
Whaling

Whaling definition

Whaling is a type of social engineering phishing attack that targets specific high-ranking employees. While phishing attacks are often generic and may be aimed at anyone, whaling requires a lot of research. The goal is to convincingly impersonate a senior executive, either to obtain a payment or to steal extremely sensitive information that can be held for ransom or sold for a huge profit. The attack relies on the idea that a direct order from your boss’ boss will make you panic, drop your guard, and perform the action (such as transferring a large sum of money) without thinking.

See also: CEO fraud

Real-life whaling examples

  • In 2016, Seagate’s HR department received an email from a scammer impersonating the company's CEO. They sent the requested data, leaking the personal details of about 10,000 employees.
  • In 2016, Austrian aircraft company FACC lost 56 million dollars to whalers. Its CEO and CFO lost their positions as a result of the attack.

How to prevent whaling

  • Contact the person by phone or in person if you suspect a message from them might be fake.
  • Get into the habit of checking emails for clues that they may be fake — at least inspect the sender’s email address.
  • Limit how much of your employee data is available online so it’s more difficult to impersonate them.
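The second tip above, inspecting the sender’s address, can be partly automated on the mail gateway. The following is an added example (not code from this page or any vendor) that flags inbound messages whose display name claims to be a known executive while the actual sending address is external, a lookalike of the corporate domain, or otherwise not that executive’s real mailbox; the domain, names and addresses are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample data (hypothetical domain and names): the organisation's real
# domain and the executives a whaling email would try to impersonate.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "john roe": "john.roe@example.com"}


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Classify a From: header as ('ok', reason) or ('suspicious', reason).

    A whaling email typically keeps the executive's name, or even their real address,
    in the display name while the actual sending address is external or a lookalike.
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name = " ".join(re.sub(r"[^a-z ]", "", display.lower()).split())
    # Catches display names that embed the executive's real address as the "name".
    claimed = next((e for e in EXECUTIVES.values() if e in display.lower()), None)
    expected = EXECUTIVES.get(name) or claimed
    if expected is None:
        return "ok", "display name does not match a known executive"
    if addr == expected:
        return "ok", "display name and address match the executive"
    if domain != CORPORATE_DOMAIN and _edit_distance(domain, CORPORATE_DOMAIN) <= 2:
        return "suspicious", f"executive name on lookalike domain {domain}"
    if domain == CORPORATE_DOMAIN:
        return "suspicious", f"executive name on unexpected internal address {addr}"
    return "suspicious", f"executive name on external address {addr}"


if __name__ == "__main__":
    for hdr in ('"Jane Doe" <jane.doe@example.com>', '"Jane Doe" <ceo.janedoe@gmail.com>',
                '"John Roe" <john.roe@examp1e.com>', '"jane.doe@example.com" <pay@mailer.test>'):
        print(hdr, "->", check_sender(hdr))
```

A display-name match is only one signal; a production filter would combine it with SPF/DKIM/DMARC results and with the payment-verification step the first tip describes.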