The biggest catch: What is whaling in cybersecurity?


Whaling is a sophisticated form of cyberattack that targets high-profile executives and senior decision-makers within organisations – aka the “big fish”.

Unlike standard phishing attacks that cast a wide net, whaling attacks are meticulously crafted and highly personalised campaigns. They’re designed to deceive C-suite executives into authorising fraudulent transactions or revealing sensitive information – making them one of the most dangerous threats facing businesses.

How do whaling attacks work?

Whaling attacks typically begin weeks or even months before the victim receives the first malicious email. Cybercriminals gather information from various sources, studying their targets’:

  • Communication style
  • Business relationships
  • Operational schedules

This enables them to build a comprehensive picture of how the target operates.  

Armed with this knowledge, attackers craft seemingly authentic emails that appear to come from trusted sources. Think board members, legal counsel, or business partners.

Why do cybercriminals target the C-suite?

Hackers focus on executives because they are the highest-value targets in any organisation. Senior leaders typically have:

  • Unrestricted access to financial systems
  • The authority to approve large transactions without extensive oversight
  • Intimate knowledge of business operations, strategic plans, and sensitive client information

Their busy schedules mean they're more likely to act quickly on urgent requests without following standard verification procedures.

What makes whaling attacks so dangerous?

When criminals successfully deceive an executive, the potential payoff is far higher than when targeting regular employees. Successful CFO or CEO fraud can result in hackers gaining access to highly sensitive business data and the theft of millions of pounds in fraudulent transfers.

What makes whaling dangerous?

  • Attackers extensively research and personalise their campaigns
  • Criminals exploit the authority and trust that senior positions command
  • Financial losses typically run much higher than standard phishing attempts
  • Their sophisticated nature makes them harder to detect

Whaling vs phishing vs spear phishing

While all three attack types fall under the social engineering umbrella, they differ significantly in scope and targeting.

Phishing

Phishing casts the widest net, sending generic malicious emails to thousands of recipients, hoping to land a catch. These attacks often contain obvious red flags like poor grammar or suspicious links.

Spear phishing

Spear phishing narrows the focus to specific individuals or groups within an organisation. In spear phishing attacks, hackers use publicly available information to create convincing messages tailored to the target.

Whaling

Whaling goes further still, exclusively targeting high-value executives with extensively researched, highly personalised attacks that can take weeks or months to prepare. Criminals invest this time because the potential payoff is enormous.

AI’s impact on whaling attacks

AI has made whaling and other social engineering attacks more sophisticated and accessible than ever before. Recent research claims cybercriminals use AI in 67.4% of all phishing attacks. The question is, how?

Content creation

AI allows hackers to create emails that perfectly mimic an executive's writing style, tone, and communication patterns. Gone are the days when you could spot a fake email by looking for typos or unusual phrasing.

Voice phishing

Voice phishing (or vishing) attacks surged 442% between the first and second halves of 2024. Cybercriminals use AI-generated voice clones that can replicate an executive's speech patterns from just a few seconds of audio.

Deepfake whaling attacks

A relatively recent trend has seen cybercriminals use AI to make sophisticated deepfake video calls. These attacks involve creating realistic avatars of executives that participate in live video conferences, making requests for fund transfers or sensitive information.

The technology has advanced to the point where deepfakes can convincingly replicate facial expressions, speech patterns, and mannerisms, making it extremely difficult for victims to detect.

7 Whaling prevention and mitigation strategies

Protecting your organisation against whaling attacks requires a multi-layered approach that combines technology, processes, and employee awareness.

1. Multi-factor authentication and access controls

Set up multi-factor authentication (MFA) for all senior executives and anyone with access to financial systems. Create separate administrative accounts and ensure that no single person can authorise high-value transactions without additional verification.

2. Verification protocols for financial requests

Establish mandatory dual-channel verification for any financial request over a certain threshold. If someone receives an email requesting a wire transfer, they must verify the request through a different communication method – ideally, an in-person conversation or phone call to a known number.

Create a “safe word” system for urgent requests, where executives and finance teams use predetermined phrases that criminals can’t easily discover through research.

3. Executive phishing awareness training

Run cybersecurity awareness training sessions that specifically address social engineering attacks. Training should include hands-on simulations using realistic scenarios that executives might encounter, such as urgent legal requests or time-sensitive acquisition communications, as well as:

  • How to identify social engineering tactics
  • The importance of verifying unusual requests through secondary channels
  • Staying alert to potential deepfake audio and video attacks

4. Email security and filtering

Deploy advanced email security that can detect sophisticated phishing attempts. For the best protection, consider investing in a system that uses AI to analyse communication patterns and flag unusual requests – even when they come from legitimate-looking accounts.

For added protection, implement domain-based message authentication, reporting, and conformance (DMARC) to prevent domain spoofing and ensure emails claiming to be from your organisation are legitimate.
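As an added illustration of the DMARC and communication-pattern checks described in this section (example code, not from the article or any vendor product), the following Python inspects one inbound message for common executive-impersonation indicators. The organisation domain, executive list, DMARC record and sample headers are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed example data (not from the article): the organisation's own mail
# domain and the executives most likely to be impersonated in a whaling email.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "tom lee": "tom.lee@example.com"}
URGENT_FINANCE = re.compile(r"\b(wire|transfer|payment|urgent|confidential)\b", re.I)


def parse_dmarc(record):
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def whaling_indicators(headers, dmarc_record):
    """Return the list of impersonation indicators found in one inbound message.

    `headers` is a dict of the message's header fields; the DMARC verdict is read
    from the Authentication-Results header that the receiving MTA adds.
    """
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    reasons = []
    # Display name belongs to an executive, but the address is not theirs.
    if EXECUTIVES.get(name.strip().lower()) not in (None, addr):
        reasons.append("executive display name with a different address")
    # Typo-squatted domain: close to ours without being ours.
    if domain != OUR_DOMAIN and SequenceMatcher(None, domain, OUR_DOMAIN).ratio() > 0.8:
        reasons.append(f"lookalike sender domain {domain}")
    # Replies silently routed somewhere other than the visible sender.
    reply_to = parseaddr(headers.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append("Reply-To differs from From")
    # Mail claiming our domain that did not pass DMARC: spoofed, and our published
    # policy says what receivers should do with it.
    if domain == OUR_DOMAIN and "dmarc=pass" not in headers.get("Authentication-Results", ""):
        policy = parse_dmarc(dmarc_record).get("p", "none")
        reasons.append(f"own domain without DMARC pass (policy p={policy})")
    if URGENT_FINANCE.search(headers.get("Subject", "")):
        reasons.append("urgent financial language in subject")
    return reasons
```

A real gateway would feed these indicators into a score and quarantine or banner the message rather than block on any single one.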

5. Digital footprint management

Conduct regular audits of executives' online presence and limit the amount of publicly available personal and professional information. This includes:

  • Reviewing social media privacy settings
  • Limiting biographical information on company websites
  • Being cautious about sharing travel schedules or personal details publicly

6. Incident response planning

Develop incident response procedures for whaling and business email compromise (BEC) attacks, and test them regularly to ensure everyone knows what to do in the event of a breach. According to Verizon, over half of BEC victims were able to recover at least 82% of their stolen money when they reported fraudulent transfers quickly.

Your response plan should include immediate contact procedures for banks, law enforcement, and cybersecurity teams, along with clear escalation processes for different types of whaling attempts.

7. Zero-trust architecture

Implement a zero-trust security model that assumes every request could be malicious, regardless of its apparent source. This means verifying every transaction, access request, and communication before acting.

Consider using advanced threat detection tools that flag unusual patterns in executive communications and financial activities.

Whaling attack examples

Understanding how whaling attacks unfold in practice helps illustrate why these threats are so effective and costly.

The FACC aerospace attack

In 2015, Austrian aerospace manufacturer FACC fell victim to a whaling attack that resulted in €50 million in losses.

Criminals impersonated the company's CEO in an email to a finance employee requesting an urgent fund transfer for what appeared to be a confidential acquisition deal. The finance worker, believing the request came directly from the CEO and feeling pressure to act quickly on the sensitive matter, authorised the transfer without seeking additional verification.

The $25 million deepfake conference call

One of the most sophisticated whaling attacks on record occurred in 2024 when criminals used deepfake technology to orchestrate an elaborate video conference scam targeting Arup, a multinational engineering firm. 

The finance worker believed they were participating in a legitimate meeting with senior colleagues, including the CFO. During the call, hackers convinced the unfortunate employee to transfer $25 million out of the company.

US non-profit fraud scheme

In 2024, law enforcement arrested a Nigerian cybercriminal who’d targeted charitable organisations in the US, stealing over $7 million. 

The attacker first compromised email accounts at one charity, then used that access to study internal communications and procedures. Armed with insider knowledge, the criminal impersonated legitimate employees to request fund transfers from a second charity, making the requests appear routine.

What is whaling in cybersecurity? A threat you can’t ignore

What is whaling in cybersecurity? In a nutshell, it’s one of the most sophisticated and expensive cybersecurity threats facing businesses. With BEC attacks costing companies over $16.6 billion in 2024 and AI making these attacks more accessible, organisations can no longer treat executive targeting as an edge case.

Defending against whaling requires robust technical controls, clear verification processes, and ongoing awareness training. By implementing comprehensive security measures, like those outlined in the government-backed Cyber Essentials certification, you can ensure your organisation's executives don't become the next big catch.

Want to give your people the skills to recognise cyber threats before they turn into breaches? Check out CyberSmart Learn, our cybersecurity focused learning management system.