What is Whaling?

Whaling is a type of highly-targeted phishing attack where the intended target is a high-profile, high-authority individual with privileged access to significant financial resources, sensitive data, or a secured network.

As with phishing attacks, whaling combines fraudulent and deceptive communications with social engineering techniques to manipulate the victim into taking harmful actions, such as disclosing sensitive data, or granting digital adversaries illicit access to business funds or secure business networks.

Whaling vs. Phishing vs. Spear Phishing - What’s the Difference?

Phishing, Spear phishing, and Whaling represent three different targeting strategies for the same types of Cyber Attacks.

Generic phishing attacks are akin to a fisherman "casting a wide net" into the ocean. These attacks are poorly targeted, often aimed at no-one specific, but scammers compensate by sending a high volume of messages. 

Spear phishing works just like regular phishing, but with one key difference: target selection. Instead of sending a generic phishing message en masse, a digital adversary targets a specific individual, government department, or enterprise organization. Targeted spear phishing attacks use highly customized messaging to amplify deception and increase the probability of a successful attack.

Whaling is a special type of Spear phishing where digital adversaries target high-powered individuals who:

  • Have the authority to authorize or direct large financial transactions,
  • Have administrative access to a network containing high-value data, or,
  • Have direct access to financial resources that the attacker can steal by impersonating the target or taking over their accounts.

How Do Whaling Attacks Work?

  • Choosing a High Value Target: The first step in any whaling attack is to select a high-value target. Typical targets for whaling attacks include corporate executives, owners of SMBs, celebrities, and high-ranking government officials.
  • Planning a Sophisticated Attack: Due to the potentially high payoff associated with successful a Whaling Attack, digital adversaries invest more time and resources in carefully planning whaling attacks to maximize the likelihood of success.
    Whaling, like phishing, always involves fraudulent communications - but a sophisticated whaling attack might involve impersonating several of the target's contacts across multiple communication channels to effectively manipulate the target. Timing the attack, crafting the perfect lure messages, and optimizing follow-up actions are all considered.
  • Building Attack Infrastructure: Before launching a Whaling Attack, digital adversaries must develop and deploy any digital infrastructure needed to support the Attack.
    This can include fake social media accounts or spoofed email addresses to communicate with the target, as well as fraudulent web domains, mobile apps, or malware that infect the target's device or steal their credentials.
  • Launching the Attack: Once the Attack is planned and the timing is perfect, cyber criminals launch their whaling attack by sending fraudulent communications to the target.
  • Stealing Money or Data: The outcome of a successful Whaling Attack depends on the specific goals of the attackers. Attackers might hijack the target's business email and use it to order fraudulent transactions, or they might infect the target's machine with malware in hopes of exhilarating sensitive data.

          Whaling and Other Types of Cyber Attacks

          Whaling is a targeting strategy for fraudulent message attacks, but the precise tactics, techniques, and procedures used in the attack remain highly variable. 

          As part of a Whaling Attack, cyber criminals might try to:

          • Send a malicious link that infects the target's machine with malware or spyware,
          • Attempt an account takeover attack against the target's email account to impersonate the target, or
          • Impersonate the target's employees or colleagues with a business email compromise (BEC) attack or email spoofing.

          Whaling attacks vary in their exact methods of attack, but they always involve sending fraudulent messages to a high-authority target.

          3 Whaling Examples You Should Know

          FACC Whaling Attack

          In late 2015, a cyber criminal impersonated the CEO of Austrian aerospace manufacturing company FACC and directed its finance team to make $56 million in fraudulent payments. The scheme succeeded in part because the scammers crafted a convincing email which imitate the CEO's writing style.

          Levitas Capital BEC Attack

          In 2020, cyber criminals targeted a founder of Australian hedge fund Levitas Capital with a fake Zoom link that, once clicked, infected the target's machine with malware that gave attackers control of the Levitas Capital email system.

          Then, by impersonating Levitas Capital executives via email, the attackers were able to request and authorize millions of dollars in fraudulent transactions

          Ultimately, the cyber criminals stole $8.7 million and the hedge fund lost its biggest client and ceased operations.

          Seagate Data Theft Attack

          In March 2016, cyber criminals impersonated the CEO of American chip manufacturer Seagate using a spoofed email and manipulated a member of the organization's HR staff into disclosing W-2 forms and PII pertaining to all employees - about 10,000 records. The data was used to file fraudulent U.S. tax returns.

          The disclosure resulted in Seagate employees suing the company for compensation.

          What are the Consequences of a Whaling Attack?

          Data Breach

          As in the Seagate case, a successful Whaling Attack often results in the exposure of sensitive personal data. This can lead to high remediation costs in the form of regulatory penalties and litigation costs.

          Financial Losses

          Both FACC and Levitas Capital lost millions of dollars when they fell victim to whaling attacks. The potential to steal millions of dollars by exploiting the authority of high-powered executives keeps cyber criminals investing time and resources in whaling attacks.

          Reputational Damage

          A successful whaling almost always results in severe reputational damage for the individual or business targeted. 

          That's exactly what happened in the three examples we shared above: the CEO of FACC was fired, Levitas Capital lost its biggest client and shut down, and Seagate was sued by its own employees.

          Protect Your Organization against Whaling Attacks with ZeroFox

          ZeroFox provides digital risk protection, threat intelligence, and adversary disruption to protect organizations and their executives against Whaling Attacks.

          The AI-powered ZeroFox platform monitors your organization's public attack surface to identify and dismantle complex, cross-channel whaling attacks before they can successfully target your employees or executives.
          Read our free report Anatomy and Trends of the Evolved Phishing Ecosystem to learn more about targeted phishing attacks and how to prevent them.