Whaling

What Is Whaling?

Whaling is a highly targeted form of phishing aimed at senior executives and other high-value individuals within an organization, such as CEOs, CFOs, and board members. The term plays on the idea of going after "big fish." Unlike broad phishing campaigns, whaling attacks are carefully researched and personalized, often impersonating a trusted colleague, legal authority, or financial institution to manipulate the target into wiring funds, sharing credentials, or approving fraudulent transactions.

Description

Whaling is a social engineering attack that exploits the authority and access that executives hold. Because targets are high-profile and their decisions carry significant financial or operational weight, successful whaling attacks can result in major financial losses or serious data breaches.

Usage and Examples

A common whaling scenario involves an attacker impersonating the company's CEO and sending a convincing email to the CFO requesting an urgent wire transfer to a vendor account. Another example is an attacker posing as a legal authority and pressuring an executive to hand over sensitive documents. Whaling is closely related to Business Email Compromise (BEC) and phishing, and often involves spoofed email addresses, fabricated urgency, and detailed knowledge of the target's role and relationships.
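The scenario above (an external sender posing as the CEO, a diverted Reply-To, urgency and a payment request) can be triaged with a few header and body heuristics. This is an added defender-side example, not Evolve Security's code; the corporate domain, executive roster and sample message are constructed.

```python
"""Heuristic triage for executive-impersonation (whaling) email."""
from email import message_from_string, policy
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                          # assumed corporate domain
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}  # constructed roster
URGENCY = ("urgent", "immediately", "today", "confidential")
FINANCE = ("wire", "transfer", "payment", "invoice", "gift card")

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_message(raw):
    """Return (score, reasons) for a raw RFC 5322 message string."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply = parseaddr(str(msg.get("Reply-To", addr)))
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    reasons = []
    # Display name matches an executive but the address is not ours:
    # the spoofed-sender pattern behind CEO fraud.
    if name.strip().lower() in EXECUTIVES and _domain(addr) != CORP_DOMAIN:
        reasons.append("executive display name from external domain")
    # Replies silently diverted to a mailbox the attacker controls.
    if reply and _domain(reply) != _domain(addr):
        reasons.append("reply-to domain differs from sender")
    if any(w in body for w in URGENCY):
        reasons.append("fabricated urgency language")
    if any(w in body for w in FINANCE):
        reasons.append("payment/transfer request")
    return len(reasons), reasons

# Constructed sample modelled on the CEO-to-CFO wire fraud scenario.
SAMPLE = """\
From: Jane Doe <jane.doe@example-mail.co>
Reply-To: jane.doe.ceo@freemail.test
To: John Roe <john.roe@example.com>
Subject: Urgent vendor payment
Content-Type: text/plain

John, I need a wire transfer to the new vendor sent today. Keep this
confidential until the deal is announced. Jane
"""

if __name__ == "__main__":
    print(score_message(SAMPLE))  # (4, [...four reasons...])
```

A score of two or more on a message addressed to finance staff is a reasonable threshold for holding it for manual review rather than delivering it.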

Evolve Security's penetration testing services include targeted social engineering assessments to test executive-level resilience against whaling and BEC attacks.
