Sponsored Content

What is Whaling and How to Protect Your Business


Whaling is one of the most sophisticated forms of phishing out there. The “whales”, the targets of these scams, are high-level individuals such as CEOs, senior executives, and managers. And while the motivations behind a whaling attack can vary, including stealing money, control, supply chain attack, corporate espionage, malware, or personal vendetta, the potential losses for the victims can be in the millions.

Whaling attacks aren’t rare either. According to research, 59% of organizations had executives targeted by whaling attacks, and 46% of those attacks were successful. With such alarming statistics, it’s crucial for businesses to educate their employees on what whaling scams are, how to spot them, and what to do when confronted with one.

Types of whaling attacks

Whaling attacks employ some of the most effective techniques known to scammers. These are the most common ones to watch out for:

  • Email and follow-up phone call. Cybercriminals will often follow up on a whaling email with a phone call to confirm the email request. This social engineering tactic both corroborates the email request and makes the victim complacent by giving them a 'real world' interaction that puts them at ease.
  • Impersonating a trusted partner. The most recent and sophisticated whaling attacks have access to information such as suppliers or partners of the target organization (especially if they advertise their partners such as charities, law firms, think tanks, or academic institutions). They use this information to craft extremely believable scams.
  • Impersonating colleagues. Criminals will either compromise or spoof a colleague’s email address in order to trick other employees into believing the attack is a legitimate request. These attacks often come from a “senior” and target a junior within the organization. 
  • Whaling via social media. Social media gives cybercriminals access to senior executives. They can research and contact them on these platforms. Victims are also less vigilant in social situations so scammers may try to befriend the target or pretend to be a potential business partner, love interest, peer, or authority figure.
  • Baiting. Criminals may leave an infected USB drive at the target’s office, gym locker, or even mail it to their home with the hopes that they will try to use it.

How to spot Whaling


Despite a higher level of sophistication than the average run-of-the-mill scam, there are tell-tale signs of a whaling attack that you can spot if you know what to look for. This is why it’s vital for organizations to educate their employees.

  • It conveys a sense of urgency and puts pressure on the target to act quickly. Usually, this is done by implying adverse consequences if the requested action isn’t performed right away.
  • It uses spoofed email addresses and names. The sender’s email address may not match the domain of the company the email claims to be from or they’ll substitute lookalike letters, for example, an “m” with an “rn”.
  • It requests money transfers or personal information.
  • The sender’s domain age doesn’t match the domain age of the trusted correspondent.
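
The signs listed above can be checked mechanically before a message reaches an executive's inbox. The following is an added example, not part of the original article: the trusted-domain list, the keyword patterns and the sample messages are constructed assumptions, and the domain-age check is left out because it needs a live registration lookup.

```python
import re
from email.utils import parseaddr

# Assumed allow-list of domains the organization really corresponds with (constructed).
TRUSTED_DOMAINS = {"example.com", "partner-firm.example"}
# Lookalike sequences folded to the character they imitate, e.g. "rn" for "m".
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
URGENCY = re.compile(r"\b(urgent|immediately|right away|today|asap)\b", re.I)
REQUEST = re.compile(r"\b(wire|transfer|payment|payroll|bank details|password)\b", re.I)


def fold(domain):
    """Reduce a domain to a skeleton so visually similar spellings compare equal."""
    folded = domain.lower()
    for fake, real in LOOKALIKES:
        folded = folded.replace(fake, real)
    return folded


def whaling_signals(from_header, text, trusted=TRUSTED_DOMAINS):
    """Return the set of warning signs found in one message."""
    signals = set()
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if domain not in trusted:
        # Different spelling, same skeleton: a lookalike of a trusted domain.
        if any(fold(domain) == fold(t) for t in trusted):
            signals.add("lookalike_domain")
        # Display name shows a trusted domain but the real address is elsewhere.
        if any(t in display.lower() for t in trusted):
            signals.add("display_name_mismatch")
    if URGENCY.search(text):
        signals.add("urgency")
    if REQUEST.search(text):
        signals.add("money_or_data_request")
    return signals


# Constructed sample messages (not real mail).
SAMPLES = [
    ("Pat Lee <pat.lee@exarnple.com>", "Urgent: wire the payment today."),
    ('"ceo@example.com" <ceo.office@freemail.test>', "Send me the payroll file."),
    ("Pat Lee <pat.lee@example.com>", "Agenda for next week's board meeting."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", sorted(whaling_signals(sender, body)))
```

A message that raises any of these signals is a candidate for out-of-band verification with the claimed sender, not proof of fraud on its own.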

Examples of Whaling attacks

  • 2015: A Hong Kong subsidiary of Ubiquiti Networks Inc. lost $47 million due to a whaling email attack targeted at a finance employee.
  • 2016: A criminal, posing as the CEO of Snapchat, tricked a high-ranking employee into giving the attacker employee payroll information.
  • 2017: A small business owner lost $50,000 to a man-in-the-middle whaling attack.

Some tips to protect your business from Whaling attacks

  • Educate employees. Educate your employees on the risks of whaling attacks and how to spot them. Encourage them to be skeptical of emails requesting personal information or urgent action.
  • Provide training and regular reminders to help keep the risks top of mind.
  • Conduct mock whaling exercises. Test your employees' ability to spot whaling attacks with simulated phishing exercises. This will help you identify weaknesses in your security measures and provide opportunities for further training.
  • Verify email addresses. Hover your cursor over the sender's name on an email to reveal the full email address. Check if it matches the company name and format to avoid falling for a spoofed email.
  • Be cautious on social media. Be mindful of the information you share on social media platforms like Facebook, Twitter, and LinkedIn. Cybercriminals can use this information to craft personalized whaling attacks.

Keep your data safe from scammers with Incogni

Incogni dashboard

Cybercriminals rely on collecting as much of your personal information as possible to launch convincing whaling attacks. Protect your business by Incogni is a personal data removal tool that can help eliminate potential personal data flowing around the internet, which cybercriminals could potentially buy or possess. Removing personal data from the internet is an important aspect of cyber hygiene, as it can prevent your sensitive information from being used for malicious purposes.

Remove your personal information from the internet with Incogni now. Sign up for a 1-year subscription and get 50% off.