Whaling - Definition & Explanation

Whaling is the most dangerous form of spear-phishing. The name is derived from "big fish"—instead of targeting many ordinary employees (phishing), whaling targets the "big fish": CEOs, CFOs, CISOs, board members, and other C-suite executives.

Why CEOs Are Particularly Vulnerable

Executives are attractive targets for several reasons:

Decision-making authority: CEOs can authorize payments directly
High-value access: Access to M&A data and strategic plans
Time pressure: Executives are busy—little time for follow-up questions
Status authority: Emails from CEOs are rarely questioned
Abundance of OSINT: LinkedIn, interviews, conference appearances = extensive research base

Anatomy of a whaling attack

Phase 1: OSINT reconnaissance (weeks to months)

Attackers intensively gather information:

LinkedIn profile: career, connections, activities
Company website: executive team, organizational chart, press releases
Annual reports and investor relations: financial data, strategy
News articles: interviews, quotes, current projects
Conference talks: agenda, presentations, speaker bios
Xing, Twitter/X: personal interests, travel activities

Phase 2: Constructing an attack scenario

Credible contexts for whaling:

M&A scenario: > "I am the attorney handling the acquisition of [real company]. The NDA phase requires a strictly confidential payment of €2.3 million. Please transfer the funds by Friday at 5:00 PM—the legal team has been instructed."

Tax/Regulatory Authority Scenario: > Email purportedly from an auditor or tax authority: "Tax audit in progress—confidential payment required by Monday."

Board Member Request: > Spoofed or lookalike email from a known board member: "Confidential acquisition project—CFO, please do not inform anyone else."

Phase 3: Spear-Phishing Email

The whaling email is handcrafted:

Real names of colleagues, lawyers, banks
Correct email signature replicated
Reference to real current projects (from OSINT)
Urgency + confidentiality ("Don’t talk to anyone about this")
Plausible sender domain (spoofing or look-alike: arnwelt-consulting.com instead of arnwelt.com)

Notable Whaling Cases

FACC AG (2016): Austrian aerospace group lost €50 million due to a fake CEO directive sent to the CFO. The CFO was fired.

Crelan Bank (2016): Belgian bank lost €70 million due to a whaling attack targeting the CEO.

Ubiquiti Networks (2015): $46.7 million stolen via compromised email communication between the CEO and CFO.

Levitas Capital (2020): Australian hedge fund lost nearly everything following a whaling attack—the fund was liquidated.

Whaling vs. Regular Phishing

Feature	Mass Phishing	Spear Phishing	Whaling
Target audience	Everyone	Specific department	C-suite
Effort	Minimal	Days	Weeks/months
Customization	0%	Moderate	High
Success rate	0.1–3%	15–30%	50%+
Potential damage	€100s	€10,000s	€1 million

Protective Measures

Technical

DMARC p=reject: prevents email spoofing of your own domain
Email banner for external emails ([EXTERN] tag in the subject line)
Lookalike domain monitoring (register/monitor variants of your own domain)
Separate email address for the executive board (not listed in legal notice)
Dual-control principle for wire transfers > threshold amount

Process

Callback procedure: Confirm financial instructions by phone (known number!)
No email-only for wire transfers > X € – second channel always required
Travel communication: Advance notice when CEO/CFO is traveling – higher risk of attack
"No exceptions": Even CEO instructions follow the approval process

Awareness

C-suite receives dedicated whaling training (not generic phishing training)
Simulated whaling attacks on the executive board (with a warning message if "successful")
Limit public LinkedIn posts (less OSINT attack surface)
Be aware of "social engineering" in travel situations—in hotels, at conferences

Whaling is not a technical problem—it is an organizational one. The best firewall is useless if the CFO approves an email that appears to be from the CEO.