What Is Whaling?

This sophisticated phishing technique angles for the big fish

[Image: a hook dangles over a computer keyboard, depicting the computer fraud known as phishing. Credit: Paul Gregg/E+/Getty Images]

"Whaling" is a specific form of phishing aimed at high-profile targets: business executives, senior managers, and others with authority or privileged access. It differs from ordinary phishing in that the emails or web pages carrying the scam take on a more official or serious look and are usually addressed to one particular person rather than blasted out to thousands.

For perspective, ordinary phishing is usually a mass attempt to harvest someone's login for a social media site or bank, and the email or site looks generic. In whaling, the message and the page are written specifically for the manager or executive being targeted, often using their name, title, and details about the company to look authentic.

Spear phishing is phishing aimed at a specific target, such as a named individual or a single company. Whaling is therefore a form of spear phishing: the spear is simply pointed at the biggest fish.

What Is the Objective of Whaling?

The goal is to trick someone in upper management into divulging confidential company information. Most often this means the password to a sensitive account, which the attacker then uses to get further into the company's systems and data.

The lever in whaling, as in other phishing, is urgency and fear: the recipient is convinced they must act immediately to avoid legal fees, keep their job, save the company from bankruptcy, and so on. Fear is the method; the credentials are the end-game.

What Does a Whaling Scam Look Like?

Whaling, like any phishing con game, involves a web page or email that masquerades as one that's legitimate and urgent. They're designed to look like a critical business email or something from someone with legitimate authority, either externally or even internally from the company itself.

The link in the message might appear to lead to a site you use regularly, and the page it opens asks for your login just as the real one would. The problem is what happens after you enter it.

When you submit your credentials, the page typically tells you they were incorrect and asks you to try again. No harm done, you think; you just mistyped your password. That "try again" is the scam working exactly as intended.

Behind the scenes, the fake site (which can't actually log you in, because it isn't connected to the real service) sends what you typed to the attacker and then redirects you to the real website. You enter your password again, it works, and nothing looks wrong.

At that point you have no reason to suspect the first page was fake, but the attacker now holds a working username and password for the site you believed you were logging in to.

Instead of a link, the message may ask you to download a program in order to view a document or image. Whether or not the program does what it claims, it also carries a malicious payload: typically a keylogger that records everything you type, though it may also delete or steal files on your computer.

How Whaling Is Different From Other Phishing Scams

In a regular phishing scam, the web page or email might be a faked warning from your bank or PayPal. The page frightens the target with claims that their account has been charged or attacked and that they must enter their ID and password to confirm the charge or verify their identity.

In whaling, the masquerading page or email takes a more serious, executive-level form. Its content is written for a specific upper manager such as the CEO, or even a supervisor who has a lot of pull in the company or holds credentials to valuable accounts.

The whaling email or website may come in the form of a false subpoena, a fake message from the FBI, or some sort of critical legal complaint.

How Do I Protect Myself From Whaling Attacks?

The most effective habit is to be careful about what you click. Because whaling arrives by email and web page, most attempts can be defeated by checking whether a link really leads where it claims to before you act on it.

It isn't always possible to tell. Sometimes you get a message from someone you've never corresponded with, and what they send looks entirely legitimate.

Even so, a few checks greatly reduce your chances of being caught: look at the full URL in the browser's address bar and confirm the domain is the one you expect (not merely one that contains the expected name somewhere in it), hover over links before clicking to see where they actually go, and, for anything involving a login or a legal demand, go to the site directly or phone the sender on a number you already have rather than using the link or number in the message. Turning on multi-factor authentication for important accounts limits the damage if a password does leak.
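One way to automate the "look at the URL" check for every link in a message, as an added example that is not part of the original article: the Python below pulls each link out of an HTML email body and flags the tells that whaling pages rely on (a trusted name buried inside a different domain, credentials before an `@`, a bare IP address, a punycode lookalike host, and link text that shows one domain while the href points at another). The sample email, the trusted-domain list, and all host names in it are constructed for this example.

```python
"""Flag suspicious links in an HTML email body (added example, not from the
article). The sample email, trusted domains and host names are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: registrable domains this recipient legitimately logs in to.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}

# Constructed HTML email: three classic phishing lures and one benign link.
SAMPLE_EMAIL = """
<p>Immediate action required: a legal complaint has been filed against your company.</p>
<a href="https://login.example-bank.com.verify-account.net/sso">https://login.example-bank.com</a>
<a href="https://example-bank.com@198.51.100.7/login">example-bank.com</a>
<a href="http://xn--exmple-bank-3xa.com/login">example-bank.com</a>
<a href="https://mail.example.com/owa">Open webmail</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Deliberately naive: a real checker
    would use the Public Suffix List so that suffixes like co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Something that looks like a domain or URL inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def analyze_link(href, text):
    """Return the reasons this link looks like a lure (empty list = clean)."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        findings.append(f"unusual scheme {parsed.scheme!r}")
    if "@" in parsed.netloc:
        findings.append("credentials before '@': the real host is " + host)
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append("bare IP address instead of a host name")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) host; may be a lookalike of a familiar name")
    if host and registrable_domain(host) not in TRUSTED_DOMAINS:
        findings.append(f"domain {registrable_domain(host)} is not a trusted domain")
    shown = DOMAIN_IN_TEXT.search(text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(f"link text shows {shown.group(1)} but points at {host or 'nothing'}")
    return findings


def scan_email(html):
    """Map each href in the message to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyze_link(href, text) for href, text in parser.links if href}


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", findings or "ok")
```

The benign webmail link comes back clean because its registrable domain is on the trusted list and its text makes no claim about where it leads; the three lures each trip at least two checks. A trusted-domain allowlist is the part that does the most work here, and it is also the part that must be maintained per recipient, which is why hovering and reading the address bar remain the habits worth teaching.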

Do Executives and Managers Really Fall for These Whaling Emails?

Yes, unfortunately, executives do fall for them. The 2008 FBI subpoena whaling scam is the usual example.

About 20,000 corporate CEOs were targeted, and roughly 2,000 of them fell for it by clicking the link in the email, believing it would install a browser add-on needed to view the full subpoena.

In truth, the download was a keylogger that quietly recorded the CEOs' passwords and forwarded them to the con men. With those credentials in hand, the attackers could push further into each of the roughly 2,000 affected companies.