What is whaling?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine getting an email that looks like it came from your CEO. It mentions a real project you're both working on, references an upcoming board meeting, and asks you to wire $80,000 to a new vendor account urgently. That's whaling.

Whaling is a type of phishing attack aimed specifically at executives and senior leaders. The name plays on the fishing metaphor: if regular phishing goes after small fish (any inbox in bulk), whaling goes after the big ones. CEOs, CFOs, board members, heads of legal. People whose authority means a single click or approval can move serious money or expose sensitive data.

What makes whaling different from a generic phishing email is the homework involved. Attackers research their target before sending a single word. They'll study LinkedIn, company news, press releases, even past conference appearances. The email they send will reference real names, real relationships, and real events. There's no typo-ridden subject line about a Nigerian prince. It reads like something your actual CEO would write.

Common whaling scenarios include a fake executive asking finance to approve a wire transfer (this one alone costs businesses billions every year), a spoofed board member requesting confidential documents before a meeting, or a fake attorney claiming to represent the company in an urgent legal matter. All of them create time pressure, because urgency is the thing that makes people skip their usual checks.

Whaling works partly because executives are genuinely busy and trust that people know better than to escalate something trivial. That trust is exactly what gets exploited. And because executives also have the authority to authorize large actions without going through normal approval chains, there's often no second set of eyes on the request.

Defense is more about process than technology. Training helps, but the real fix is a standing rule: any request involving wire transfers, payroll changes, or sensitive data gets verified through a second channel, a phone call or in-person confirmation, regardless of how legitimate the email looks. One quick call before approving a transfer has stopped more whaling attacks than any spam filter ever will.

If you want to understand how whaling fits into the broader picture, it's closely related to business email compromise, which often uses the same tactics at an organizational level. Worth reading if you're building out any kind of security awareness program for your team.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a ranked list of whaling defenses for your role

I'm in leadership or work closely with executives, and I'm trying to understand how whaling attacks work. Based on my role and org type, what are the most realistic whaling scenarios I should prepare for, and what process changes would actually reduce the risk? Please rank from most to least impactful.

Edit the yellow boxes, then send to the AI of your choice.