What Is Whaling Phishing? How To Avoid Executive Fraud

Scammers Are Targeting Executives. Are You Safe?

When a Snapchat employee received an email from the company’s CEO asking for payroll information, the employee sent the records right away. But within just four hours, the truth came out. The message from the “CEO” was actually a cybercriminal impersonator targeting the company’s employee data [*].

Cyberattacks like these can have devastating impacts on organizations and employees. According to the FBI's latest data [*]:

Cybercriminals stole over $26 billion from companies through Business Email Compromise (BEC) and other executive phishing scams.

Modern scammers are using more sophisticated phishing tactics to target high-ranking “big phish” in organizations. Fraudsters harness personal information available online to pose as executives. Then, they use social engineering tactics to encourage employees to send over sensitive information.

In this guide, we’ll explain what whaling phishing is, how to spot an attack, and how to protect yourself and your company.

{{show-toc}}

What Is Whaling? How Does It Work?

Whaling — also known as CEO fraud — is a type of phishing attack that targets and/or impersonates C-level executives in a company. Unlike typical phishing attacks that target seemingly random individuals, whaling happens when an attacker picks high-profile “whale” targets and then uses spear phishing tactics to go after them. 

The specificity of the target is the key differentiator here — and the reason why whaling can be so dangerous to a company. According to data from IBM, the average cost of a data breach at an American company is $9.44 million [*].

There is typically more publicly available information online about senior executives — giving fraudsters more opportunities to exploit. Additionally, high-ranking executives regularly have administrative privileges or access to sensitive company data. 

Not only do whaling scammers target CEOs and CFOs, but they also sometimes impersonate these same individuals to target employees in a company. It’s often easier for fraudsters to gain access to a junior employee’s account, which they can then utilize to go after high-value leaders.

Here’s how a whaling phishing attack targeting company employees typically works:

• Scammers research a company and pick a “whale” target. Cybercriminals use publicly available information — from press releases, social media posts and profiles (like LinkedIn), and company announcements — to learn about their “big phish” target.
• Next, they impersonate their “whale” and target other executives or employees in the company. Scammers target employees with fake emails or texts claiming to be from the CEO, executive, or another trusted source. In some cases, fraudsters follow up with a phone call to “confirm” their email request.
• The scammers make up excuses for why they can’t talk — but need help now. Hackers use social engineering tactics to create a sense of urgency and encourage their victims to act quickly. They’ll discourage any phone calls or in-person meetings, and often frame the request as a quick personal favor.
• Finally, they ask for company data, changes to payment information, or login credentials. In a whaling attack, the goal is to entice these targets to wire-transfer money from a bank account, give up credentials, or send sensitive company information. This might include intellectual property or data to which your average employee doesn’t have access.
• Once they gain access to an official company email address, they can use this to target the real CEO. In some cases, scammers first try to hack the email address of a junior employee. Once they’ve stolen those login credentials, they move on to target specific individuals in a company. Usually, these are high-level executives with more administrative privileges — and more to lose in a data breach, blackmail threat, ransomware attempt, or other attack.
• The attackers may attempt to cover their tracks. If successful, scammers often attempt to delete any evidence of the attack. This sometimes involves masking their identities by using a proxy server.

Falling for a whaling scam can have devastating personal and professional consequences. It can lead to outcomes such as company data breaches and lost revenue —  and, in severe cases, you may lose your job or even be held legally responsible.

How To Spot a Whaling Phishing Attack: 6 Warning Signs

Because this type of attack is highly targeted, whaling messages are typically more sophisticated than your average spear phishing attack or phishing campaign. The warning signs are often subtle and may be difficult to detect if you’re not sure what to look for.

