You receive an email that reads “Hi Joe, I need you to do a transfer for me before EOB. Please email the required details you will need.” Would you question the legitimacy of this message? Would you reply?
Although an email like this may come across as fairly typical and harmless, there is a good chance that it is a whaling attempt which could have devastating consequences for you and your company.
What is Whaling?
Whaling is a highly dangerous and deceptive variation of phishing designed to target high-profile executives, or “whales”. The goal is to manipulate the victim into authorizing high-value wire transfers to the attacker. Unlike traditional phishing campaigns, whaling doesn’t involve employees clicking on links or becoming infected with malware. Rather, the goal of a whaling attack is to trick an individual into disclosing sensitive information through social engineering, email spoofing and website spoofing techniques. In comparison, conventional non-whaling phishing is typically an attempt to obtain someone’s login information to a bank or a social media account. The ultimate goal of all phishing campaigns, including whaling, is to scare recipients and convince them that they need to take rapid action in order to avoid consequences such as legal fees, bankruptcy, getting fired from their job, etc.
Whaling attacks are often successful because attackers are willing to devote extensive time and effort to constructing these campaigns due to their potentially high returns. As a result, threat actors conduct in-depth research on victims in order to make their fraudulent emails seem as real as possible. Attackers gather information including birthdays, pictures, hobbies, promotion announcements and relationships via social media, the Internet or compromised email accounts and use this information to craft incredibly convincing campaigns. And these campaigns have the potential to do significant damage. The FBI has reported that since 2013, over $12 billion has been unwittingly sent by 78,617 companies through the successful exploitation of CFOs and finance leaders in the U.S., UK and Europe.
Did you know: Since spear phishing is a highly targeted variation of phishing, whaling may also be considered spear phishing.
How Exactly Does a Whaling Scam Work?
Whaling involves a fraudulent email or web page that masquerades as one that is authentic and urgent. Whaling messages are crafted to look like a critical business email from someone with legitimate authority.
A whaling attempt may look like a link to a regular, familiar website. When you click on a malicious link which directs you to a fraudulent website, a login page likely prompts you for your username and password. When you try to submit your information into the login fields, you're likely told that what you entered was incorrect and that you should try again. This is the scam!
The information that you entered into the fake site is sent to the attacker and then you are redirected to the legitimate website. This time, your username and password (which were correct in the first place) work just fine. However, the attacker now has your username and password to this website and you have no idea that this information has been compromised.
Other whaling attempts may trick you into downloading a malicious program in order to view a document or image. The program is then used by the attacker to track everything you type or delete things from your computer.
A Serious, Persistent Threat that Does Not Discriminate
Recently, threat actors have been imitating high-level executives in the shipping industry in costly whaling campaigns. However, whaling attacks are a threat to businesses of all sizes across all industries. In one notorious 2016 whaling attack, a Snapchat employee received an email from a threat actor pretending to be the CEO. The employee was tricked into giving the attacker payroll information. Another high-profile whaling attack from 2016 involved a Seagate employee who unknowingly emailed income tax data to an unauthorized third party. This resulted in the compromise of personal information of thousands of individuals. While whaling attacks that target smaller companies are less prevalent in the media, they still occur on a regular basis and can have devastating implications for a small or medium-sized business.
How to Recognize a Whaling Email
Whaling emails are crafted utilizing advanced social engineering tactics to target and deceive users; however, there are various best practices that individuals should implement which will increase their chances of recognizing these dangerous emails:
- Evaluate the sender’s email address: Does it look correct? Are there added letters and/or numbers within the username? Does it use the correct domain?
- Check for spelling and grammatical errors in the subject line and the body of an email. Errors can indicate that an email is not authentic. Also, keep an eye out for suspicious subject lines and signatures.
- If an email appears suspicious in any way, make a phone call to the sender to confirm the legitimacy of the message.
The image below is a whaling email which was identified and quarantined by Guardian Digital EnGarde Email Security Gateway. At first glance, it may look like a legitimate email from a CEO or a CFO to an employee; however, there are multiple “red flags” that indicate that this is a whaling email. Some indications that this is a fraudulent email include:
- Suspicious “Reply to” address
- Urgent tone: trying to convince the recipient to act without thinking things through
- No signature
These are several indications that this is not a legitimate email, but users may not be aware of them or remember to look for them in every message they receive. Thus, an advanced, threat-ready email security gateway is imperative to effective business email protection.
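The checks in the two lists above (sender address, spelling and tone, Reply-To mismatch, missing signature) can be run mechanically before a human ever reads the message. The script below is an added example written for this post; it is not code from Guardian Digital or from the EnGarde gateway. The two sample messages, the addresses and domains in them, the trusted domain `example-corp.com`, the urgency phrase list and the 0.85 similarity threshold are all constructed assumptions for illustration.

```python
"""Triage a raw email for the whaling red flags discussed above."""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message quoted at the top of the post.
# Note the digit "1" in place of "l" in the sender domain and the unrelated
# Reply-To domain; both are made up for illustration.
SAMPLE_WHALING_EMAIL = """\
From: "Jane Smith" <jane.smith@examp1e-corp.com>
Reply-To: jane.smith.ceo@mail-relay.example.net
To: joe@example-corp.com
Subject: Urgent transfer before EOB
Date: Mon, 10 Jun 2019 14:02:11 -0400

Hi Joe, I need you to do a transfer for me before EOB.
Please email the required details you will need.
"""

# Constructed benign message from the same (real) sender for comparison.
SAMPLE_LEGIT_EMAIL = """\
From: "Jane Smith" <jane.smith@example-corp.com>
To: joe@example-corp.com
Subject: Q3 budget review notes
Date: Mon, 10 Jun 2019 14:02:11 -0400

Hi Joe, attached are my notes from today's budget review.
Let's discuss on Thursday.

Regards,
Jane
"""

TRUSTED_DOMAIN = "example-corp.com"  # assumed: the company's genuine domain

# Phrases that signal the "act now, don't think" tone; tune for your mail flow.
URGENCY_PHRASES = ("urgent", "immediately", "asap", "before eob", "right away",
                   "as soon as possible", "cannot be delayed")
# A sign-off line at the start of a line counts as a signature.
SIGNOFF = re.compile(
    r"^\s*(?:--|(?:regards|kind regards|best|thanks|thank you|sincerely|cheers)\b)",
    re.I | re.M)


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain, trusted):
    """True when domain is not the trusted one but nearly identical to it,
    e.g. 'examp1e-corp.com' vs 'example-corp.com' (added/swapped characters).
    The 0.85 ratio is an assumed tuning value, not a standard."""
    if not domain or domain == trusted:
        return False
    return difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85


def triage(raw_message, trusted_domain):
    """Return the list of red flags found; an empty list means none fired."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    flags = []

    # 1. Sender address: lookalike of the company domain?
    if is_lookalike(from_domain, trusted_domain):
        flags.append("lookalike-sender-domain")
    # 2. Suspicious Reply-To: replies would go somewhere other than the sender.
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-mismatch")
    # 3. Urgent tone in subject or body.
    text = ((msg["Subject"] or "") + "\n" + body).lower()
    if any(phrase in text for phrase in URGENCY_PHRASES):
        flags.append("urgent-tone")
    # 4. No signature block.
    if not SIGNOFF.search(body):
        flags.append("no-signature")
    return flags


if __name__ == "__main__":
    print("whaling sample:", triage(SAMPLE_WHALING_EMAIL, TRUSTED_DOMAIN))
    print("legit sample:  ", triage(SAMPLE_LEGIT_EMAIL, TRUSTED_DOMAIN))
```

Each flag on its own is weak evidence (plenty of genuine executive mail is terse and urgent), which is why the script returns the whole list rather than a verdict: a gateway or an analyst would weigh several flags together, and a single lookalike-domain or Reply-To hit is usually enough to hold the message for the phone-call verification recommended above.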
Best practices to prevent successful whaling attacks:
- Check carefully for spoofed email addresses or names. Make sure that the sender’s email address perfectly matches the company name and format.
- Be aware of what you click on. Stop and think before responding to any email you receive.
- Review all URLs you receive via email in your web browser. By determining whether anything looks suspicious, you can greatly decrease your chances of being attacked.
- Prioritize effective security awareness training.
- Review existing processes, procedures and separation of duties for financial transfers and other important transactions such as sending sensitive data in bulk to outside entities.
- Consider new policies related to “out of band” transactions or urgent executive requests.
- Review, refine and test your incident management and phish reporting systems.
- Be wary of any communication that is exclusively email based and establish a secondary means of communication for verification purposes.
- Be mindful of phone conversations. Whaling victims have reported receiving phone calls from threat actors requesting personal information for verification purposes.
- Executives should take special care when sharing information online or on social media sites like Facebook, Twitter and LinkedIn. Details such as birthdays, hobbies, holidays, job titles, promotions and relationships can all be used by threat actors to craft more sophisticated campaigns.
- Invest in a comprehensive, fully-managed email security gateway that provides complete, end-to-end protection and utilizes advanced email authentication methods including DKIM, SPF and DMARC.
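The last item is where a gateway stops an exact-domain spoof (the case where the attacker's From address is your real domain, not a lookalike): it checks the SPF and DKIM results against the sending domain's published DMARC policy and applies that policy's disposition. The script below is an added example for this post, not EnGarde's code or any vendor's implementation. The DMARC TXT records, the Authentication-Results headers and the domains are constructed; the "organizational domain = last two labels" shortcut stands in for a Public Suffix List lookup and is an assumption.

```python
"""Evaluate a message against SPF/DKIM results and the sender domain's DMARC
policy, the way a receiving gateway does, and flag weak policies."""
import re
from email.utils import parseaddr

# Constructed DNS TXT records for two hypothetical domains (no real lookups).
DMARC_RECORDS = {
    "_dmarc.example-corp.com":
        "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.com; adkim=s; aspf=s",
    "_dmarc.weak.example":
        "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
}

# Constructed Authentication-Results headers as a receiving MTA would add them.
LEGIT_AUTH_RESULTS = ("mx.example-corp.com; spf=pass smtp.mailfrom=jane.smith@example-corp.com; "
                      "dkim=pass header.d=example-corp.com")
SPOOFED_AUTH_RESULTS = ("mx.example-corp.com; spf=fail smtp.mailfrom=jane.smith@example-corp.com; "
                        "dkim=none")
WEAK_DOMAIN_SPOOF_RESULTS = "mx.example-corp.com; spf=fail smtp.mailfrom=boss@weak.example; dkim=none"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Simplified organizational domain (last two labels). Real implementations
    consult the Public Suffix List; this shortcut is an assumption."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Pull (result, domain) for spf and dkim out of an Authentication-Results
    header. Only the fields this example needs are parsed."""
    results = {}
    spf = re.search(r"spf=(\w+)[^;]*smtp\.mailfrom=([^;\s]+)", header)
    if spf:
        results["spf"] = (spf.group(1).lower(), spf.group(2).split("@")[-1])
    dkim = re.search(r"dkim=(\w+)[^;]*header\.d=([\w.-]+)", header)
    if dkim:
        results["dkim"] = (dkim.group(1).lower(), dkim.group(2))
    return results


def dmarc_disposition(from_header, auth_results_header, records=DMARC_RECORDS):
    """Return 'pass', 'no-policy', or the policy's requested disposition
    ('none', 'quarantine', 'reject') for a failing message."""
    from_domain = parseaddr(from_header)[1].split("@")[-1].lower()
    record = records.get(f"_dmarc.{from_domain}")
    if record is None:
        return "no-policy"
    tags = parse_dmarc(record)
    results = parse_auth_results(auth_results_header)
    spf_res, spf_dom = results.get("spf", ("none", ""))
    dkim_res, dkim_dom = results.get("dkim", ("none", ""))
    # DMARC passes if either SPF or DKIM passes AND its domain aligns with From.
    passes = ((spf_res == "pass" and aligned(spf_dom, from_domain, tags.get("aspf", "r"))) or
              (dkim_res == "pass" and aligned(dkim_dom, from_domain, tags.get("adkim", "r"))))
    return "pass" if passes else tags.get("p", "none")


def policy_weaknesses(record):
    """List the reasons a DMARC record would not actually stop a spoof."""
    tags = parse_dmarc(record)
    issues = []
    if tags.get("p", "none") == "none":
        issues.append("p=none: failures are only reported, never blocked")
    if "rua" not in tags:
        issues.append("no rua: aggregate reports are not collected")
    if tags.get("pct", "100") != "100":
        issues.append("pct<100: policy applied to only part of the mail")
    return issues


if __name__ == "__main__":
    ceo = '"Jane Smith" <jane.smith@example-corp.com>'
    print("genuine CEO mail:", dmarc_disposition(ceo, LEGIT_AUTH_RESULTS))
    print("spoofed CEO mail:", dmarc_disposition(ceo, SPOOFED_AUTH_RESULTS))
    print("spoof of p=none domain:",
          dmarc_disposition('"Boss" <boss@weak.example>', WEAK_DOMAIN_SPOOF_RESULTS))
    print("weak record issues:", policy_weaknesses(DMARC_RECORDS["_dmarc.weak.example"]))
```

The contrast between the two constructed records is the point: with `p=reject` the spoofed CEO message is refused even though its From address is the genuine company domain, while the `p=none` domain's spoof is delivered and merely reported. Publishing SPF and DKIM without an enforcing DMARC policy therefore protects nobody receiving mail that claims to come from you.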
How to Report Phishing:
If you receive any type of phishing email, report it immediately. The information you give is critical in fighting scammers. Follow these steps to report a phishing email:
Step 2. Report the phishing attack to the FTC at ftc.gov/complaint.
Do Executives and Managers Really Fall for These Scams?
Yes, unfortunately it is extremely common for managers and executives to fall for whaling scams. In the notorious 2008 FBI subpoena whaling campaign, approximately 20,000 CEOs were attacked and about 2,000 of them fell for the whaling scam by clicking the link in the email. They were convinced that doing so would download a special browser add-on to view the entire subpoena. The linked software was really a keylogger that secretly recorded the CEOs’ passwords and forwarded those passwords to the attackers. As a result of this successful attack, each of the 2,000 compromised companies was hacked even further once the threat actors had obtained the information they were after.
It is especially important that finance, payroll, and human resources departments stay alert for these scams, as almost 50 percent of whaling campaigns target the CFO and 25 percent target HR inboxes.
What is your company doing to protect against whaling? Have you or someone you know ever received a whaling email? We’d love to hear your story.
Stay tuned for our next Email Threats Explained blog post on ransomware!