Whaling, or when hackers target the big fish

By Ainhoa Carpio-Talleux

Published: 30 April 2025

Cyber security risks can be found at every level of the company. Whaling is a type of attack that specifically targets key members of the organisation. That's precisely what makes this technique so dangerous.

What does it actually involve? How can you protect yourself? Find out how to protect your company's big fish with our comprehensive guide to whaling.

What is whaling?

Definition of whaling

Whaling is a form of social engineering cyber attack that falls into the category of phishing. What sets this type of threat apart is that it targets a clearly identified group of individuals: the "whales".

The term "whale" refers to a decision-maker, a member of a company's management, or any individual with responsibilities within an organisation.

These targets are more vulnerable than you might think. First of all, they are not used to this type of threat, unlike employees at a lower level of the company who face it on a daily basis.

The other point of vulnerability concerns the nature of the message, which is much more personalised than traditional phishing.

Finally, the information and data recovered by the hacker will be more sensitive, as the victim has access to more restricted information than other members of the company.

Warning signs of a whaling attack

To help you recognise a whaling attack, here are its main characteristics:

  • An email that appears to come from a senior manager.
  • A message with urgent content.
  • A request that is outside the company's processes.
  • An inability to contact the sender (meeting, unavailability, etc.).
  • A request for a transfer to an unknown account.

Whaling, phishing, spear phishing: what are the differences?

Phishing is a fraudulent technique designed to deceive a member of an organisation by pretending to be a trusted third party. The aim is to obtain valuable data (access accounts, passwords, etc.) and/or bank details.

Classic phishing is carried out via general messages that imitate documents from banking institutions, the government or a delivery service. They are generally sent en masse to multiple recipients.

Spear phishing is a more targeted category of phishing. It involves usurping the identity of a contact (colleague, business partner) to obtain the personal information of a particular individual. The message is generally personalised and therefore more difficult to detect.

Whaling is another sub-category of phishing, but one that targets the "big fish" in the company. It requires much more preparation on the part of the hacker.

How does whaling work? 4 stages

Identifying and gathering information

The first stage in a whaling attack is to gather information about the target. To do this, the attacker first focuses on public sources such as the company's website, which generally presents the company's complete organisation chart. The attacker also relies on confidential reports that are available online with unrestricted access, and on databases available on the dark net.

Creating a strategy

Based on the summary of the information gathered, he then draws up an attack strategy.

☝️ Let's take an example to help you understand.

By consulting the target company's website, the cybercriminal identifies that the CEO is very active on LinkedIn, sharing his conferences, international speeches, partnerships and so on. At the same time, the cybercriminal exploits an activity report in which he discovers the name of the company's financial director, who manages transfers for international contracts.

While the CEO is on a trip to Germany, the cybercriminal sends an urgent message to the CFO, imitating his style and incorporating real, verifiable elements.

He asks for a payment to be made into a different account on the pretext of an emergency during his trip.

It's a simple strategy that could prove highly profitable for the hacker.

Crafting the message

The central point in a whaling strategy is the creation of the message, i.e. the e-mail address, the subject, the tone and the linked document. Each part is meticulously crafted:

  • Spoofing the email address: the hacker slightly modifies the CEO's real email address so that the modification is as unobtrusive as possible (adding a hyphen, a ".", etc.).
  • Choice of subject: the subject of the email should be credible, simple and direct. For example, "Invoice awaiting payment". It can also include an idea of urgency ("Invoice awaiting payment - Urgent").
  • A professional tone: the hacker adopts a level of language that corresponds to that of the CEO in his usual messages. The message can include real, concrete elements, as well as the jargon typical of this type of exchange between employees.
  • An urgent request: the urgency is not made explicit, to avoid arousing suspicion. However, it must be sufficient to ensure that the request is carried out within a relatively short timeframe (a few days).
  • Falsified invoice: in the case of a transfer of funds, the message must include an invoice that uses exactly the same format as previous invoices (logo, references, etc.). Only the bank details will be changed.

Manipulation (why does it work?)

Whaling attacks, and phishing attacks in general, work because of the human factor. The attacker plays on trust by using an appropriate tone and vocabulary. Admittedly, the request may be unusual, but it remains consistent. The fact that it generally comes from a superior adds a dimension of stress that increases the victim's confusion and lulls them into complacency.

A few days after the first e-mail, if no response has been received, the cybercriminal will send a polite and professional reminder asking, for example, whether the invoice has been received.

Psychologically, this is a decisive factor, because this second message makes the exchange part of a normal, routine process: a simple task for the victim to carry out. It is precisely this aspect that makes whaling so dangerous.

Examples of whaling attacks

The first step in protecting yourself against a threat is to be aware of it. Whaling can absolutely affect any business, any organisation that doesn't take sufficient precautions to guard against it.

💡 Not convinced? Here are several examples of successful companies, leaders in their sector, that have suffered whaling attacks and lost millions of euros:

  • FACC, an Austrian manufacturer of aerospace parts, was targeted in 2016. The company's finance department sent $47 million to cybercriminals.
  • That same year, a member of Snapchat's payroll team sent the banking information of the company's employees to a hacker posing as CEO Evan Spiegel.
  • Between 2013 and 2015, Facebook sent over $100 million to a hacker who posed as one of their former suppliers.

Why is whaling on the rise?

Phishing is the most common type of online attack. There has been a 131% increase in whaling cases in recent years, which is linked to a number of factors.

The main reason for this increase is the growing digitalisation of the professional world and the rise of teleworking. In this context, where teams no longer communicate directly in the workplace but only by e-mail, the risks are multiplied. To save time, security protocols are ignored, which tends to reduce vigilance even in proven cases of identity theft.

The other factor in the spread of phishing and whaling is the introduction of AI tools into the manipulation strategy. Searching for information, analysing documents, reproducing a writing style... AI enables hackers to optimise their processes. Some AIs are even capable of generating ultra-realistic videos, with cloned faces and voices. All the hackers have to do is simulate a video call from the hierarchical superior to request a transfer of funds or validate a sensitive operation.

The final element that explains the 'success' of whaling is, of course, its profit potential. Whereas mass phishing can only yield a few hundred euros per victim, whaling can earn millions in a single operation.

How to protect yourself against whaling: our 5 cybersecurity tips

Train all managers and employees

The first line of defence against cyberthreats is human. Vigilance is the key to avoiding many risks, especially when it comes to social engineering attacks. All employees should be made aware of classic phishing and spear phishing techniques. However, managers and executives in particular need to be trained in the risks of whaling. It is essential to involve them in concrete cases of whaling and to organise simulated attacks. By being directly confronted with a threat, they will become truly aware of the risks to which they are exposing themselves.

Controlling your digital footprint and protecting your data

To establish an effective whaling strategy, hackers need information and documents to exploit. To make their task more complex, control the data you publish on social networks and on the company website.

In addition, make senior managers aware of the dangers of sharing too much professional and personal information on their networks.

To do this, put in place a clear data disclosure policy so that everyone in your organisation knows what they can and cannot share.

With this approach, whaling emails will be much easier to recognise, as they will no longer contain valid information.

Establish strict verification protocols

A whaling attack is always carried out outside a company's usual procedures.

This is why it is essential to establish strict protocols (particularly for financial requests) and to respect them without exception.

For sensitive communications, setting up a password or secret code also adds an extra layer of security.

Never agree to modify your processes on the basis of a simple email or telephone message. This type of request must be official and validated, in person, by a line manager.

Strengthen your company's technical security

Digital technology is now everywhere, and cyber risks are multiplying. Companies that use the cloud and a complex ecosystem of applications can no longer afford to do without effective cyber security.

Whether it's to combat malware, ransomware or phishing, your company needs a complete arsenal of protection tools.

In concrete terms, to protect against whaling, the essential security features are:

  • A multi-factor authentication system for critical applications.
  • An advanced email filtering solution to detect spoofing attempts.
  • A tool to block risky domain names in real time.
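The two technical ideas above, detecting spoofing attempts in incoming mail and blocking risky domain names, and the address trick described earlier under "Spoofing the email address" (a hyphen or a dot added to the real address), can be illustrated with a small sender-domain classifier. The code below is an added example written for this article, not a product feature from any of the vendors listed on the page. The trusted domains, the sample From/Return-Path headers and the homoglyph table are constructed for illustration; a real filter would sit in a mail gateway and be fed by the organisation's actual domain inventory. It flags three situations: a From domain that is ours while the envelope sender is elsewhere (header spoofing), a domain that collapses to the shape of a trusted one once separators, accents and digit-for-letter substitutions are removed (look-alike domain), and a trusted domain used as a prefix of a longer one.

```python
"""Classify sender domains as trusted, spoofed, look-alike or external.

Added example for the whaling article; not code from the page or from any
vendor it mentions. TRUSTED_DOMAINS and SAMPLE_MESSAGES are constructed.
"""
import re
import unicodedata
from email.utils import parseaddr

# Constructed: the organisation's own domain plus one known partner.
TRUSTED_DOMAINS = ("example-corp.com", "partner-bank.example")

# Single characters often swapped for visually similar ones in look-alike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Character pairs that render like a single different letter.
_DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalise(domain):
    """Collapse a domain to the shape a hurried reader perceives.

    Accents are stripped, look-alike digits are mapped back to letters and the
    separators an attacker adds or moves (hyphens, dots) are removed, so that
    'exarnple-c0rp.com', 'example.corp.com' and 'examplecorp.com' all collapse
    to the same string as 'example-corp.com'.
    """
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.translate(_HOMOGLYPHS)
    for seq, letter in _DIGRAPHS:
        text = text.replace(seq, letter)
    return re.sub(r"[-.]", "", text)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value):
    """Return the lower-cased domain of the address in a From: or Return-Path: header."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header, return_path=None):
    """Classify one message's sender.

    Returns (verdict, domain, matched_trusted_domain) where verdict is one of
    'trusted', 'envelope-mismatch', 'lookalike' or 'external'.
    """
    domain = sender_domain(from_header)
    if domain in TRUSTED_DOMAINS:
        if return_path and sender_domain(return_path) != domain:
            # The visible From is ours but bounces go elsewhere: the header was
            # spoofed rather than the domain imitated.
            return "envelope-mismatch", domain, domain
        return "trusted", domain, domain
    shape = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        t_shape = normalise(trusted)
        if shape == t_shape or edit_distance(shape, t_shape) <= 1 or t_shape in shape:
            return "lookalike", domain, trusted
    return "external", domain, None


# Constructed sample headers: (From, Return-Path). None means the header is absent.
SAMPLE_MESSAGES = (
    ('"CEO" <ceo@example-corp.com>', "<ceo@example-corp.com>"),            # genuine
    ('"CEO" <ceo@example-corp.com>', "<bounce@mail-relay.example>"),       # spoofed header
    ('"CEO" <ceo@examplecorp.com>', "<ceo@examplecorp.com>"),              # hyphen dropped
    ('"CEO" <ceo@exarnple-c0rp.com>', "<ceo@exarnple-c0rp.com>"),          # rn->m, 0->o
    ('"Finance" <ap@example-corp.com-secure.example>', None),              # trusted name as prefix
    ('"Courier" <noreply@delivery.example>', "<noreply@delivery.example>"),  # unrelated sender
)


def triage(messages=SAMPLE_MESSAGES):
    """Run the classifier over (From, Return-Path) pairs and return the verdicts."""
    return [classify_sender(frm, rp) for frm, rp in messages]


if __name__ == "__main__":
    for verdict, domain, matched in triage():
        print(f"{verdict:18} {domain:35} {matched or ''}")
```

Anything classified as `lookalike` or `envelope-mismatch` is a candidate for quarantine and for the real-time domain blocklist mentioned above; the `normalise` step is deliberately aggressive, so the output is a triage signal for the security team rather than a final verdict.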

Apply a "least privilege" policy

This type of policy is difficult to put in place within a company. However, it is the best way of preventing the spread of information that could end up on the dark web. Here are the broad guidelines for implementing this "least privilege" strategy:

  • Limit access to sensitive resources to those who really need them.
  • Segment information systems to limit propagation in the event of a compromise.
  • Regularly review access rights for high-privilege accounts.

7 tools to help you with your anti-whaling strategy

Altospam

Altospam has developed Mailsafe, software that protects your corporate mailboxes against phishing, and whaling in particular. It combines effective heuristic and behavioural analysis to detect emails with suspicious content. It incorporates AI functionality for even more impressive detection performance (- 0.01% false positives). Altospam offers optimum integration with essential email tools such as Gmail and Outlook.

Barracuda Email Protection

Barracuda Networks offers a complete IT security solution. One of its modules is specially designed to address the risks of phishing and whaling: Barracuda Email Protection. The software is based on 3 features:

  • A complete detection mode (heuristic and behavioural).
  • A protection tool against identity theft.
  • A domain name validation system.

To take security to the next level, Barracuda offers "Impersonation Protection", an AI-based analysis model.

Anti-phishing Check Point

Check Point's Harmony Email & Office technology protects your business against the most sophisticated phishing attacks. The software is able to block identity theft attempts before they reach your teams.

Check Point offers comprehensive protection for all your vulnerabilities: email, mobile devices and workstations.

Every message is analysed in depth using robust, high-performance AI technology that examines over 300 phishing threat indicators.

Protect (Mailinblack)

Protect from Mailinblack is an anti-phishing solution that filters out fraudulent emails with great efficiency. Its detection features are powered by deep learning technology trained on billions of emails a year. Your teams are protected from phishing, spear phishing, whaling, ransomware and spam.

Protect offers:

  • Real-time detection with behavioural and contextual analysis of emails.
  • An intelligent filtering system using artificial intelligence.
  • Full analysis of attachments and links in messages.

Mailinblack also offers a more advanced version of its software, Protect Advanced.

Phished

Phished, as its name suggests, is a company that specialises in defence against phishing and whaling. What's special about this platform is that it focuses on training rather than technology to protect your computer system. Its slogan is as follows: "Build your human firewall".

The results of this approach speak for themselves. Currently, over 3,500 companies have implemented its defence strategies and have seen a significant drop in the rate of successful phishing attacks.

GravityZone Small Business Security (Bitdefender)

GravityZone Small Business Security is a cybersecurity solution specially designed to meet the needs of small and medium-sized businesses. Thanks to its easy-to-use interface, it does not require the intervention of an IT team. The software offers comprehensive protection against all cyber threats, with a focus on phishing. For this type of attack, GravityZone Small Business Security blocks access to phishing sites and displays clear warnings to users.

Cofense

Cofense is a protection solution that uses examples to raise awareness and train employees. Its flagship platform, Cofense PhishMe, offers realistic, personalised simulations of phishing attacks. The company also offers a platform for reporting phishing and whaling attempts to anticipate future phishing techniques.

Whaling in brief

Whaling is a threat not to be taken lightly. It is generally thought that senior management teams are less exposed to IT risks, because they are more vigilant for reasons of responsibility. But this is precisely what makes them so vulnerable to well-prepared whaling attacks.

A fraudulent email, followed by a follow-up message, then a phone call (or a deepfake video conference) can fool absolutely anyone. There are only three ways to protect yourself: training, vigilance and technical protection. Don't take the risk of exposing yourself, and strengthen your human and technological security arsenal as quickly as possible.

Article translated from French