FBI reported 241,342 phishing complaints in 2020, with adjusted losses of over $54 million.

A whaling attack, also known as CEO fraud attack or executive phishing, is a specific type of phishing attack that’s surprisingly common — and effective.

Today we’ll talk more about whaling attacks, including:

  • What is a whaling attack?
  • Consequences of whaling attacks
  • How to recognize a whaling attack
  • Whaling attacks in the wild
  • How to protect your company from whaling attacks

What Is a Whaling Attack?

Whaling attacks attempt to steal sensitive information from high-profile individuals (like CEOs and CFOs), usually within one company. “Whaling” refers to the attack's size, as its victims or “whales” are picked for their authority and access to valuable data and, ultimately, money.

In a whaling attack, cybercriminals trick users into divulging information like bank account data, PII, or credit card numbers. Hackers send emails that appear to be from a legitimate source — like trusted vendors, human resources personnel, or even other C-suite executives — and include details that seem to affirm this legitimacy.

In reality, the attackers use social engineering tactics to gather information to impersonate these trusted sources. Once they’ve established their identity sufficiently, they may then proceed to request bank account numbers and employee payroll information, or they may even ask to authorize wire transfers to fraudulent bank accounts.

Whaling is usually more difficult to detect than standard phishing attacks, as whaling attacks often do not include weaponized attachments or malicious URLs, evading many email security software tools.

Phishing, Spear Vishing, and Whaling — What’s the Difference?

Even if you’ve read our other articles on phishing and spear phishing attacks, you may need a reminder of how these three types of phishing tactics differ.

  • Phishing: A type of cyberattack that tries to convince a victim into taking action, like revealing sensitive corporate or personal data via deceptive websites and emails.
  • Spear phishing: Phishing that targets specific individuals, like members of a particular department or industry.
  • Whaling: Spear phishing that targets specific high-profile individuals.

Consequences of Whaling Attacks

Successful whaling attacks can result in:

  • Data Loss: In addition to critical data loss, the theft of intellectual property or trade secrets can have long-lasting repercussions.
  • Financial Loss: Divulging sensitive information can lead to catastrophic financial losses, not only from a “successful” whaling attack but from the security remedies required to prevent future data breaches.
  • Reputation Damage: Reporting a whaling attack to the public can be devastating to a company’s reputation and trustworthiness, especially if the theft of customer information is involved.

How to Recognize a Whaling Attack

Like our SPEAR steps to recognize a spear phishing attack, use this handy WHALE acronym to help you identify a whaling attack:

  1. Who sent it?
  2. Have a look at the subject line
  3. Attachment inspection
  4. Look at the content
  5. Elect to confirm the request

1. Who Sent It?

A commonly used tactic in whaling attacks involves spoofing — sending an email from a domain name that looks like a well-known organization or business. Not only are email addresses manipulated to look real to a casual observer, but email graphics are designed to copy those that come from trusted companies.

For example, lowercase letters “r” and “n” next to each other in an email address can look like the letter “m” at first glance (like “arnazon,” “walrnart,” or “bankofarnerica”).

Cybercriminals sometimes also send whaling emails from Gmail or Yahoo accounts. These email domains pass any authentication checks and - if the email branding and content is convincing enough - the victims might not even look at the sender domain before committing to the requested action.

2. Have a Look at the Subject Line

Subject lines in whaling scams attempt to strike fear or urgency to prompt the recipient to act without thinking. Using words like “Urgent” or “Important” are common red flags that capture readers' attention.

In addition, using language like “Request,” “Follow Up,” or “Fwd:” attempts to create familiarity, making the recipient feel that a conversation has already occurred.

3. Attachment Inspection

While attachments aren’t as common in whaling emails as spear phishing emails, they can occur. Malware lurks in .zip files, .exe files, PDFs, Word documents, and Excel spreadsheets.

Also, watch out for forms that request sensitive information, even if they seem trustworthy at first glance. Cybercriminals use free online services like Google Forms and Typeform to collect sensitive data that often evades standard email security filters.

4. Look at the Content

Don’t be fooled! Remember: Scammers can quickly glean personal details like addresses, phone numbers, names of family members, and even pet names from social media accounts and public records.

5. Elect to Confirm the Request

Even if you’ve gone through all of the checks above but something still doesn’t feel right, go with your gut. If in doubt, send a new email to the address you have on file (don’t reply to a suspicious email address!) to confirm whether or not a request is legitimate.

There’s always the old-school way: If you have the sender’s contact number, call (gasp!) or text them to double-check your suspicions.

Whaling Attacks in the Wild

Here are some examples of recent whaling attacks you may have seen in the news.


Grain industry giant Scoular lost $17.2 million when Scoular’s controller received an email from their (phony) CEO to send money to a (bogus) accounting firm. This was a sophisticated hack, leveraging time and effort to employ third-party emails and incorporate live people to impersonate accountants. Ultimately, the business lost $17.2 million when hackers sent the funds to offshore accounts.

Levitas Capital, Australia

The co-founder of an Australian hedge fund followed a phony Zoom link that installed malware on Levitas’ network in November 2020. Hackers attempted to steal $8.7 million via fraudulent invoices. While they only took $800,000, the damage to its reputation resulted in Levitas losing their biggest client, forcing the company’s closure.

Pathé, European Cinema Company

Posing as high-ranking employees, hackers emailed Pathé’s CFO and CEO, requesting a confidential financial transaction. Despite suspicions, the executives transferred approximately $800,000 to the attackers, which was only the beginning of corporate losses from the incident. Pathe ultimately lost $21.5 million in the attack’s aftermath.

How to Protect Your Company From Whaling Attacks

As stated in our article Spear Phishing 101: What It Is and How to Prevent It, there are five basic steps you should take that will also help guard against whaling attacks:

  1. Provide security awareness training to employees
  2. Use MFA (multi-factor authentication) before enabling access to protected resources
  3. Implement strict password policies and change passwords regularly
  4. Maintain regular patch management and backups for best recovery results
  5. Install trusted email security controls to protect your human layer from compromise

Investing in email security software like Armorblox is your best bet in defending against whaling attacks. Armorblox goes beyond manual policies and binary blocklists to protect your human layer. It analyzes thousands of signals learned from every organization’s and user’s communication patterns, automatically remediating threats before they cause harm.

To learn more about how Armorblox stops whaling attacks, take a 5-minute product tour below.

Take 5-min product tour

Experience the Armorblox Difference

Get a Demo