What is a Whaling Attack? Whaling Protection Tips

  • By Alison OLeary
  • Published: Apr 22, 2022
  • Last Updated: Nov 23, 2023

Whaling Attack

A whaling cyber-attack is a phishing attack designed to steal data and access a company's computer system. The FBI reports that these types of targeted attacks cost businesses almost $2.5 billion in a recent year after more than 320,000 attempted attacks. Companies lost an average of nearly $100,000.

Whaling is among at least ten ways social engineering can be used for nefarious purposes. Social engineering attacks are designed to persuade individuals within a company to provide access to sensitive data. These approaches work because:

  • The appeal includes a sense of urgency that encourages a person or employee of a company to act. If this happens before they consider all of the implications of giving access to a database or other infrastructure, a breach is likely.
  • These approaches purposely evoke emotions like a desire to get promoted or noticed by one's supervisor, greed, or fear. 
  • The scammers seeking access through social engineering attacks may pose as a leader of a partner company. Such a request for immediate access to a database is potentially intimidating to employees likely to divulge information like passwords.

What is a Whaling Attack?

What type of phishing attack is whaling? In general, phishing attacks are broad, attempting to trap anyone who opens the email. Still, whaling attacks are specific and aim at one high-profile individual within a target company. If successful, a whaling attack can result in a significant payday.

Phishing attacks seek information that will lead to financial gain for the scammer. They usually involve sending urgent-sounding emails requesting immediate help with an emergency. Employees who receive the emails may not stop to consider whether the request is a scam. 

There are many ways that scammers disguise a phishing attack, including:

  • By using spoofed email addresses, they may appear to be a supervisor or principal of the company.
  • Elaborate attacks may spoof the company's website. By asking employees to click on a link to test a new informational page, they may capture log-in information that provides access to sensitive data and accounts.
  • Spoofing a partner company's email, logo, or website, the scammer may request shared data or account information to be transferred.
  • They may sound more believable by incorporating information posted on personal social media accounts, like the names of friends and coworkers.
  • Researching information about the company and the individual, scammers may replicate the tone and content of important emails to evade suspicion.

Whaling attacks are specifically aimed at a particular high-level individual within a company. Successful whaling attacks are carefully crafted to take advantage of a person's position. The most successful whaling attempts capitalize on a specific day and time of day when work is hectic.

Scammers hope that their messages arrive at peak times when individuals take little time to examine them for authenticity. Examples of whaling attacks include:

  • An immediate, urgent request to transfer funds to pay an overlooked invoice that's due immediately.
  • An email asking for access to sensitive information because another employee has called out sick.
  • A request for review that includes a link. If the executive clicks on the link rather than verifying the email's origins, malware may be launched on the company's network, potentially allowing hackers to steal funds or data.
  • A request using a spoofed email that appears to belong to a colleague. This may seek quick access to an account of proprietary data or funding for an ongoing project.

How Does it Work

One of the most important elements of a successful whaling attack is timing. If an executive can be reached during a busy period and the email appears to be authentic, it's more likely to be acted upon than scrutinized.

The appearance of any phishing email is critical: if the language is not fluent, the appearance unprofessional, and the message anything but direct and urgent, it's unlikely to work.

what is whaling attack

Successful whaling and phishing emails must enact their scheme in one quick click. This action enables capturing log-in credentials, launching malware, or having the ability to accept and quickly hide a deposit of funds or information.

Examples of Whaling Attacks

Top-level executives have been caught in whaling schemes around the world. One Australian hedge fund collapsed after an executive was successfully targeted by a whaling scheme. The tripwire was a Zoom link that allowed scammers to pull about $800,000 from the firm's accounts, but they had aimed for $8.7 million. The damage was more than financial, as the company lost customers after news of the breach became public, so it closed.

American toy maker Mattel was targeted during a period when it was expanding into the Chinese market, and a new executive was settling into his role. Another top-level principal responded to an email request for a $3 million payment to a bank in China and released the funds. When the executive mentioned the transaction to the new executive, an investigation started. Fortunately, the following day was a bank holiday in China, so local authorities froze the account and recovered the money.

Ways to Protect Yourself

Company IT staff should take the lead in preventing all types of phishing attacks. The best approach to avoiding phishing attacks is multi-dimensional, including:

  • Add anti-phishing software to company servers. This detects phishing emails by examining email addresses for spoofs and flagging suspicious phrases like requests. Any suspected emails can be handled individually or flagged as potentially dangerous before being routed to an individual.
  • Educating employees and company principals will blunt the possibility of a phishing attack. If staff are aware of the potential and reminded of recent attacks at other companies, they will be alert to the possibility and will scrutinize incoming requests.
  • Set up a verification process that requires all employees to confirm a request for funds or sensitive data before responding to a suspicious email or text message.

Corporations are on high alert for email schemes, whether traditional phishing or whaling attacks. Still, many make it through the phalanx of email filters, company policies, and common sense. The FBI notes that these people-centered attacks are successful because employees are the weakest link in the system. Repeated training and enforcement of two-party authentication of such requests is the best way to prevent victimization.

About the Author
IDStrong Logo

Related Articles

How To Make Your IG Account Private

There are occasions when it makes more sense to have a private Instagram (IG) account. You might w ... Read More

Windows 10 Privacy Settings You Should Change Now

Privacy is a buzzword we hear a lot these days in the wake of data breaches, Wikileaks, and other ... Read More

How to Delete Your Facebook Account

It might seem absurd to some people who live on Facebook, deleting your Facebook account. But, man ... Read More

How to Change Network From Public to Private On Windows

Privacy has become a major concern for many of us after reading about all the data breaches, hacki ... Read More

Twitter Security and Privacy Settings Made Simple

With data breaches and ransomware intrusions in the news daily, privacy is the word on everyone&rs ... Read More

Latest Articles

Financial Business and Consumer Solutions Data Breach

Financial Business and Consumer Solutions Data Breach

Financial Business and Consumer Solutions (FBCS) was founded in 1982 as Federal Bond Collection Services and currently has over 100 employees.

Wattpad Data Breach

Wattpad Data Breach

Reportedly, in the top 160 most visited websites in the world, Wattpad prides itself as the world's most loved storytelling platform.

Teleperformance Breach

Teleperformance Breach

Teleperformance began its operations in 1910 in Paris, France, as a customer service management company. The company founded its United States division in 1993, which is situated in Salt Lake City, Utah.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Free Identity Exposure Scan
Instantly and Securely Check if Your Personal Information is Exposed on the Dark Web or Sold by Data Brokers
Please enter first name
Please enter last name
Please select a state
Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address