What is “whaling”, and what’s the difference from phishing

Late in December, the term “whaling” mildly spiked in cybersecurity-related media outlets. The term isn’t exactly new, but it isn’t encountered as often as “phishing”.

Late in December, the term “whaling” mildly spiked in cybersecurity-related media outlets. The term isn’t exactly new, but it isn’t encountered as often as “phishing”. In fact, as many of you may have guessed already, “whaling” is a specific kind of phishing. Just how specific?

The reason for the aforementioned “spike” is simple: Security experts from Mimecast firm have surveyed several hundreds of IT professionals in December and discovered that a distinct wave of “whaling” hit businesses – a kind of phishing attack specifically targeting C to top level executives. “Big phish”, as it is.

Yes, cetaceans are by no means “fish”, but it doesn’t matter much here: the difference between phishing and cyberwhaling is almost the same as with real-world fishing and whaling: one big target instead of a potentially large number of smaller ones, a “harpoon” instead of a fishnet, etc.

Big Phish

Targets of “cyberwhaling” are mostly executives, preferably top-level, such as CEOs, CFOs, and other high-level decision makers, people responsible for handling corporate data and finances.

Chances that they would fall for a common “spam-borne” phishing letter aren’t big, and in most cases they are hit with “something special”.


Usually phishing letters are spammed out – urbi et orbi – in the hopes that at least a few potential victims become actual ones. In a case of cyberwhaling, it is a narrowly-targeted, cleverly crafted spear-phishing letter made to look believable and trustworthy to the target.

Conjuring such a letter takes effort, of course. The possibility of doubts and reservations at the victim’s side should be brought to an absolute minimum. So both the sender’s and receiver’s regalia – title, position, etc. – as well as other, probably personal, details must be properly specified in the “whaling” e-mail.

These details are mined from wherever possible, most likely from open and semi-open sources such as social network accounts – Facebook, LinkedIn, Twitter, etc.

In most cases, whaling involves more social engineering than tech tricks. If there is some company-wide (non-personal) concern involved – supboenas, letters from tax authorities, etc. – it is very likely that the decision maker would fall into the trap.

In their letter, attackers may request downloading some additional software in order to open the full text of the “subpoena”. In reality, that would be some keylogging malware, not some arcane plugin to Adobe Acrobat. And though it is very unlikely that the official documents are sent out in some exotic formats, people occasionally fall to the trick.

There was a largely publicized phishing – or rather whaling – campaign in 2008, when literally thousands of high-ranking executives across the U.S. received official subpoenas ostensibly from the United States District Court in San Diego. Each message included the executive’s name, company and phone number, and commanded the recipient to appear before a grand jury in a civil case; instead of a copy of subpoena, however, victims were served with keyloggers.

Big phish, little difference

All in all, whaling is still a subset of phishing, and even though it is more related to social engineering, common countermeasures against phishing are still effective. While nothing compares to a human’s own ability to tell the scam from legitimate mail, the complementing technical measures and security technologies are also extremely helpful here, allowing quick and reliable confirmation as to whether the message contains anything harmful and if the provided link is dangerous or safe to visit.

Stay safe!