
What is a Whaling Attack?

3 min read
Published March 29, 2020
Last updated October 12, 2022

A whaling attack is essentially a spear-phishing attack with bigger targets – hence "whale phishing". Where spear-phishing attacks may target any individual, whaling attacks are more specific about the type of person they go after: one high-level executive or influencer rather than a broader group of potential victims.

Cybercriminals use whaling attacks to impersonate senior management in an organization, such as the CEO, CFO, or other executives, hoping to leverage their authority to gain access to sensitive data or money. They use the intelligence they find on the internet (and often social media) to trick employees – or another whale – into replying with financial or personal data.


These attackers want to use the authority and influence of the whale to convince people not to look at or question the fraudulent request. When employees don’t look too hard at the email address or websites and just follow directions, cybercriminals can make out like bandits.

Whaling attack statistics

The FBI reported that companies lost nearly $215 million in 2014 as a result of phishing attacks. In 2016, the Verizon DBIR reported 61 phishing attacks targeting finance teams. That number rose to 170 in 2017 – nearly a 200% increase!


How do whaling attacks work and why are they successful?

Whaling attacks demand more research and planning than standard phishing and spear-phishing attacks. To impersonate a high-value target convincingly, attackers need to take the time to figure out how to sound like that person, find a way to approach the victim, and work out what information they can get from them.

Cybercriminals look at social media and public company information to establish a profile and plan of attack. They can also use malware and rootkits to infiltrate the network: an email that comes from the CEO’s account is much more effective than a spoofed email account. And when these emails include details to make the attacks seem like they’re coming from trusted entities? Even better.

Emails are by far the most effective phishing (including whaling) method: 98% of all phishing attacks use email. In the past, phishing emails focused on including links or attachments with malware; more recently, successful whaling attacks have made a single request that seems plausible to the target.

Whaling attack examples

In 2016, an employee at Snapchat disclosed all of the company's payroll data to a scammer after promptly responding to an email that looked to be from the CEO. HR and payroll teams are frequent targets of whaling attacks because they have access to sensitive personal data.

In another whaling attack, an employee at a commodities firm wired $17.2 million in several installments to a bank in China, as requested by what looked to be emails from the CEO. The company was planning to expand their business into China at the time, so the request seemed plausible enough.

In both of those incidents, the victim failed to identify the whaling attack or ask questions to validate the request. It’s critical to train executives and staff to be vigilant and on alert for any phishing scams.

Tips for avoiding a whaling attack

Avoiding a whaling attack uses the same tactics as avoiding a standard phishing attack. The only difference is the high value of the target.


  • Educate employees about whaling attacks and how to identify phishing emails.
    • Train employees and executives to think with a security mindset and ask questions.
    • Check the reply-to email address and validate that it's legitimate.
    • Call to confirm unusual or urgent requests.
  • Flag all emails that come from outside of the organization – this helps highlight potential scam emails.
  • Discuss use of social media with the executive team as it relates to whale phishing.
    • Social media is a goldmine of information cybercriminals can use in their whale phishing scams.
    • Security experts recommend that members of the executive teams enable privacy restrictions on their personal social media accounts to reduce exposure of information that can be used in a social engineering scam.
  • Establish a multi-step verification process for internal and external requests for sensitive data or wire transfers.
  • Exercise data protection and data security policies: monitor file and email activity to track and alert on suspicious behavior, and implement layered security to protect your company against whaling and every other kind of phishing.
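As an added example (not code from the original post or from Varonis), here is a small Python check that applies three of the tips above to one raw email: flag external senders, validate the reply-to address against the sender, and surface requests for money or sensitive data so they are routed to the call-to-confirm step. The internal domain, executive name and sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example (assumptions, not from the post).
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe"}          # display names an attacker may impersonate
REQUEST_WORDS = re.compile(r"\b(wire|transfer|payroll|urgent|gift card)\b", re.I)


def domain_of(addr: str) -> str:
    """Lower-cased domain of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def assess_message(raw: str) -> list:
    """Apply the header and content checks from the tips to one raw RFC 822 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    external = domain_of(from_addr) not in INTERNAL_DOMAINS
    flags = []
    if external:                                   # tip: flag mail from outside the organization
        flags.append("external-sender")
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        flags.append("reply-to-mismatch")          # tip: replies are steered to another domain
    if external and from_name.strip().lower() in EXECUTIVE_NAMES:
        flags.append("executive-name-spoof")       # an executive's name on an outside address
    body = "".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    if REQUEST_WORDS.search(body):
        flags.append("sensitive-request")          # tip: route to the call-to-confirm step
    return flags


# Constructed sample messages: a look-alike sender domain and a steered Reply-To.
LOOKALIKE = """From: Jane Doe <jane.doe@example-corp.co>
To: payroll@example.com
Subject: Quick favour

Please wire $48,000 to the new vendor today; I am in meetings all day.
"""
REPLY_TO_SPOOF = """From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe.ceo@mail-example.net
To: hr@example.com
Subject: Payroll summary

Can you send me the full payroll summary for Q1?
"""
```

A mail gateway or SIEM rule would act on these flags (tag the message, or open a ticket for the call-back check) rather than block on its own, since an internal sender can still be legitimately urgent.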

Want to learn more? Find out how Varonis can help you prevent and defend against whaling attacks – and protect your data and your money from being stolen.
