5 Worst Whaling Attacks | Whale Phishing

Whaling attack

Whaling attacks are a growing concern in the world of cybersecurity. These attacks are highly targeted and focus on high-profile individuals within organizations, often with the goal of manipulating victims into authorizing high-value transfers to the attacker. In this article, we’ll explore five devastating examples of such attacks and discuss methods to protect your organization from becoming a victim.

Understanding Whaling Attacks

What is a Whaling Attack?

Whaling is a type of phishing attack that targets high-profile or senior individuals within an organization, such as executives, board members, or other high-ranking employees. These individuals are referred to as “big fish” or “whales,” hence the term “whaling.”

How does it work?

The primary goal of this attack is to trick the individual into disclosing personal information or any corporate related information using techniques such as email spoofing, social engineering and personalized content for the target. The attacker makes sure the email appears to be from a trusted source and also creates a sense of emergency which cancels out the time to check the integrity of such emails.

The emails are highly customized and personalized and often contain targets name, organization, job title and other relevant information from various sources to make the attack hard to detect. Attackers largely use social media such as Facebook, LinkedIn, Instagram to gather information on the victim to make the attack more realistic.

Before diving into the examples of these attacks, let’s clarify how these attacks differ from other types of phishing attacks.

Phishing vs. Spear Phishing vs. Whaling

Phishing is a broad term for any attempt to deceive users into providing sensitive information or gaining unauthorized access to their accounts. Spear phishing is a more targeted form of phishing, where attackers research their victims to create personalized messages which are connected to their day to day activities on web. These attacks are a specialized form of spear phishing that focuses on high-ranking individuals within an organization, such as CEOs or CFOs.

Phishing vs. Spear Phishing vs. Whaling
Phishing vs Spear Phishing vs Whaling

Attack Techniques

Attackers employ various tactics to appear legitimate, such as using industry jargon, exploiting their target’s emotions, and harvesting personal information from social media profiles like LinkedIn. This level of personalization makes these attacks highly effective and difficult to detect.

Some common techniques are explain here:

  1. Email Spoofing: Attackers often create emails that appear to come from a legitimate source, such as a high-ranking executive or trusted business partner. They may use the actual email domain of the target organization or a similar-looking domain to deceive recipients.
  2. Social Engineering: By gathering personal and professional information about their targets through social media and other sources, attackers can craft highly personalized messages that appear genuine and relevant to the victim. This can include mentioning recent events, using company-specific language, or referring to ongoing projects.
  3. Urgency and Pressure: Attackers often create a sense of urgency to pressure their targets into acting quickly, without taking the time to verify the legitimacy of the request. They may use tactics such as claiming that the funds are needed for an important business deal or to resolve a critical issue.
Email Spoofing
Email Spoofing

Devastating Attack Examples

Now let’s revisit the five devastating examples of such attacks and examine how they were executed and look into the reasons why they were successful.

1. Snapchat Payroll Information Leak

The attack on Snapchat was carried out on 2016 in which attackers sent mail to a high ranking employee at snapchat pretending to be the CEO. An email supposedly from Evan Spiegel was sent to the HR staffer, who responded with the information requested. The attacker used an urgent tone to request the payroll information. The payroll department failed to verify the legitimacy of the email, and as a result, sensitive employee data was leaked.

2. Mattel’s Financial Loss

The attacker impersonated the new CEO and requested the transfer at a time when the company was undergoing a leadership transition. The finance executive did not verify the authenticity of the email or the transfer request, leading to a loss of $3 million. The attack on Mattel’s succeeded due to the timing of the request.

Mattel’s Financial Loss

3. Ubiquiti Networks Scam

Ubiquiti Networks Inc., the San Jose based manufactured of networking high-performance networking technology for service providers and enterprises. A member of staff in one of its subsidiary companies based in Hong Kong fell victim to what is known as a “CEO scam” or a “Business Email Compromise (BEC) attack.

The attack on Ubiquiti Networks was successful because the attacker impersonated a high-ranking executive, used company-specific language, and created a sense of urgency. The finance department did not question the legitimacy of the email or the wire transfer instructions, resulting in a $46.7 million loss.

4. Austrian Aerospace Company FACC

FACC, which supplies aerostructures, engines and nacelles, cabin interiors and aftermarket services to major airline customers like Boeing and Airbus. A senior executive fell victim to email which was appeared to be from the CEO – Walter Stephan

The attack on FACC succeeded because the attacker posed as a company senior executive and requested a transfer for a seemingly legitimate business purpose. The employees involved did not verify the authenticity of the email or the transfer request, leading to a massive financial loss of €50 million ($54 million).

5. Belgian Bank Crelan

The attack on Crelan was successful because the attacker was able to deceive the bank’s employees into transferring funds to a fraudulent account. The attacker likely used a combination of email spoofing, social engineering, and urgency to manipulate the employees, resulting in a loss of €70 million ($75 million). The activity came to light during the internal audit which flagged large transfers.

By examining these examples, we can see that the key factors that contributed to the success of these attacks include the use of email spoofing, social engineering, and urgency to deceive their targets. Organizations must prioritize security awareness training and implement robust security measures to protect against these tactics.

