Whale phishing is a type of phishing attack that focuses on high-profile employee targets, such as the CEO or CFO. Since individuals in the C-suite are significant to the company leadership, they are called “whales”. So, phishing attacks on these folks get called “whale phishing”
As a security professional, you have the mandate of keeping your colleagues’ and executives’ inbox safe from these kinds of attacks. Achieving this goal means knowing how attackers work and how to prevent a whale phishing attack at your company. Here are the stats and facts you need to get started.


How does whale phishing work?

While fraudulent emails might make you think of the Nigerian prince scams of decades past, whale phishing emails are much more sophisticated and targeted. Whale phishing requires extensive research on the victim because the attacker needs to know who the intended victim communicates with and the kind of discussions they have. For example, the attacker might look into public records for references to customer complaints, legal subpoenas, or even a problem in the executive suite. The attacker might also gather details on the target by reviewing the victim’s social media accounts.
The goal of this stalking is to figure out how to better trick the executive in order to steal data, employee information or money. For example, a whale phishing email to the CTO might reference an existing patent dispute and request sensitive information on product development. The goal: capture sensitive information or credentials that could be lucrative if sold on black markets.
With this level of sophistication in an email, the executive can be fooled into believing that it comes from a trusted source that the executive expects to communicate with. Below is an example that came from the Department of Homeland Security

If a whale phishing attack is successful, the executive takes an unwanted action. By clicking on a link, the victim will be sent to a website that looks like an official one the victim often interacts with and provide their credentials. By opening an attached file, the attacker can then install malware that enables further tracking of the victim’s inbox. Alternatively, the attacker might successfully get the executive to respond to a request for a wire transfer.

Why is whale phishing successful

Whale phishing attacks are successful because they are well-planned attacks. The attackers know their victims’ behavior, their patterns as well as business headlines relevant to the victim. This makes it hard to tell the difference between a whale phishing email and a real email.
For example, in 2015 a finance executive at toy company Mattel wired $3 million to a bank in China. The wire transfer required two signatures. One had seemingly already been provided by the company’s new CEO. The finance executive provided the second signature. Later in the day when the finance executive mentioned the transfer to the new CEO, the CEO said he had never authorized the payment.
The attack was initially successful because the attacker had done a lot of research on Mattel and realized the tumult the company was undergoing. The attackers had researched the company’s org chart, how Mattel required signatures for payments, and social media to learn the names of key individuals (as well as compromise corporate email) in order to make the request look as legitimate as possible.
The attackers also knew the company was had just brought in a new CEO and was looking to expand aggressively into China. So, a request for a wire transfer to the Bank of Wenzhou seemed logical. Unfortunately, the request was fraudulent. However, Mattel was able to eventually get their money back.
These types of methodical, well researched attacks cannot be stopped by traditional anti-phishing solutions such as email-filters, DMARC or awareness education. Attackers are very clever and routinely outsmart these tools. As has been pointed by many experts:

Despite all the awareness campaigns, people still fall for phishing attacks, especially if they impersonate someone they know.


BEC vs Whale phishing

Business email compromise (BEC) is similar to a whale phishing attack in that both target executives. However, BEC attacks look to impersonate the executive. Whale phishing, on the other hand, focuses on tricking the executive.
Both BEC and whale phishing require researching their victims in order to be successful. Typically, in BEC attacks, the criminal compromises the email account of the executive. The attacker monitors the executive’s email in order to learn about company’s protocols as well as other relevant information such as disputes or legal issues.
The attacker might then capitalize on information gleaned from this intel by sending a fake email to a regular recipient and request a money transfer. The email appears important and urgent but the money ultimately lands in an attacker’s bank account.

Phishing vs Whale phishing

The difference between phishing and whale phishing is that whale phishing targets individuals in the C-suite of the organization. The attacker may pretend to be a customer of the organization or the C-suite exec. Phishing however will go after individuals who play a less significant role in the organization.
Additionally, whaling attacks will reference the executive by name and use their title and position in the message. Regular phishing emails will typically address the recipient in a generic method such as ‘Dear Customer:’
Phishing emails are often easily spotted. The challenge of whale phishing is that the emails are tactical and focused on the executive.

How to defend against whaling attacks

Given that attacks are meant to trick the C-suite, the enterprise needs a way to confirm the identity of individuals sending the email. One effective way for the C-suite to avoid these attacks is to ensure they use a secure messaging platform for communicating sensitive data. An email platform built on end-to-end encryption provides just that.
By using an email platform built on end-to-end encryption, users ensure that their identity is confirmed by a private key stored on their device. This private key cannot be spoofed or stolen. As a result, individuals are who they say they are. A third-party attacker cannot take on the identity of the company’s lawyer or trusted partner over email because these attackers do not have the private key of the lawyer or partner on their device.
This level of protection is critical for companies to remain competitive and protect their intellectual property.


Whale phishing is an ongoing battle for security teams. Knowing what these emails are and how they differ from other types of social engineering is the first part of the battle. Protecting the inbox is the next step. Contact PreVeil to get started today.