Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

What is a Whaling Attack?

A whaling attack specifically targets senior management in an organization such as the CEO, CFO, or other executives, hoping to leverage their authority to gain access to sensitive data. Discover everything you need to know about this attack including tips for avoiding one with our guide.
Michael Buckbee
3 min read
Published March 29, 2020
Last updated October 12, 2022

A whaling attack is essentially a spear-phishing attack but the targets are bigger – hence whale phishing. Where spear-phishing attacks may target any individual, whaling attacks are more specific in what type of person they target: focusing on one specific high level executive or influencer vs a broader group of potential victims.

Cybercriminals use whaling attacks to impersonate senior management in an organization, such as the CEO, CFO, or other executives, hoping to leverage their authority to gain access to sensitive data or money. They use the intelligence they find on the internet (and often social media) to trick employees – or another whale – into replying with financial or personal data.

Get the Free Pentesting Active
Directory Environments e-book

These attackers want to use the authority and influence of the whale to convince people not to look at or question the fraudulent request. When employees don’t look too hard at the email address or websites and just follow directions, cybercriminals can make out like bandits.

Whaling attack statistics

The FBI reported that companies lost nearly $215 million in 2014 as a result of phishing attacks. In 2016, the Verizon DBIR reported 61 phishing attacks targeting finance teams. That number rose to 170 in 2017 – nearly a 200% increase!

whaling attack statistic

How do whaling attacks work and why are they successful?

Whaling attacks demand more research and planning than standard phishing and spear-phishing attacks. To impersonate a high-value target, they need to take the time to figure out the best way to sound like their target, find a way to approach their target, and figure out what kind of information they can get from the victims.

Cybercriminals look at social media and public company information to establish a profile and plan of attack. They can also use malware and rootkits to infiltrate the network: an email that comes from the CEO’s account is much more effective than a spoofed email account. And when these emails include details to make the attacks seem like they’re coming from trusted entities? Even better.

Emails are by far the most effective phishing (including whaling) method: 98% of all phishing attacks use email. In the past, phishing emails focused on including links or attachments with malware; more recently, successful whaling attacks have made a single request that seems plausible to the target.

Whaling attack examples

In 2016, an employee at Snapchat disclosed all of the company’s payroll data to a scammer – the employee had responded to an email that looked to be from the CEO and responded promptly. HR and payroll teams are frequent targets of whaling attacks because they have access to sensitive personal data.

In another whaling attack, an employee at a commodities firm wired $17.2 million in several installments to a bank in China, as requested by what looked to be emails from the CEO. The company was planning to expand their business into China at the time, so the request seemed plausible enough.

In both of those incidents, the victim failed to identify the whaling attack or ask questions to validate the request. It’s critical to train executives and staff to be vigilant and on alert for any phishing scams.

Tips for avoiding a whaling attack

Avoiding a whaling attack uses the same tactics as avoiding a standard phishing attack. The only difference is the high value of the target.

5 tips for avoiding a whaling attack in list form

  • Educate employees about whaling attacks and how to identify phishing emails.
    • Train employees and executives to think with a security mindset and ask questions.
    • Check reply-to email address and validate that it’s legitimate.
    • Call to confirm unusual or urgent requests.
  • Flag all emails that come from outside of the organization – this helps highlight potential scam emails.
  • Discuss use of social media with the executive team as it relates to whale phishing.
    • Social media is a goldmine of information cybercriminals can use in their whale phishing scams.
    • Security experts recommend that members of the executive teams enable privacy restrictions on their personal social media accounts to reduce exposure of information that can be used in a social engineering scam.
  • Establish a multi-step verification process for internal and external requests for sensitive data or wire transfers.
  • Exercise data protection and data security policies: Monitor file and email activity to track and alert on suspicious behavior, and implement layered security to protect your company against whale – and any kind – of phishing.

Want to learn more? Find out how Varonis can help you prevent and defend against whaling attacks – and protect your data and your money from being stolen.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

what-is-a-brute-force-attack?
What is a Brute Force Attack?
A brute force attack (also known as brute force cracking) is the cyberattack equivalent of trying every key on your key ring, and eventually finding the right one. The most basic brute force attack is a dictionary attack, where the attacker works through a dictionary of possible passwords and tries them all.
what-is-a-ddos-attack?-identifying-denial-of-service-attacks
What is a DDoS Attack? Identifying Denial-of-Service Attacks
Distributed Denial-of-service (DDoS) attacks are disruptive and costly. Learn more about DDoS attacks and how you can better protect your network.
what-is-dns,-how-it-works-+-vulnerabilities
What is DNS, How it Works + Vulnerabilities
What is DNS? It’s the address book of the internet. Read on to understand DNS, learn how you are vulnerable to attack through DNS, and how to protect your networks from DNS attacks.
what-is-a-man-in-the-middle-attack:-detection-and-prevention-tips
What is a Man-in-the-Middle Attack: Detection and Prevention Tips
Man-in-the-middle attacks are sophisticated spying techniques attackers use to snoop on network traffic. Read on to learn more about these MitM attacks.