Whaling, or when hackers target the big fish

Cybersecurity risks can be found at every level of a company. Whaling is a type of attack that specifically targets key members of the organization. That's precisely what makes this technique so dangerous.
What does it actually involve? How can you protect yourself? Find out how to protect your company's big fish with our comprehensive guide to whaling.
What is whaling?
Definition of whaling
Whaling is a form of social engineering cyberattack that falls into the category of phishing. The specificity of this type of threat is that it is aimed at a clearly identified group of individuals: whales.
The term "whale" designates a decision-maker, a member of corporate management, or any individual with responsibilities within an organization.
These targets are more vulnerable than you might think. First of all, they are not used to this type of threat, unlike employees at a lower corporate level who face it on a daily basis.
The other point of vulnerability concerns the nature of the message, which is much more personalized than with classic phishing.
Finally, the information and data recovered by the hacker will be more sensitive, as the victim has access to more restricted resources than other members of the company.
Warning signs of a whaling attack
To help you recognize a whaling attack, here are its main characteristics:
- An e-mail that appears to come from a senior executive.
- A message whose content expresses urgency.
- A request that is outside the company's processes.
- An inability to contact the sender (meeting, unavailability, etc.).
- Request for transfer to an unknown account.
Whaling, phishing, spear phishing: what are the differences?
Phishing is a fraudulent technique designed to deceive a member of an organization by pretending to be a trusted third party. The aim is to obtain valuable data (access accounts, passwords, etc.) and/or banking information.
Classic phishing is carried out via general messages that imitate documents from banking institutions, the state or a delivery service. They are generally sent en masse to multiple recipients.
Spear phishing is a more targeted category of phishing. It involves usurping the identity of a contact (colleague, business partner) to retrieve personal information about a specific individual. The message is generally personalized and therefore more difficult to detect.
Whaling is another sub-category similar to phishing, but targeting the "big fish" in the corporate world. It requires much greater preparation on the part of the hacker.
How does whaling work? 4 steps
Identifying and gathering information
The first step in a whaling attack is to gather information about the target. To do this, the attacker first concentrates on public sources such as the company's website, which usually features the complete organizational chart. He also relies on confidential reports available online (but with unrestricted access) and databases available on the dark net.
Creating a strategy
After synthesizing all the information gathered, he draws up an attack strategy.
☝️ Let's take an example.
By consulting the target company's website, the cybercriminal identifies that the CEO is very active on LinkedIn. He shares his conferences, international speeches, partnerships and so on. At the same time, the cybercriminal exploits an activity report where he discovers the name of the company's CFO, who manages transfers for international contracts.
While the CEO is traveling in Germany, the cybercriminal sends an urgent message to the CFO, imitating his style and incorporating real, verifiable elements.
The message requests a payment to a different account, under the pretext of an emergency during the trip.
It's a simple strategy that could prove highly profitable for the hacker.
Crafting the message
The central point in a whaling strategy is the creation of the message, i.e. the e-mail address, the subject, the tone and the linked document. Here's how each part must be meticulously created:
- Spoofing the e-mail address: the hacker slightly modifies the CEO's real e-mail address so that the modification is as unobtrusive as possible (adding a hyphen, a ".", etc.).
- Choice of subject: the subject of the e-mail must be credible, simple and direct. For example, "Invoice awaiting payment". It can also include a sense of urgency ("Invoice awaiting payment - Urgent").
- A professional tone: the hacker should adopt a level of language that matches that of the CEO in his usual messages. He can incorporate real, concrete elements, as well as jargon typical of this type of exchange between collaborators.
- An urgent request: the urgency doesn't have to be explicit to avoid arousing suspicion. However, it must be sufficient to ensure that the request is carried out within a relatively short timeframe (a few days).
- Falsified invoice: in the case of a transfer of funds, the message must include an invoice that exactly reproduces the format of previous invoices (logo, references, etc.). Only the bank details are modified.
Manipulation (why does it work?)
Whaling attacks, and phishing attacks in general, work because of the human factor. The attacker plays on trust by using an appropriate tone and vocabulary. The request may be unusual, but it's consistent. The fact that it usually comes from a superior adds a dimension of stress that increases the victim's confusion and lowers his or her guard.
A few days after the first e-mail, if no response has been received, the cybercriminal sends a polite and professional reminder asking, for example, whether the invoice has been received.
Psychologically, this is a decisive factor, as this second message makes the exchange part of a normal, routine process: a simple task for the victim to carry out. This is precisely what makes whaling so dangerous.
Examples of whaling attacks
To protect yourself against a threat, you first need to be aware of it. Whaling can absolutely affect any business, any organization that doesn't take sufficient precautions to guard against it.
💡Not convinced? Here are several examples of successful companies, leaders in their sectors, that have suffered whaling attacks and lost millions of euros:
- FACC, an Austrian manufacturer of aerospace parts, was targeted in 2016. The company's finance department sent $47 million to cybercriminals.
- That same year, a member of Snapchat's payroll team sent the banking information of the company's employees to a hacker posing as CEO Evan Spiegel.
- Between 2013 and 2015, Facebook sent over $100 million to a hacker posing as one of their former suppliers.
Why is whaling on the rise?
Phishing is the most common type of online attack. There has been a 131% increase in whaling cases in recent years, which is linked to several factors.
The main reason for this increase is the growing digitalization of the professional world and the rise of teleworking. In this context, where teams no longer communicate directly in the workplace, but only by e-mail, the risks are multiplied. To save time, security protocols are ignored, which tends to reduce vigilance in proven cases of identity theft.
Another factor in the spread of phishing and whaling is the introduction of AI tools into the manipulation strategy. Searching for information, analyzing documents, reproducing a writing style... AI enables hackers to optimize their processes. Some AIs are even capable of generating ultra-realistic videos, with cloned faces and voices. All hackers have to do is simulate a video call from a superior to request a transfer of funds or validate a sensitive operation.
The final element that explains the "success" of whaling is, of course, its earnings potential. Where mass phishing can earn just a few hundred euros per victim, whaling can earn millions in a single operation.
How to protect yourself against whaling: our 5 cybersecurity tips
Train all managers and employees
The first line of defence against cyberthreats is human. Vigilance can prevent many risks, especially when it comes to social engineering attacks. All employees must be made aware of classic phishing and spear phishing techniques. However, managers and executives in particular need to be trained in the risks of whaling. It is essential to involve them with concrete whaling cases and the organization of attack simulations. By being directly confronted with a threat, they will become truly aware of the risks to which they are exposing themselves.
Controlling your digital footprint and protecting your data
To establish an effective whaling strategy, hackers need information and documents to exploit. To make their task more complex, control the data you publish on social networks and on the company website.
In addition, make your executives aware of the dangers of sharing too much professional and personal information on their networks.
To do this, put in place a clear data disclosure policy so that everyone in your organization knows what they can and cannot share.
With this approach, whaling emails will be much easier to recognize, as they will no longer contain valid information.
Establish strict verification protocols
A whaling attack always takes place outside the company's usual procedures.
That's why it's essential to establish strict protocols (especially for financial requests) and to respect them without exception.
For sensitive communications, setting up a password or secret code also adds an extra layer of security.
Never agree to change your processes on the basis of a simple e-mail or telephone message. This type of request must be official and validated, in person, by a line manager.
Strengthen your company's technical security
Digital technology is now everywhere, and cyber risks are multiplying. Companies that use the cloud and a complex ecosystem of applications can no longer do without high-performance cybersecurity.
Whether it's to combat malware, ransomware or phishing, your company needs a complete arsenal of protection tools.
In concrete terms, to guard against whaling, the essential security features are:
- A multi-factor authentication system for critical applications.
- An advanced email filtering solution to detect spoofing attempts.
- A tool to block risky domain names in real time.
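Several of the signs described under "Crafting the message" (a sender address that differs from the executive's real one by a hyphen, a dot or a single character, an urgent subject, a request to pay a different account) are exactly what the email filtering mentioned above checks for. The following script is an added example of such a check, not code from any product discussed here; the corporate domain, the executive directory and the two sample messages are constructed for the illustration.

```python
import re
from email.utils import parseaddr

# Constructed values for this example: the company's real domain and its executives' real addresses.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # lower-cased display name -> real address
URGENCY = re.compile(r"\b(urgent|immediately|asap|today)\b", re.I)
TRANSFER = re.compile(r"\b(wire|transfer|bank details|iban|new account)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, to catch one-character lookalikes such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(domain):
    """True if the domain imitates the corporate one by an added hyphen/dot or a small edit."""
    if domain == CORPORATE_DOMAIN:
        return False
    strip = lambda d: d.replace("-", "").replace(".", "")
    return strip(domain) == strip(CORPORATE_DOMAIN) or edit_distance(domain, CORPORATE_DOMAIN) <= 2

def whaling_indicators(headers, body):
    """Return the whaling warning signs found in one message (empty list = nothing suspicious)."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        flags.append("executive display name with a non-matching address")
    if lookalike_domain(domain):
        flags.append("sender domain imitates the corporate domain")
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        flags.append("Reply-To points to another domain")
    if URGENCY.search(headers.get("Subject", "")):
        flags.append("urgency in the subject line")
    if TRANSFER.search(body):
        flags.append("payment or bank-detail change requested")
    return flags

# Constructed sample messages, modelled on the CEO-to-CFO scenario described in the article.
SUSPECT = {"From": "Jane Doe <jane.doe@examp1e-corp.com>", "Subject": "Invoice awaiting payment - Urgent"}
SUSPECT_BODY = "Please wire the attached invoice to the new account today, I am travelling and unreachable."
LEGIT = {"From": "Jane Doe <jane.doe@example-corp.com>", "Subject": "Board pack for Thursday"}

if __name__ == "__main__":
    print(whaling_indicators(SUSPECT, SUSPECT_BODY))  # four flags
    print(whaling_indicators(LEGIT, "Slides attached, no action needed."))  # []
```

A hit on the sender-address checks alone is enough to route the message for manual verification; the urgency and transfer checks only raise the priority.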
Apply a "least privilege" policy
This type of policy is difficult to implement within a company. However, it's the best way to prevent the spread of information that could end up on the dark web. Here's an outline of how to implement this "least privilege" strategy:
- Limit access to sensitive resources to those who really need them.
- Segment information systems to limit propagation in the event of compromise.
- Regularly review access rights for high-privilege accounts.
7 tools to help you with your anti-whaling strategy
Altospam
Altospam has developed Mailsafe, a software program that protects your corporate mailboxes against phishing, and whaling in particular. It combines effective heuristic and behavioral analysis to detect e-mails with suspicious content. It incorporates AI functionality for even more impressive detection performance (- 0.01% false positives). Altospam offers optimum integration with leading email tools such as Gmail and Outlook.
Barracuda Email Protection
Barracuda Network offers a complete IT security solution. One of its modules is specially designed to address the risks of phishing and whaling: Barracuda Email Protection. The software is based on 3 features:
- A complete detection mode (heuristic and behavioral).
- Protection against identity theft.
- A domain name validation system.
To take security to the next level, Barracuda offers "Impersonation Protection", an AI-based analysis model.
Anti-phishing Check Point
Check Point's "Harmony Email & Office" technology protects your business from the most sophisticated phishing attacks. The software blocks identity theft attempts before they reach your staff.
Check Point offers comprehensive protection for all your vulnerabilities: email, mobile devices, workstations.
Every message is analyzed in depth using robust, high-performance AI technology that examines over 300 phishing threat indicators.
Protect (Mailinblack)
Mailinblack's Protect is an anti-phishing solution that filters out fraudulent e-mails with great efficiency. Its detection features are powered by deep learning technology trained on billions of emails a year. Your teams are protected from phishing, spear phishing, whaling, ransomware and spam.
Protect offers:
- Real-time detection with behavioral and contextual email analysis.
- Intelligent filtering using artificial intelligence.
- Comprehensive analysis of attachments and links.
Mailinblack also offers a more advanced version of its software, Protect Advanced.
Phished
Phished, as its name suggests, is an expert in phishing and whaling. What's special about this platform is that it prioritizes training over technology to protect your computer system. Its slogan is: "Build your own human firewall".
The results of this approach speak for themselves. Currently, over 3,500 companies have implemented its defense strategies and have seen a significant drop in the rate of successful phishing attacks.
GravityZone Small Business Security (Bitdefender)
GravityZone Small Business Security is a cybersecurity solution specially designed to meet the needs of small and medium-sized businesses. Thanks to its easy-to-use interface, it does not require the intervention of an IT team. The software offers comprehensive protection against all cyber threats, with a focus on phishing. For this type of attack, GravityZone Small Business Security blocks access to phishing sites and displays clear warnings to users.
Cofense
Cofense is a protection solution that uses examples to educate and train employees. Its flagship platform, Cofense PhishMe, offers realistic, personalized simulations of phishing attacks. The company also offers a platform for reporting phishing and whaling attempts, to anticipate future phishing techniques.
Whaling in brief
Whaling is a threat not to be taken lightly. It is generally believed that senior management teams are less exposed to IT risks, as they are more vigilant for reasons of responsibility. But this is precisely what makes them so vulnerable to well-prepared whaling attacks.
A fraudulent email, followed by a reminder, then a phone call (or a deepfake videoconference) can fool absolutely anyone. There are only three ways to protect yourself: training, vigilance and technical protection. Don't take the risk of exposing yourself, and strengthen your human and technological security arsenal as quickly as possible.
Article translated from French