Preventative Measures

Protecting against such attacks involves mix of employee security awareness, having data detection policies in place and protection of infrastructure.

1. Employee Security Awareness Training

Preventing such type of cybersecurity threat requires awareness of all the employees including the low-level employees to the senior executives such as CEOs. They must be trained in identifying such type of attacks and should have basic awareness to these type of attacks. Employees should be aware of how a social engineering attack tactics look like and should be able to differentiate between fake email addresses that mimic to be trusted source. For example, if an employee regularly corresponds to mail address that reads [email protected], the hacker might send malicious mail from [email protected] to gain trust of the employee. The employee should be very cautious when dealing with financial mail requests as that can be mostly targeted by the attacker.

Employee Security Awareness Training

2. Two-Factor Authentication

Implement two-factor authentication (2FA) for critical systems and processes, such as wire transfers and sensitive data access. 2FA adds an extra layer of security, making it more difficult for attackers to gain unauthorized access. Also monitor all the emails and attachments from outside the organization for malware, viruses etc. to identify any potential malicious traffic.

3. Email Filtering and Monitoring

Use email filtering and monitoring solutions to block potential suspicious emails and flag emails from external sources for review. Data security policies should be set in place to ensure emails and files are monitored for any suspicious network activity. These will provide layered security against such type of attacks and decrease the chance of a breach. Rules can be set to block phishing emails before reaching the potential victim.

4. Social media Education

Social media turns out to be rich in information for the attackers to learn about the target such as CEO to craft a highly personalized mail pretending to be them. The high level executives should limit the availability of information on the social media by setting up privacy restrictions on their social media accounts. This will reduce the chances of a cyber criminal from imitating the senior executive.

5. Regular Security Audits

Conduct regular security audits to identify vulnerabilities and assess the effectiveness of your organization’s security measures.

6. Incident Response Plan

Develop and maintain a comprehensive incident response plan to address potential attacks. Ensure all employees know their roles and responsibilities in the event of an attack.

7. Integrating Anti-Phishing tools and Services

Many vendors offer anti-phishing software which can help in preventing such type of phishing attacks. These solutions also can help in spreading employee awareness and also in executing drills of such situation on employees. Organizations can also opt for Anti Phishing Services to combat phishing attacks.


What is a whaling attack?

A whaling attack or whaling email attack is a type of phishing attack that specifically targets high-level executives or important individuals within an organization, such as CEOs, CFOs, and other senior executives. The name “whaling” comes from the idea that these attackers are hunting for big fish or high-value targets.

What is the difference between phishing and whaling?

Phishing attacks are more general and target a wider audience, while these attacks are highly targeted and focus on specific individuals within an organization.

How do you recognize a whaling attack?

1. The email or message appears to come from a high-level executive or other important individual within the organization, but the message content or language seems unusual or out of character.
2. The message is urgent or requests that the recipient take immediate action, such as transferring funds or providing sensitive information.
3. The message contains a sense of authority, such as threatening the recipient with disciplinary action if they do not comply with the request.
4. The message contains a sense of familiarity, such as referencing a recent conversation or using personal details about the recipient.
5. The email or message contains an attachment or link that the recipient is prompted to download or click on.

What Type of Phishing Attack is Whaling?

Whaling is a type of phishing attack that is more sophisticated and carefully crafted than other phishing attacks, with messages that are highly personalized and often appear to come from a trusted source, such as a colleague or business partner

What are impersonation Attacks?

Impersonation attacks can take many different forms, but some common examples include:

1. Email spoofing: the attacker sends an email that appears to come from a trusted source, such as a colleague or business partner, but is actually from a fake or compromised email account.

2. Social media impersonation: the attacker creates a fake social media account that appears to belong to a real person or organization, and uses it to gather information or carry out fraud.

3. Website impersonation: the attacker creates a fake website that appears to be legitimate, such as a banking or e-commerce site, and uses it to collect login credentials or other sensitive information from unsuspecting victims.

4. Caller ID spoofing: the attacker uses software to disguise their phone number and appear as a trusted caller, such as a bank or government agency, in order to convince the victim to divulge sensitive information.


These attacks are a growing threat to organizations, and the examples discussed in this article highlight the devastating consequences of falling victim to such attacks. By implementing robust security measures and raising awareness among employees, organizations can significantly reduce their risk of becoming a target.

It is crucial to understand that the these attacks are executed using the means of social engineering and use methods to exploit the trust existing in and out of the organization. These tactics used by attackers are ever evolving and getting more sophisticated. To combat them effectively, it is recommended to opt for a phishing attack simulation platform, at PhishGrid we provide basic phishing simulations attacks for free. To schedule a free phishing simulation for your organisation, you can contact us and schedule a call.

You can also run phishing attack simulations on your own by following our guide on how to design a phishing attack simulation. Now that you know about such attacks and how it works you can be more vigilant to avoid such devastating loss.

Lichumon is an enthusiastic SOC Analyst with a keen interest in exploring the complexities of the dark web and human risk factors in cybersecurity. Despite being early in his career, his eagerness to learn and adapt sets him apart. Balancing vigilance and curiosity, Lichumon navigates the ever-evolving cyber threat landscape with a sense of determination and commitment to continuous learning.