
How to Protect Your Staff From Whaling: The Big Phishing Expedition

Cyber-security awareness in the business sector has skyrocketed in the last five years. Between the ransomware epidemics, the evolution of phishing, and the scandals over stolen customer financial information, every business with even a single computer or cash register should be on its toes. Among the many threats, phishing is by far the most prominent way for malware to make its way onto business computers.

Phishing, as you may know, is a form of social-engineering attack. The hacker crafts an email they believe a targeted employee will feel compelled to open and read; in the email is an attachment that supposedly must be opened, and when it is, the malware hidden inside is downloaded onto the system. Simple download trickery isn't the only form of phishing, though. Since its inception, phishing has evolved several variants: vishing, for instance, uses phone calls to manipulate employees into taking actions that create cyber-security risks; spear phishing targets an employee through personal connections; and smishing targets employees through text messages.

But one of the most dangerous variations is known as whaling, because it targets or spoofs 'bigger fish'.

What is Whaling?

Whaling is what happens when hackers have bigger ideas than simply planting malware and want to use the weight and power of stolen business authority. Whaling comes in two forms: pretending to be a high-level manager, or fooling high-level managers into misusing their authority.

In cases where the hacker pretends to be an exec or upper-level manager, they will often use this spoofed identity to direct subordinates in sensitive positions to send them documents, transfer funds, or give their malware access to protected systems. They may also use this position to manipulate other execs at a similar level of authority.

In cases where the exec is the target, the hacker may pretend to be a direct report, an important client, or even a personal friend or family member. The goal is to trick the exec into using their power to provide the hacker with access to funds, files, or even set up a blackmail situation.

Identity Spoofing

In both forms of whaling, the hacker conducts extensive research on the targeted executive or upper-level manager. Social media is their primary source of information, so the targeted exec is likely to be someone who is active online and who includes their work life in social media posts. A personal website, an online journal, a published work history, and even a paid credit report may also serve as sources. Some even find a way to obtain examples of emails sent to and from the targeted manager so they can copy their style of communication.

Then the hacker looks for any signs of work relationships: who the exec has talked to on social media, who they have connected with on LinkedIn, and who they stand next to in publicly available photos.

When the hacker feels they can convincingly impersonate the targeted executive, they begin to formulate their attack. They will either abuse the power of their faked office to pressure an employee into doing something dangerous, or they will use this information to trick the targeted exec into 'helping' a client or colleague.

Protecting Your Company from Whaling Attacks

The threat of whaling and abuse of spoofed authority is enough to send any office into a paranoid tailspin, but there are better ways to defend against this insidious form of attack.

While some best practices suggest keeping company execs and managers off of social media, this is impractical in the modern corporate climate. Instead, your best approach is special cyber-security training for your top-level managers.

First, anyone in a position of authority needs to take their cyber-security training seriously, watching for anything that resembles phishing tactics. Don't be shy about running an email by IT if you think it's suspicious.

Second, always use two forms of confirmation for unusual or sensitive requests. This rule should be company-wide. If an employee in the finance department gets an unexpected request to transfer funds, they should never take it at face value. If a sensitive document needs to be shared, it's vital to double-check that request before following through. Two-form confirmation means not directly answering the email. Make a phone call, send an instant message, or pop your head into a colleague's office before acting on the request or command. If they didn't send the message, it's a whale.
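The two-form confirmation rule is a human control, but the same warning signs it relies on (an executive's name on a message sent from an outside address, a request about funds or documents, and pressure to reply by email only) can be checked automatically before a message ever reaches the finance team. The following Python script is an added example written for this page, not code from the original post: it triages inbound mail headers and body text and marks messages that match an executive's display name from a foreign domain, or that combine a sensitive request with a mismatched Reply-To, as "hold for verification". The company domain, the executive roster, the keyword lists, and both sample messages are constructed for illustration.

```python
"""Inbound-mail triage for likely whaling attempts (illustrative example).

Flags a message when:
  * the From display name matches a known executive but the sender address
    is outside the company domain (executive impersonation), or
  * the message asks for something sensitive (funds, invoices, payroll data)
    and routes replies to a different domain than it was sent from.
It also notes phrases that discourage the out-of-band check the policy calls for.
"""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                 # constructed: your own mail domain
EXECUTIVES = {"Jane Doe", "John Roe"}          # constructed executive roster
SENSITIVE_TERMS = ("wire", "transfer", "invoice", "gift card",
                   "payroll", "w-2", "confidential")
ISOLATION_PHRASES = ("can't talk", "email only", "do not call", "don't call")


def normalize_name(name: str) -> str:
    """Collapse whitespace/case so 'DOE, Jane' and 'jane doe' compare equal."""
    return " ".join(name.replace(",", " ").split()).casefold()


def analyze_message(raw: str) -> dict:
    """Return a triage verdict and the reasons behind it for one raw RFC 822 message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    display_name, sender_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    sender_domain = sender_addr.rpartition("@")[2].casefold()
    reply_domain = reply_addr.rpartition("@")[2].casefold()

    body_part = msg.get_body(preferencelist=("plain",))
    text = (body_part.get_content() if body_part else "").casefold()
    subject = (msg.get("Subject") or "").casefold()
    haystack = subject + "\n" + text

    exec_names = {normalize_name(n) for n in EXECUTIVES}
    name_is_exec = normalize_name(display_name) in exec_names
    impersonation = name_is_exec and sender_domain != COMPANY_DOMAIN
    reply_to_mismatch = bool(reply_addr) and reply_domain != sender_domain
    sensitive = [t for t in SENSITIVE_TERMS if t in haystack]
    isolation = [p for p in ISOLATION_PHRASES if p in haystack]

    reasons = []
    if impersonation:
        reasons.append(f"display name '{display_name}' matches an executive "
                       f"but sender domain is '{sender_domain}'")
    if reply_to_mismatch:
        reasons.append(f"Reply-To domain '{reply_domain}' differs from sender domain")
    if sensitive:
        reasons.append("sensitive request terms: " + ", ".join(sensitive))
    if isolation:
        reasons.append("discourages out-of-band confirmation: " + ", ".join(isolation))

    hold = impersonation or (bool(sensitive) and reply_to_mismatch)
    return {
        "verdict": "hold_for_verification" if hold else "deliver",
        "impersonated_executive": display_name if impersonation else None,
        "reply_to_mismatch": reply_to_mismatch,
        "sensitive_terms": sensitive,
        "isolation_phrases": isolation,
        "reasons": reasons,
    }


# Constructed sample: an impersonation of the CEO sent from an outside relay.
SAMPLE_WHALING = """From: "Jane Doe" <jane.doe.ceo@mail-relay.example.net>
Reply-To: <jd-private@webmail.example.org>
To: accounts@example.com
Subject: Urgent wire transfer before 3pm

Hi, I'm in a meeting and can't talk. Please process the wire transfer for the
attached invoice today and confirm by email only.
"""

# Constructed sample: a routine internal note from the real executive account.
SAMPLE_LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch menu for Friday

Could you circulate the lunch options for the offsite? Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("whaling", SAMPLE_WHALING), ("legit", SAMPLE_LEGIT)):
        result = analyze_message(sample)
        print(f"[{label}] {result['verdict']}")
        for reason in result["reasons"]:
            print("   -", reason)
```

A message held by this check should be routed to the "two-form confirmation" step rather than silently dropped: the finance employee still calls or messages the named executive through a known channel, and only a confirmation from that channel releases the request. The domain comparison is deliberately strict (an exact match on the company domain), so a look-alike domain is treated the same as any other outside address.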
Don't let hackers using spoofed authority leave your company open to attacks. For more information about how to protect your company, managers, and staff from whaling and other forms of creative hacker attacks, contact us today!