Try for Free
Demo Centre

Emma Woods

What Is A Whaling Phishing Attack?

Unlike your traditional spray-and-pray phishing attack, a 'whaling' scam gives a cyber criminal a much higher success rate - and here's why.

Whale tail coming out the sea

We're all (hopefully) getting a lot smarter when it comes to responding to emails these days. With constant reminders on new types of scams, it seems as though falling for a templated phishing attack is a thing of the past.

The sad truth is, hackers are always one step ahead of the game. Now, more and more businesses are being introduced to a more targeted type of phish - the whaling attack.


White phone, white keyboard, grey mousepad and black pen


Whaling hugely differs from your traditional of phishing attacks. Here, cyber criminals will do their research on potential victims that they wish to impersonate or attack, often using social media or company websites to bolster their chamber of ammunition.

They'll even go as far as copying their victim's email signatures and style of writing, leaving no stone unturned. Pretty concerning, right? Don't worry, in this blog we'll discuss what you can do to protect you and your business from these types of ultra targeted attacks. 

" Phishing is not limited to email and website pop-ups. Links in online ads, status updates, tweets and Facebook posts can lead you to criminal portals designed to steal your financial information."   


What Actually is a Whaling Attack?

Whaling specifically targets senior management, such as CEOs and CFOs. This preference of targeting the bigger fish of an organisation is exactly where the term 'whaling' comes from.

"Whales" are carefully chosen because of their authority and access within the company, with the more access you have to valuable data, the more chance you have of becoming a target.

Cyber criminals will use fraudulent emails that appear to be from trusted sources to try and trick you into imparting sensitive data via email or a fake website that appears to be legitimate. They will usually try to get at sensitive information such as your bank details. Be very wary of the emails that appear in your inbox, as attackers are known to use actual corporate logos, phone numbers and other details to make their emails appear trustworthy. Knowing how to spot phishing emails is very difficult unless you know what to look out for.

What does a whaling attack look like?

Now we've discussed what a whaling attack is it's time to show you what one looks like in the wild. Whaling attacks can be quite difficult to spot because of how personalised they are, but usually follow a general trend.

From the example of a whaling email below here is what you need to look out for:

  • Is the domain name correct

  • Is the email out of the blue

  • Is there a sense of urgency

  • Are you being asked to give away financial or sensitive information

  • Have only your received the email


Screenshot of a whaling email

It's not just your employees that need security awareness training

CEOs and directors are very busy people, but that is no excuse for them to sit out of security awareness training - everyone in your business is a target. Executives and department heads hold the most valuable data to a company, so they will be a cyber criminal's most prized target.

Taking part in security awareness training improves the awareness around the many forms of cyber attacks that could potentially destroy your business. You can also locate your knowledge gaps with every individual, this allows you to see which employees need more training on specific topics. Choosing a good security awareness training platform is key. 

Phish your employees

It's not only the less technical or lower level employees that are falling for phishing scams, these attacks are reaching their way up the ladder - right through to the C-suite.

Security awareness training not only increases the awareness around phishing but exposes your employees biggest weaknesses, after finding out your employees weaknesses the training will be tailored to each employee and their weaknesses to improve their knowledge on any topics they struggle with. As well as phishing your employees you can also monitor their progress and Jupiter review which employees opened, clicked and ignored the simulated phishing email.

What next?

Whaling phishing is just one of the many forms of a cyber attack criminals are using. In today's digital workplace, it is key to make sure you and your employees understand what types of cyber attack are out there and how to spot them.

Implementing the right security is a must - something as simple as backing up devices and updating software is something so simple yet so effective. Another tool that is worth looking at is 2-factor-authentication. It's very simple to set up and could potentially save your data from being accessed or stolen. Dictionary analysis is another wonderful form of security, it monitors for certain words within emails, for example, the words associated with whaling like "pay the invoice" and "tax details" - and will then alert you if these keywords are spotted. 

Read more: Your Complete Guide to Phishing

Phishing Awareness Kit

Read next