Whaling Attacks: When Scammers Go After the Big Fish (Your CEO)
Phishing attacks that target everyone are "fishing." Targeted attacks on specific people are "spear phishing." And when criminals set their sights on the biggest targets in an organisation — the CEO, CFO, Managing Director, or business owner — it's called whaling. Because they're going after the big fish.
Delightful nautical metaphors aside, this is serious business.
What makes whaling different?
Whaling attacks are:
- Highly researched. The attacker knows who you are, your role, your communication style, your current projects, and your key relationships.
- Highly targeted. This isn't a bulk email — it's crafted specifically for you.
- High value. Executives have access to financial systems, strategic information, and company data that make a successful attack extremely lucrative.
How whaling attacks work:
Targeting the executive: The criminal researches the CEO on LinkedIn, the company website, news articles, and social media. They learn about upcoming deals, partnerships, and who the CEO regularly communicates with.
They then send a tailored phishing email — perhaps impersonating a board member, a major client, or a government agency — with a convincing request.
OR — using the executive as the weapon: Criminals impersonate the CEO to attack staff. An email appears to come from the MD demanding an urgent transfer. This hybrid attack (whaling meets Business Email Compromise) is devastatingly effective.
Real whaling tactics:
- Fake legal notices sent to the CEO requiring them to log in to a portal
- Fake supplier communication designed to look like an ongoing deal
- Fake investor or bank communications
- Fake government compliance notices requiring immediate action
Protecting your executives (and your business):
- Limit how much personal/professional information is publicly available about your leadership team. Review what's on the company website and their LinkedIn profiles.
- Implement a verification process for all financial requests — including from the CEO. The CEO shouldn't be exempt from payment verification processes. In fact, CEO requests should require extra scrutiny.
- Use email authentication (SPF, DKIM and DMARC) to make it harder for criminals to spoof your executives' email addresses. Note that these controls only cover mail that claims to come from your own domain; a message sent from a lookalike domain or a free webmail account with the CEO's name as the display name will pass them, which is why the verification process above still matters.
- Brief executives specifically on whaling. The target needs to know they're a target.
- Create a safe reporting culture. Staff need to feel comfortable questioning unusual executive requests without fear of consequences.
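One defender-side check suggested by the authentication and verification points above, added here as an example that is not part of the original article: it flags inbound mail whose display name matches an executive but whose sending address, DMARC verdict or Reply-To does not line up. The company domain, the executive directory and the three sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # hypothetical: the organisation's own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # hypothetical directory: display name -> real address

def dmarc_result(msg):
    """Return the dmarc= verdict the gateway recorded in Authentication-Results ('none' if absent)."""
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";"):
            clause = clause.strip().lower()
            if clause.startswith("dmarc="):
                return clause[len("dmarc="):].split()[0]
    return "none"

def assess(raw_message):
    """List the executive-impersonation indicators found in one message (empty list = none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:  # executive's name on a lookalike or free-mail address
        findings.append("display name matches an executive but the address does not")
    if from_domain == COMPANY_DOMAIN and dmarc_result(msg) != "pass":  # direct spoof of our own domain
        findings.append("From claims the company domain but DMARC did not pass")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:  # replies diverted elsewhere
        findings.append("Reply-To points at a different domain than From")
    return findings

# Constructed sample messages (not real mail); the Authentication-Results header is what a receiving gateway adds.
LOOKALIKE = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: Jane Doe <ceo.office@webmail-example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-mail.net; dmarc=none header.from=example-mail.net
Subject: Urgent transfer before 5pm
"""
SPOOFED = """From: Jane Doe <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com
Subject: Need a payment approved
"""
GENUINE = """From: Jane Doe <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Subject: Board pack
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", LOOKALIKE), ("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, "->", assess(sample) or ["no impersonation indicators"])
```

A hit on the lookalike or Reply-To checks is exactly the case email authentication cannot catch, so it should route the message into the payment verification process rather than be treated as a delivery decision.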
The irony
The people most targeted by whaling attacks are often the same people who exempt themselves from security policies because they're "too busy." That exemption is itself a vulnerability.
Think you can spot a phish?
Put your knowledge to the test with the Phishbate interactive quiz. It only takes a few minutes.