What is Whale Phishing

Whaling or whale phishing attacks are a type of social engineering attack directed against specific wealthy individuals. The term whale phishing implies victims belong to strategic positions, usually economically.

This is the main difference between whaling or whale phishing attacks and other types of phishing attacks, usually launched massively.

Whale phishing or whaling is a type of digital fraud through social engineering which encourages victims to take a specific action, such as delivering funds to an attacker’s account. Whale phishing attacks are growing popular among scammers.

Characteristics of Whale Phishing

  • The attack contains custom content specifically designed for the victim. It may also include accurate information on the victim or the organization he belongs to.
  • Comprehensive knowledge of the industry, business or procedures, employee names, etc.
  • The victim has a high profile or is wealthy. This is the difference between whaling or whale phishing and spear phishing.
  • The content has a sense of urgency.

Those aspects make whale phishing attacks more sophisticated than conventional phishing attacks, massive and brutal. However, the attack success doesn’t depend on IT or hacking knowledge. Although technological knowledge may be a key to collect information, the attack is based on social engineering: The ability to collect valuable information to produce credible content encouraging the victim to trust. The key to the attack is the previous intelligence.

The term whale phishing refers to the magnitude of the attack and to the expression big fish to describe certain influential individuals.

Whale Phishing Victim Profile

The main victims’ profiles include financial institutions and monetary service firms. Technological companies are also targeted by this kind of attack, including Google and Facebook.

Victims are convinced to take a specific action such as:

  • Transferring funds or forwarding a forged message.
  • Downloading or sharing a malicious code.
  • Sharing valuable information for a future attack.

A notable example of this type of attack happened to Snapchat. An executive got an email from the new CEO requesting information on his department. After a while, the same executive was instructed by the CEO to transfer funds in the amount of US$3,000.000. The CEO was impersonated, and the instruction wasn’t genuine.

Another example includes giants like Google and Facebook, victims of a phishing attack directed against tech companies for US$100,000,000.

The attacker pretended to be a Quanta Computer Inc. executive. In this fraud, the attacker opened a bank account in the same institution Quanta Computer Inc. used for transactions with the victims.

In some cases, victims are unlikely to inform authorities because of the damage to the organization’s reputation.

In 2018, Forbes reported this modality caused over $12 billion in losses. Today, digital attacks are more frequent.

Authorities like the FBI warned about this threat and announced the development of digital defense against phishing attacks, including whale and spear phishing directed against specific individuals.

How Whale Phishing Attacks are Executed

Previous to the interaction with the victim, the attack starts with intelligence tasks to gather information on the victim or the organization the victim belongs to.

The attacker aims to learn the necessary information on the victim, employee names, financial data, or information on the targeted company procedures and management.

Whale phishing or whaling fraud usually is made via mail, phone, or even social networks. Among social networks, it is essential to highlight professional networks like LinkedIn, through which it is pretty easy to interact with high organization profiles.

Usually, the attacker pretends to be someone by stealing an identity. In case of email attacks, the most common practice is to use a similar email address to the one whom the attacker impersonates, for example, by using a domain .co instead of a .com. Victims can easily detect those attacks if they are aware of the techniques used.

How to Get Protected from Whale Phishing or Whaling Attacks

Companies and organizations can take measures to prevent vulnerability before whale phishing attacks such as:

  • To keep a correct permissions structure. This may prevent successful attacks from spreading within the organization.
  • To educate employees or organization members about phishing attack types.
  • Provide additional security for mailing and devices. Software code and network traffic quality must be supervised.

It is important to highlight the main targeted vulnerability in this type of attack is the human factor and not the devices. Thus, the best defense is to train organization members to identify this threat. Preventive training is an economical procedure that the organization’s IT department can implement. Optionally, almost all IT security service providers have developed software and training programs against phishing.

Proper permissions structure is also another way to deal with human vulnerability. A well-designed permissions structure will prevent the damage from spreading to the rest of the organization.

Implementing management protocols preventing company executives from making arbitrary or unsupervised decisions on organization resources is also a key. There is available software in the market that incorporates security policies and artificial intelligence to prevent improper behavior. Some countries even acquired this technology to fight corruption.

Conventional security measures must not be ignored, not only at the permissions level. Code, heuristic, and network traffic analysis must always be present. A whale phishing attack may start to escalate to a more extensive digital attack.


While this type of attack represents a high-risk translated into billion dollars, prevention is easy and cheap to apply.

Employees’ education, a well-designed permissions structure, and security protocols are easy to implement and report invaluable benefits for the organization’s security.

Whaling attacks’ sophistication results from security innovations, such as a two-step-verification, preventing conventional phishing attacks. Some organizations also implement identification systems to verify communication and procedures’ legitimacy.

On the individual level, users must always enable the two-step verification and verify senders’ or callers’ legitimacy, especially if they are asked to do a specific action.

All security measures to prevent whale phishing attacks increase security before other threat types. This kind of attack is often confused with spear phishing, directed at specific individuals but with lower profiles. In both cases, the attack escalation potential may be prevented.

I hope this article about whale phishing was useful.

Keep following Linux Hint for more Linux tips and tutorials.

About the author

Ivan Vanney

Ivan Vanney has over 2 years as writer for LinuxHint, he is co-founder of the freelance services marketplace where he works as a sysadmin.