Here are a few signs to help you spot and identify a whaling phishing attack:

• The sender is “in a conference” or otherwise busy — but needs your help. Whaling attacks take advantage of a victim’s desire to impress company managers and executives. These messages try to encourage you to act quickly without thinking or double-checking that the information is legitimate.
• The message is written with a sense of urgency or veiled threatening language. Similarly, hackers may sometimes impersonate a senior manager and include a veiled threat in the message. They may imply that the victim’s job will be at risk if they don’t comply with the request — encouraging targets to act quickly.
• The message is from an unknown email address or phone number. If scammers don’t have access to an executive’s email, they often send messages with a phone number, and then sign off using their target’s full name and company job title. If you don’t know your CEO’s phone number, you may believe the message is legitimate.
• The email address is similar  — but not an exact match —  to the company from which the email claims to be sent. Scammers try to earn your trust by contacting you with an email that looks legitimate but is actually slightly different. They do this by making subtle changes to the address that you’re not likely to notice — for example, swapping the letters “rn” for an “m.” Cybercriminals also use spoofed email addresses, which can be even more difficult to spot.
• The sender includes specific details or an inside company reference. Whaling attacks work by tricking targets into believing they’re communicating with people whom they know and trust. One way that scammers can do this is by including specific details or obscure references that only internal contacts should know.
• The sender requests confidentiality. To keep their actions hidden from company employees, hackers often request that the communication stay private. If you comply, this makes it much easier for them to continue the attack until they get what they want.

How To Protect Yourself From Whaling

1. Verify urgent emails and texts from executives
2. Enable two-factor authentication (2FA)
3. Store passwords in a secure password manager
4. Use antivirus and Safe Browsing tools
5. Educate yourself about common phishing tactics
6. Pay attention to the “From” name on forwarded email threads
7. Handle critical or sensitive tasks face-to-face or via phone calls
8. Limit the amount of information available about you online

Whaling attacks affect both employees and executives. To stay safe while working, follow these tips on how to identify (and protect yourself from) a whaling phishing attack:

1. Verify urgent emails and texts from executives

Whaling emails are a kind of social engineering attack designed to pressure victims into acting quickly without thinking. Slowing down when you receive email requests is one of your best defenses against whaling.

What to do if you get a suspicious message from an executive:

• Trust your gut. If something feels off about a request in an email, message, or phone call, your instincts are probably correct.
• Check the sender’s contact information. If you’re unsure if a message is legitimate, closely review the sender’s information. Make sure the person is using a company address that matches what you have on file.
• Verify the request through another executive. When in doubt, it’s always best to double-check the request with another manager or executive.

2. Enable two-factor authentication (2FA) on all of your accounts

Whaling attackers sometimes attempt to steal employee login credentials and then use those credentials to target other people in a company. Even if whaling attackers have successfully obtained your login information, having two-factor authentication enabled can prevent them from ever accessing your accounts.

2FA requires users to provide their password plus an additional form of identification (like a one-time security code sent via text or email) before being able to access their accounts.

💡 Related: How Does Two-Factor Authentication Work? →

3. Store passwords in a secure password manager

Once scammers are able to obtain your login credentials for one account, they’ll usually attempt to get into your other accounts as well. If all of your username and password combinations are the same, it’s a recipe for disaster.

A password manager can automatically create unique passwords for each of your accounts and store them securely to help prevent hacks and breaches of your personal data.

Password managers autofill your passwords for their respective sites. Since they only autofill on correct (and legitimate) sites, you can avoid accidentally entering your information into a fake login page created by scammers.

4. Use antivirus and Safe Browsing tools to protect against fake websites

One of the best phishing prevention tips is to take advantage of proactive tools that protect you from fake websites and malware.

Tools that can help safeguard you from whaling attacks:

• Antivirus and anti-malware software: Whaling and other types of Business Email Compromise (BEC) often include links or attachments that, when clicked, install malware on your device. Aura’s antivirus software can protect your device from infection if you click on a suspicious link.
• Safe Browsing tools: Safe Browsing tools can keep you from unknowingly entering phishing websites. Aura’s VPN and website blocker can block scam sites and help keep your online activities private.

5. Educate yourself about common phishing tactics

When it comes to whaling and other phishing scams, the best way to stay protected is by educating yourself.

How to educate yourself about whaling:

• Attend security awareness training. Take advantage of any cybersecurity training sessions that your company offers.
• Stay up to date on the latest phishing tactics. You can keep yourself in the loop and avoid the latest threats by subscribing to cybersecurity blogs and newsletters.
• Utilize online resources. There are countless resources online that can help you learn about phishing emails and how to avoid them. The Federal Trade Commission (FTC) has a phishing guide [*] on its website, which includes a quiz for you to test your knowledge.

