Ready to Start Your Career?

Phishing: How CEOs are Targeted through Whaling

Shimon Brathwaite's profile image

By: Shimon Brathwaite

December 17, 2021

Phishing is one of the most common and most effective type of social engineering attack. Social engineering attacks focus on manipulating users into performing malicious actions. This is usually done over email, but it can also be through text or phone calls where someone pretends to be a legitimate entity to gain trust. It can cause a lot of damage for businesses; as of 2021, the average cost of phishing attacks has grown to about 14.8 million dollars for US companies. However, not all phishing scams are created equal; some have much more preparation and, as a result, are a lot more effective in deceiving people. This article will focus on a particular type of phishing attack known as whaling.

What is whaling?

To understand whaling, we first need to understand what spear-phishing is. Whaling is a type of spear-phishing attack that focuses on high-profile targets within a company, such as the c-suite employees. In addition, its attack is specifically tailored to an individual rather than creating a generic phishing email and sending it to a list of targets. The fraud will include the person's exact name, address, name of their known associates/family members, and other details that will make the phishing attack much more believable.

Why is whaling so effective?

What makes whaling so compelling is the deep research into creating a persuasive email. Hackers leverage social media and public company information to identify key people and gather information on those people. Let's look at LinkedIn as an example; you can find someone's job title, work experience, affiliations, and potential interests. They then use this information to create a message that looks pretty legitimate. However, if the email is successful, they can get malware on that user's computer that will give them access to their corporate accounts. This situation will give the hacker a lot of power to manipulate things in the business for their benefit. Anyone will obey an email from your CEO most times without question.

Whaling Attack Examples

A real example of a whaling attack was Snapchat in 2016. An employee at Snapchat disclosed all of the company payroll information to a scammer because he had responded to an email that appeared to come from the company's CEO.

Another example is Omaha schoular Co, a commodities company. An employee was cheated into wiring hackers $17.2 million because he responded to what looked like an email from their CEO. When the company was planning on expanding their business into China, that combined with the phishing email was enough to convince him to wire the money.

How to prevent whaling

tips for avoiding whaling

Source @ varonis

Security awareness training: One of the best defenses against whaling or another type of phishing attack is good security awareness training. Your C-suite employees need to understand that they will be targeted, and they need to be able to recognize when someone is trying to trick them into doing something that can negatively affect the company. It would help if you also planned to do phishing simulations without their knowledge and see how well they can recognize these emails. This will give you a good indication of how likely they are to be tricked by the real thing.

Scan emails from outside the company: The most significant threat you will have associated with phishing is emails from outside your company. You should invest in software that will scan these emails for the text that matches known phishing emails, check the attachments for malware, and review any links to see if they are pointing to a malicious website. The controls will filter out many emails targeted at your executives and, therefore, limit the chance that they will even see one of these emails.

Discuss social media with your team: Social media is one of the primary sources of information for hackers to craft good phishing emails. Your team needs to understand that they should be mindful of what they make private because that information can trick them later on. Also, if they know what information is public, they are less likely to trust an email that contains that information because they know it is general knowledge.

Use multi-step verification for sensitive requests: You should have multi-step verification for any sensitive information or money transfer requests. This way, even if the attacker successfully deceives the employee, you can identify it later in the verification process.

Data Protection and Data security policies: This is an excellent overall practice, but you should have data protection measures that will make it difficult for a hacker to trick someone into sending data outside the company. For example, good DLP software will usually flag certain types of documents from being sent outside the company, which can be very useful in these situations.

Enable two-factor authentication: Where possible, you should enable two-factor authentication on company accounts. This way, if someone is tricked into giving up their login credentials, the hacker won't have all the information they need to log in. It adds an extra layer of security to your C-suite executive's accounts.


Whaling is a type of spear-phishing attack that targets high-profile employees in the company. In this attack, hackers gather information from social media and other public information sources to craft persuasive messages that are likely to trick the person into performing an action that will harm the company. The best defense against this is to take a multi-layered approach:

  1. You want to educate your employees through security awareness training and the potential dangers of posting personal information on social media.

  2. You should invest in a software solution for scanning emails from outside the company to prevent these attacks from ever reaching your employees.

  3. It would be best to have good data protection policies and multi-step verification for logins and any data requests involving sensitive data.

Schedule Demo