What is CEO fraud or Whale Phishing (Whaling)?


In 2014, Sony was the victim of a huge data leak. Over 100 terabytes of confidential company data were exfiltrated, resulting in well over $100 million in losses. The phishers posed as colleagues of top-level employees, who then opened the malicious attachments in the phishing emails.

Whaling attacks, a specific type of phishing attack that targets high-level individuals within an organization, pose a significant threat to businesses worldwide.

But what exactly is a whaling attack, and how does it differ from other types of phishing attacks?

In a whaling attack, cybercriminals use social engineering tactics to target individuals such as CEOs and finance managers. Using tactics similar to ordinary phishing, such as email and website spoofing, they trick their targets into performing specific actions, such as divulging sensitive information, transferring money to fraudulent accounts, or granting the attackers unauthorized access to computer systems.

So why are high-level individuals such as CEOs and finance managers targeted in whaling attacks?

One reason is that they often have access to sensitive information or control over financial resources, making them valuable targets for cybercriminals. Additionally, by posing as someone senior or influential within the organization, the attacker makes the fraudulent communication appear more convincing and less likely to be refused.

The potential losses from a successful whaling attack can be staggering. SlashNext analyzed billions of URLs, attachments, and natural-language messages across email, mobile, and browser channels over six months in 2022 and found:

“More than 255 million attacks —a 61% increase in the rate of phishing attacks compared to 2021.”

So what can organizations do to defend themselves against whaling attacks?

1- Educate your employees.

Organizations should train their key staff members to remain vigilant and suspicious of unsolicited contact, especially if it involves sensitive information or financial transactions. They should also be taught to identify telltale signs of an attack, such as spoofed email addresses and names, and carry out mock whaling exercises to test their reactions. According to a report by the Aberdeen Group, regular anti-phishing training for employees can reduce phishing susceptibility by 50%.

2- Deploy anti-phishing software.

Anti-phishing software is also an effective defense against whaling attacks. Many solutions are available to help you avoid becoming a victim of spam or phishing-based scams, and our team of experts at EDM is ready to explore your options with you.

3- Optimize your safety procedures.

Executives should also be cautious when sharing information on social media, as cybercriminals may use that information to craft more sophisticated attacks. Organizations can reduce the danger posed by spoofed emails by automatically flagging external emails for review by the IT department and by adding an extra level of validation before sensitive information or large sums of money are released. Requiring two people to sign off payments provides a second point of view and removes the fear staff may have of refusing a request from someone they deem important, or of retribution from a senior person should they decline to comply.
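The two checks just described (flagging external mail, and spotting a spoofed sender name) can be automated at the mail gateway. The following is an added illustration, not code from the original article or from EDM; the organization domain, the list of protected executive names and the sample message headers are all constructed for the example.

```python
# Added example: hold inbound mail for review when it comes from outside the
# organization, when its display name matches a known executive but the
# address is external, or when Reply-To steers replies to another external
# mailbox. Domain, executive names and sample headers are constructed.
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"            # assumed organization domain
EXECUTIVES = {"jane doe", "john smith"}    # assumed display names to protect


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def whaling_indicators(raw: str) -> list[str]:
    """Return the reasons an inbound message should be held for IT review."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    external = from_domain != INTERNAL_DOMAIN
    reasons = []
    if external:
        reasons.append("external sender")
    # Executive display name paired with an external address is the classic lure.
    if external and name.strip().lower() in EXECUTIVES:
        reasons.append(f"display name '{name}' impersonates an executive")
    # A Reply-To that differs from the sending domain and is not ours.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) not in (from_domain, INTERNAL_DOMAIN):
        reasons.append("reply-to points to a different external domain")
    return reasons


# Constructed sample headers: one lure, one legitimate internal message.
LURE = """From: Jane Doe <jane.doe@example-c0m.net>
Reply-To: ceo.urgent@mail-relay.invalid
Subject: Urgent wire transfer

Please process the attached invoice today."""

LEGIT = """From: Jane Doe <jane.doe@example.com>
Subject: Board minutes

Minutes attached."""

if __name__ == "__main__":
    for raw in (LURE, LEGIT):
        print(whaling_indicators(raw) or ["no indicators"])
```

A real deployment would feed the returned reasons into the gateway's quarantine or tagging rule rather than printing them.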


Whaling attacks are a growing threat to organizations of all sizes. However, by taking proactive measures such as employee education, anti-phishing software deployment, and procedure changes, businesses can significantly reduce their risk of falling victim to this type of cyber-attack. It is essential to remain vigilant and informed about the evolving tactics of cybercriminals to protect against potential threats.

Contact us to discuss your options for anti-phishing software deployment!