💡 Related: 20 Phishing Email Examples (and How To Identify Them) →

6. Pay attention to the “From” name on forwarded email threads

Scammers may forward a legitimate email thread —  and use a similar-looking email address —  to request that you take some kind of action. If all the previous messages in the thread are legitimate, you might not easily catch the phishing attempt that is being forwarded with the thread.

Pay close attention to the “From” field whenever you receive forwarded emails — especially those asking for money or credentials. Scammers often use look-alike email addresses or spoofing to trick their targets. Keep an eye out for subtle changes in the domain name, tone, and format of the email so that you can spot potential scams.

7. Handle critical or sensitive tasks face-to-face or via phone call

Today, just about any task or request can be handled electronically. But this leaves you more vulnerable to whaling attacks since scammers often rely on avenues such as email and text messages —  both of which are easier to fake than other more direct forms of communication.

Critical tasks that involve exchanging sensitive information, manipulating data, or making financial transactions are best handled face-to-face. When that’s not possible, a phone call is a good alternative if you’re educated about vishing scams (voice scams) and what red flags to watch out for.

💡 Related: How To Identify a Scammer on the Phone →

8. Limit the amount of information available about you online

Scammers using whaling phishing tactics rely on personalized messages to gain the trust of their victims. Details like birthdays, hobbies, job promotions, and even relationships can all be used by fraudsters to craft more sophisticated messages.

How to prevent your information from being used by scammers:

• Keep social media accounts private. Lock social media accounts, like LinkedIn, so that only friends or connections can view your posts. You can also limit the visibility of your profile information for people with whom you’re not connected.
• Review and purge your accounts periodically. Even if your posts are set to “private,” information can still slip through the cracks. Do a review of your profiles several times a year to ensure there’s not too much information about you that is visible to the public.
• Don’t make your email address publicly available. Posting your email address publicly may seem convenient for customers and colleagues. But it also makes it easier for scammers to target you or hack your email account.

What To Do If You Receive a Whaling Phishing Message

• Do not respond or engage with the message or sender. If you’re not sure if the message you received is a whaling attack, you can minimize damage by simply not engaging. Avoid replying or clicking on any links or attachments within the message, even if they appear to be safe.
• Verify the authenticity of the message. To determine if a message is legitimate, contact the sender directly by creating a new email thread. Manually type in the sender’s email address (don’t copy and paste). Alternatively, you can check with your IT department to get confirmation.
• Contact your IT or cybersecurity department immediately. The sooner you alert your company’s security team to the breach, the faster they can minimize the damage.
• Disconnect your device from your company network. If your device was infected due to the breach, disconnecting can help prevent the spread of malware to other devices on the network.
• Scan for viruses and malware. Whaling attackers often use links and attachments to install malware on their target’s computer. If you clicked on or downloaded anything from the email in question, run a scan on your device to check for infections.
• Update your credentials and passwords using a secure device. If you believe your account may have been compromised, you’ll want to change your login information as soon as possible. Use a different device that’s secure, and consider enabling two-factor authentication (2FA).
• Alert partners, colleagues, and anyone else to whom you’ve recently sent emails. Let relevant parties know about the attack so they can watch out for suspicious messages or activity on their end.
• Monitor your accounts. Even after you’ve dealt with the attack, stay vigilant and keep an eye on your accounts for any signs of suspicious activity.
• Review and follow your company’s policies. Large organizations often have policies and procedures in place to help in the aftermath of a phishing attack.
• Report the attack to government agencies. Reporting whaling is one way you can help fight back against savvy phishing attempts. You can report the attack to the FTC [*], the Cybersecurity and Infrastructure Security Agency [*], and the Anti-Phishing Working Group [*].

The Bottom Line: Keep Your Company’s Data Safe

Employees and “big phish” executives are prime targets for cybercriminals. And the tactics scammers use are becoming more sophisticated every day.

With some due diligence and education, you can protect yourself and your company from these types of threats. And if you want even more peace of mind, Aura’s virtual private network (VPN), Safe Browsing, and antivirus software provide the perfect trio of tools for email security and phishing prevention in your organization.

Aura’s skilled team of U.S.-based Fraud Resolution Specialists are available 24/7 —  and if the worst should happen, every adult member on your Aura plan is covered by a $1 million insurance policy for eligible losses due to identity theft.

Protect yourself from phishing threats. Try Aura free for 14 days →