
Understanding the Anatomy of a Whaling Attack

Whaling Attacks

Whaling attacks are on the increase. If you understand how they work, you’ll be better prepared to protect your business.

A whaling attack is a form of phishing email attack. Cybercriminals who send whaling emails disguise themselves as senior executives within a business and ask employees, usually someone in finance who can authorise payments, to carry out money or data transfers. The term is a play on words, a whale being a big 'phish', and these attacks have cost their victims millions of dollars.

In this blog post we’ll explore the anatomy of a whaling attack, and provide guidance on how to protect your business.

How a Whaling Attack Works

Whaling attacks tend to follow a standard approach. It is simple but effective, and that simplicity makes the attack easy for other cybercriminals to copy: –

  • Identify the target. The first stage of a whaling attack is to identify a target organisation and, within it, a senior executive to impersonate. The cybercriminal researches the individual and the organisation through the company website, LinkedIn profiles and so on.
  • Register a domain name. The attacker then registers a domain name that resembles the target organisation's, for example one that differs from the genuine domain by a single swapped, dropped or doubled character, or that uses a different top-level domain. The aim is for the domain to appear legitimate at first glance. Not every attacker bothers with this step: some simply put the executive's name as the display name on a free webmail address and rely on the recipient never checking the actual sender address.
  • Send a phishing email. Using the registered domain to impersonate the chosen executive, the cybercriminal emails a member of the finance team. The email typically applies pressure, asking for a bank transfer to be made urgently.
  • Trick the email recipient. For a whaling attack to succeed, the exchange between the cybercriminal (posing as the executive) and the finance team member must look as genuine as possible. Once the attacker is confident that the victim is engaged, sometimes after several emails, they request the transfer.
  • Carry out the transfer. Cybercriminals running a whaling attack often deliberately target an individual with single sign-off approval for transfers, so that no second person sees the request. If the attack succeeds, the victim sends the money to an account the cybercriminal controls.
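As an added example (not code from the original post or from Capital Support), here is a small Python check that flags the lookalike domains the registration step above relies on. It takes the domain of an inbound sender and compares it with your own, catching a swapped top-level domain, a single-character edit or transposition, a homoglyph substitution such as rn for m, the genuine domain used as a subdomain of something else, and the genuine label embedded in a longer one. `examplecorp.com`, the homoglyph list and the short set of second-level suffixes are assumptions; a production version would use the Public Suffix List. The docstring also records why DMARC on your own domain does not help here: the attacker owns the lookalike domain and can publish valid SPF and DKIM records for it.

```python
"""Flag sender domains that are confusable lookalikes of our own domain.

Added example. ORG_DOMAIN, the homoglyph folds and the suffix set are assumptions.
"""

ORG_DOMAIN = "examplecorp.com"  # assumption: the organisation's genuine domain

# Labels that sit under a TLD and look like one (examplecorp.co.uk). Real code
# should use the Public Suffix List; this short set is an assumption.
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}

# Character groups that read alike in common fonts, folded to one canonical form.
# Singles first so that "c1" becomes "cl" before "cl" is folded to "d".
HOMOGLYPH_FOLDS = (("1", "l"), ("0", "o"), ("i", "l"), ("rn", "m"), ("vv", "w"), ("cl", "d"))


def split_domain(domain):
    """Return (registrable label, public suffix), e.g. ('examplecorp', 'co.uk')."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def fold_homoglyphs(label):
    """Collapse visually confusable character groups so exarnple == example."""
    for glyph, canonical in HOMOGLYPH_FOLDS:
        label = label.replace(glyph, canonical)
    return label


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender_domain(sender_domain, org_domain=ORG_DOMAIN):
    """Classify an inbound sender's domain as internal, lookalike or external.

    Returns (verdict, reason). 'internal' is an exact match and still needs the
    gateway's SPF/DKIM/DMARC result; a 'lookalike' will typically *pass* those
    checks, because the attacker owns it and publishes valid records for it.
    """
    s = sender_domain.lower().rstrip(".")
    o = org_domain.lower().rstrip(".")
    if s == o:
        return "internal", "exact match"
    # genuine domain used as a subdomain: examplecorp.com.somewhere.example
    if f".{o}." in f".{s}.":
        return "lookalike", "genuine domain used as a subdomain"
    s_label, s_suffix = split_domain(s)
    o_label, o_suffix = split_domain(o)
    if s_label == o_label:
        return "lookalike", f"same label with suffix {s_suffix} instead of {o_suffix}"
    if fold_homoglyphs(s_label) == fold_homoglyphs(o_label):
        return "lookalike", "homoglyph substitution"
    distance = edit_distance(s_label, o_label)
    if distance <= 1:
        return "lookalike", f"{distance} edit from {o_label}"
    # examplecorp-payments.com; noisy for very short labels, so gate on length
    if len(o_label) >= 6 and o_label in s_label:
        return "lookalike", "genuine label embedded in a longer one"
    return "external", "unrelated domain"


if __name__ == "__main__":
    for candidate in ("examplecorp.com", "exarnplecorp.com", "examplecorp.co",
                      "examplecrop.com", "examplecorp.com.mail-host.example",
                      "examplecorp-payments.com", "unrelated-supplier.org"):
        print(f"{candidate:36} {classify_sender_domain(candidate)}")
```

A gateway rule built on this would tag or quarantine anything classified as `lookalike` and, for `internal`, additionally require a DMARC pass, since a message claiming your own domain that fails authentication is a plain spoof.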

Whaling attacks are simple in principle, but an effective one can require a lot of time and research. That effort pays off: the attacks are extremely lucrative for cybercriminals.

The Rise of the Whaling Attack

Mimecast published some startling statistics regarding whaling attacks in late-2015: –

[Image: Mimecast whaling attack statistics, late 2015]

So why are whaling attacks so successful? The email appears to come from the boss, it asks the finance team for something they do every week, and it is urgent. A credible looking message exploits the recipient's goodwill and their reluctance to question a senior executive, and that is often enough to get the transfer made.

Whaling attacks also exploit weak payment authorisation controls. By posing as a senior executive, the cybercriminal uses the lack of a second sign-off to force through a transaction that a second pair of eyes would have halted. Note that the control being bypassed is authorisation of the payment, not authentication of the email: a lookalike domain belongs to the attacker, who can publish valid SPF and DKIM records for it, so email authentication on your own domain does not stop a message sent from it.

Protect Yourself from Attack

The best protection from whaling attacks is often staff training and awareness. Your staff are your first line of defence, and if they follow email best practices you will significantly reduce the risk of suffering damage.

Some basic steps you can take to protect your business are: –

  • Keep your email security up-to-date. If you utilise Mimecast for email security, you may wish to consider implementing their Targeted Threat Protection service for additional protection.
  • Educate and inform. Train your employees on how they can recognise a whaling attack and the tactics that cybercriminals utilise.
  • Don't be pressured into carrying out transactions. Be suspicious of any email that pressures you into carrying out a transaction urgently or asks you to bypass the usual process.
  • Look at tone of voice. If something feels wrong, perhaps the email uses language or a level of familiarity you wouldn't usually expect from the sender, then treat it with suspicion.
  • Follow email best practices. Unless you’re confident who an email is from, never open attachments, click on links, or fill in embedded forms.
  • Review your processes. Are there sufficient controls on how payments are authorised? Introduce second sign-off for transfers, and verify any new or changed payment instructions with the requester by phone on a number you already hold, not one given in the email. Either control gives you a far better chance of spotting a whaling attack before the money leaves.
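As an added example, not part of the original post, here is a header-level check in Python for the two impersonation tricks whaling emails use when no lookalike domain is involved: an executive's display name on an address that is not theirs (typically free webmail), and a Reply-To that routes the victim's replies to the attacker. It also scores the pressure language the bullets above describe, but only as supporting evidence, because that wording appears in plenty of legitimate mail on its own. The executive directory, `examplecorp.com`, the phrase list and both sample messages are constructed for the example; the lookalike-domain check is a separate concern and is not repeated here.

```python
"""Triage an inbound email for executive impersonation and pressure tactics.

Added example. The directory, domain, phrase list and messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "examplecorp.com"  # assumption
# Assumption: the people an attacker would impersonate, keyed by lower-cased display name.
EXECUTIVES = {"jane doe": "jane.doe@examplecorp.com"}

# Phrases that create urgency or secrecy. Weak evidence on their own.
PRESSURE_PHRASES = (
    "urgent", "as soon as possible", "today", "before close of business",
    "keep this confidential", "don't discuss", "i am in a meeting",
    "can't talk", "wire transfer", "bank transfer", "process the payment",
)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message, org_domain=ORG_DOMAIN, executives=EXECUTIVES):
    """Return a list of (finding, detail) for one message; empty means nothing seen."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. A known executive's display name on any address other than their own.
    from_name, from_addr = parseaddr(msg.get("From", ""))
    genuine = executives.get(from_name.strip().lower())
    if genuine and from_addr.lower() != genuine:
        where = "external" if domain_of(from_addr) != org_domain else "internal"
        findings.append(("display-name impersonation",
                         f"'{from_name}' is {genuine}, this came from {where} address {from_addr}"))

    # 2. Reply-To in a different domain: the victim's replies go to the attacker.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(("reply-to mismatch", f"replies would go to {reply_addr}"))

    # 3. Pressure or secrecy language in the subject or text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    hits = [phrase for phrase in PRESSURE_PHRASES if phrase in text]
    if hits:
        findings.append(("pressure language", ", ".join(hits)))
    return findings


def verdict(findings):
    """Hold on a sender anomaly; pressure language alone only warns."""
    kinds = {kind for kind, _ in findings}
    if kinds & {"display-name impersonation", "reply-to mismatch"}:
        return "hold"
    return "warn" if "pressure language" in kinds else "deliver"


# Constructed sample: the whaling pattern described in the post.
WHALING_SAMPLE = """\
From: Jane Doe <jane.doe.ceo@webmail.example>
Reply-To: Jane Doe <jd-private@freemail.example>
To: accounts@examplecorp.com
Subject: Urgent payment
Content-Type: text/plain; charset="utf-8"

Hi, I am in a meeting and can't talk. Please process the payment to the
supplier below today and keep this confidential until I'm back.
"""

# Constructed sample: a genuine internal message that should pass untouched.
LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@examplecorp.com>
To: accounts@examplecorp.com
Subject: Q3 board pack
Content-Type: text/plain; charset="utf-8"

Attached are the figures for the board meeting. No action needed.
"""

if __name__ == "__main__":
    for sample in (WHALING_SAMPLE, LEGIT_SAMPLE):
        found = triage(sample)
        print(verdict(found), found)
```

A `hold` result is the point at which the process control from the last bullet applies: the message is released to the finance team member only after someone has confirmed the request with the executive by phone on a known number.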

Cybersecurity Services

Capital Support offer a comprehensive suite of Managed Security services that will help your business improve its security posture. This includes Cyber Secure Managed Phishing, a service that trains users on how to respond to whaling attacks and other forms of phishing. Contact us if you’d like to learn more.

Toby Shackleton