Social Engineering: What is Whaling?

Whaling is a form of phishing attack aimed at high-profile executives. By impersonating a highly-ranked professional, cybercriminals try to trick their victims into taking harmful actions. They usually try to obtain large wire transfers or sensitive information, or to deliver malware through fraudulent links. With the latter two, the social engineering of whaling can have longer-term consequences, with further attacks built on the data retrieved.

What is the difference between phishing and whaling?

They both use fake communications to trick their victims into taking an action that benefits the cybercriminal. However, while phishing scams are sent out in bulk, whaling targets specific individuals considered ‘whales’ due to their high rank at a valuable organisation.

How to identify whaling attacks

It can be hard to identify a whaling attack. Cybercriminals put a lot of effort into crafting these scams, as the returns can be huge. They have tricked many highly-educated employees and caused substantial losses for their companies. To avoid this, organisations with sensitive information or high monetary value should keep their employees informed about social engineering tactics.

How to recognize a whaling email

Whaling emails can display the following characteristics:

  • Personalisation: the whaling email will most likely include personalised information about the impersonated individual, the victim, or the organisation to create a sense of familiarity.
  • Urgency: conveying urgency can get the victim to act before thinking of security practices. Attackers might also try to frighten victims using powerful personas that are difficult to disobey or with a threat to their reputation.
  • Language: business language and tone are most appropriate to convince the victim that the email was sent by a high-ranked person. The attackers often use a scenario of asking the victim to do a low-effort action (such as a quick money transfer to a supply partner) based on a fake threat. They may also emphasise confidentiality to stop the victim from being warned about the scam by another person.
  • Legitimate signature: the attackers may use a believable email address, signature, and a link leading to a fraudulent website. We will show you how to recognise these further down the article.
  • Files & Links: cybercriminals may use attachments or links to deliver malware or to request sensitive information. If nothing visible happens when you click a link or submit information on its website, a hidden malware download may have been triggered.

Examples of whaling attacks

  • From ‘within’ the company

In 2016, a top finance executive at Mattel received a fraudulent email from someone impersonating the new CEO. The email contained a routine-looking request for a new vendor payment to China. By falling for the scam, the company lost $3 million, but managed to get it back after an arduous fight.

  • From a third party

The following email scam tricked a handful of executives from different industries. The cybercriminal sent a fake email from the United States District Court with a subpoena to appear before a grand jury in a civil case. The emails included the executives’ name, company, and phone number, convincing them that it was official. When they clicked on the link for the subpoena, they got malware.

  • With phone calls

The National Cyber Security Centre (NCSC) of the United Kingdom confirms that some whaling emails have been backed up by phone calls from the same criminals. A simple trick such as this can make their scam believable, but there are ways to prevent falling for one.

How to protect yourself from a whaling attack

Apart from losing money or data, whaling attacks affect the reputation of the victim and their organisation. Some companies have let go of employees that fell for social engineering tactics, such as FACC, which fired its CEO. And, unfortunately, there is a yearly increase in cybersecurity attacks along with a rise in targeted victims, according to HP.

To avoid being part of the victims’ statistics, we recommend following these tips:

1 – Be aware

Know that there are different types of attacks and that they can be well disguised. When receiving a particular request, remember to:

  1. Double-check the sender’s email address if it claims to be from a colleague. When it comes from a third party, search for the authentic address.
  2. Check whether the domain in the link differs slightly from the one it tries to pass itself off as. If so, it is a fraudulent website. If the link is embedded in a word or image, hover over it with your mouse. You will see the domain appear at the bottom-right corner of your browser.
  3. Check the fraudulent website’s domain age to see if it matches the trusted one. If the suspicious domain is younger, it should not be trusted.
  4. Question the validity of any request for money or sensitive information.
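The link check in step 2 can be automated. The following script is an added example (not Mailfence's own tooling) that extracts the domain from a link and reports why it should not be trusted: a look-alike spelling, the trusted name reused as a subdomain of another domain, or a punycode label. The `mattel.com` trusted domain and the sample URLs are constructed for illustration; the two-label TLD list is a small hand-picked assumption rather than the full public suffix list.

```python
import difflib
from urllib.parse import urlparse

# Assumption: a few common two-label suffixes; a real check would use the public suffix list.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain, e.g. secure.mattel.com -> mattel.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str, trusted_domain: str) -> list[str]:
    """Return warnings explaining why the link's domain is suspicious; an empty list means it matches."""
    trusted = trusted_domain.lower()
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ["no host in URL"]
    warnings = []
    if "xn--" in host:
        # Internationalised labels can be used for homograph look-alikes.
        warnings.append("punycode label (possible homograph)")
    domain = registrable_domain(host)
    if domain == trusted:
        return warnings
    # The trusted name placed in front of another domain, e.g. mattel.com.example.net
    if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
        warnings.append(f"trusted name used as a subdomain of {domain}")
    # Small spelling differences (mattel.co, mattle.com) score high on similarity.
    similarity = difflib.SequenceMatcher(None, domain, trusted).ratio()
    if similarity >= 0.8:
        warnings.append(f"look-alike of {trusted}: {domain}")
    else:
        warnings.append(f"different domain: {domain}")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a whaling email.
    for link in ("https://www.mattel.com/pay", "https://mattel.co/pay",
                 "https://secure.mattel.com.example.net/login", "https://xn--mttel-1ra.com/"):
        print(link, "->", check_link(link, "mattel.com") or ["matches trusted domain"])
```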

URL redirect checker: shows you the redirect path a link will follow before it reaches its final destination.

Website screenshot service: takes a screenshot of a site when you provide a link, allowing you to view it before accessing it.

Domain age checkers: insert a questionable link and a link from the authentic site to see if their ages match.

2 – Know the power of social media

Anything posted online can work against you. A whaling email could be personalised with photos, names, dates, and many other details found on social media. It is also common to publish content from conferences or company events, so employees should pay extra attention to scams after participating in these, since scammers will likely refer to them.

A good practice is to set personal social media accounts to be private. However, it does not fully protect from content published by the company’s public channels (newsletters, social media, website, etc.). The next tip can help with this issue.

3 – Adopt company-wide data protection policies

A common understanding of what type of information can be shared publicly prevents cyber attackers from using it. By establishing cybersecurity best practices within your organisation, a sense of responsibility and accountability can also rise among colleagues, protecting against substantial losses.

Some data protection policies that companies take are:

  • Flag third-party emails: makes it easier to identify email scams pretending to come from colleagues.
  • Verify requests: when getting unusual or urgent requests from a colleague’s email, it is a good idea to confirm them with that colleague. Talking in person, via a message, or on a call can reassure you that it is not a scam.
  • Multi-step verification: any request for a wire transfer or sensitive information should go through several checks with different people before taking place. For example, requiring two people to sign off on each high-value money transfer can be a simple solution. It also lowers the fear factor of being the sole employee responsible for such transactions, leaving more clarity to make an important decision.
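The "flag third-party emails" policy can be applied at the mail gateway. Below is an added example (not Mailfence's code) that parses a raw message, decides whether the sender is external to the organisation, and prepends an `[EXTERNAL]` tag to the subject; it also catches two whaling tricks the article describes, a display name that imitates an internal address and a Reply-To pointing elsewhere. The `example.com` internal domain and the sample message are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Assumption: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.com"}


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from an address header such as 'Name <user@host>'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def tag_external(raw: bytes) -> tuple[bool, list[str], str]:
    """Return (is_external, reasons, subject) with the subject tagged when the mail is external."""
    msg = email.message_from_bytes(raw)
    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    from_domain = domain_of(from_header)
    reply_domain = domain_of(msg["Reply-To"]) if msg.get("Reply-To") else from_domain
    reasons = []
    if from_domain not in INTERNAL_DOMAINS:
        reasons.append(f"sender domain {from_domain} is not internal")
    if reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # A display name carrying an internal address is a classic way to fake a colleague's mail.
    if from_domain not in INTERNAL_DOMAINS and any(d in display_name.lower() for d in INTERNAL_DOMAINS):
        reasons.append("display name imitates an internal address")
    subject = msg.get("Subject", "")
    if reasons and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    return bool(reasons), reasons, subject


# Constructed sample: a fake CEO request sent from an outside mailbox.
SAMPLE = b"""From: "CEO <ceo@example.com>" <ceo.office@mail.example.net>
Reply-To: ceo.office@mail.example.net
To: cfo@example.com
Subject: Urgent vendor payment - confidential

Please wire the attached invoice today and keep this between us.
"""

if __name__ == "__main__":
    is_external, reasons, subject = tag_external(SAMPLE)
    print(subject)
    for reason in reasons:
        print(" -", reason)
```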

4 – Anti-phishing tools and courses

Scammers will always be a step ahead of the restrictions they face. Using tools and cybersecurity courses can help you identify their patterns and prevent whaling attacks as much as possible. For example, a good practice could be for the IT department to send out fake whaling attacks to its colleagues. By testing their reactions, the employees can learn to be safer from the feedback of the test.

As for tools, there is anti-phishing software that can recognize fraudulent links and malware downloads. Also, a secure and private email provider, such as Mailfence, can keep away spam, ads, trackers, hackers and solicitations. Such tools can give users peace of mind from many social engineering tricks.


What to do if you fell for a whaling attack

If you suffered from social engineering and/or your email got hacked, read our blog post on Steps to take when your email is hacked. It explains how to control the damage, report it and prevent future hacking attacks.

If you were using a work device or account, contact your supervisor and the IT department as soon as possible. They can alert other employees and ensure that everything is secure again. Also, the sooner you report the incident, the less time the attackers have to worsen the damage, and your organisation can put together a complete communication plan involving all affected parties earlier on.

How to prevent other types of social engineering

As mentioned before, the best way to prevent phishing attacks is to get informed. For this purpose, Mailfence created a free and easy-to-follow Email security and privacy awareness course.

The course helps users understand their threat profile to know which tips they need. Based on that, a series of articles by Mailfence share knowledge on different levels of security against cyber threats found in emails.


Stay up to date with our latest articles by following us on Twitter and Reddit. For more information on Mailfence’s encrypted email suite, please do not hesitate to contact us at

– Mailfence Team