Pattern of whale fins raised out of the ocean.

An online phishing attack typically involves a scammer attempting to impersonate a service you use in a bid to get credentials or money out of you. Another more targeted and potentially more lucrative version of this scam is called whaling or whale phishing.

Whale Phishing Targets Businesses and Organizations

The biggest difference between a standard phishing attack and a whale phishing attack is how the scammer targets victims. While phishing attacks are sent out to hundreds or thousands of people at a time, whale phishing attacks are often far more targeted.

A whale phishing attack may target a single individual within a business using information garnered from within that organization. Scammers will put in more research to dupe their targets, which may involve studying hierarchies and company info online, or getting information from within the company itself.

For example, a scammer will usually pose as a high-level member of staff. This could be a manager or technician, or it could be the CEO or owner. Picking a figure of authority is crucial for the scam to work since the target (often lower-level employees) is more likely to fulfill a request without questioning it.

So in one scenario, a scammer may pose as a senior account manager, drawing an employee’s attention to an invoice that needs to be paid. The email may contain a link to an external website that is used to steal login credentials or contains instructions to make a payment to an account that is controlled by the scammer.

The end goals may be numerous, where scammers attempt to steal money, credentials, and plant malware. Over time this could lead to security problems, ransomware attacks, espionage, and of course a great deal of distress for those on the receiving end.

Whale Phishing Uses the Same Old Tactics

Whale phishing is essentially spear phishing with a bigger (usually corporate) payout. Spear phishing is a slightly more sophisticated version of standard phishing, where the scam is tailored to the target. A “whale” in this scenario is a bigger “catch” hence the term whaling or whale phishing.

While a whale phishing attack requires more effort and time on the scammer’s end, the tactics used are similar to a standard phishing attack. For example, the scammer may use a deceptive email address that is either spoofed or made to look very similar to an email address used by the person they are impersonating.

Since these attacks rely on a human component, whale phishing by phone is another common tactic (as it is in many phishing scams). Like phone calls, text messages may be used also just as they are in ever-growing smishing attacks. A less common tactic may include physical access, where the target is “baited” with a USB stick designed to deliver a payload.

Ultimately, being vigilant and skeptical is the best defense against this sort of attack.

Whale Phishing Isn’t New

This type of scam has been around for decades, and will likely continue to be a threat for many more. Awareness is key to avoiding this and many other types of scams, from Facebook Marketplace scams to Wordle impersonators. Check out our top tips for staying safe online.

RELATED: 10 Facebook Marketplace Scams to Watch Out For

Profile Photo for Tim Brookes Tim Brookes
Tim Brookes is a technology writer with more than a decade of experience. He's invested in the Apple ecosystem, with experience covering Macs, iPhones, and iPads for publications like Zapier and MakeUseOf.
Read Full Bio »