What is Whaling?

May 22, 2016 by

With technology constantly advancing, life is getting simpler, and many people now run their everyday lives through one or two devices such as phones, laptops, and iPads. In the business world, advances in information technology have extended what we can do as professionals in a corporate environment, where we carry out our responsibilities and duties and build our organization’s profits as a unified whole. Another world that has prospered dramatically with information technology’s rise is the dark world of cyber-crime, which grows more potent every day as hackers use multiple strategies to penetrate individuals and organizations virtually and steal sensitive information. One very effective strategy in particular is phishing.

What Is Phishing?

Phishing is an online scam that hackers use to steal valuable information from individuals and organizations. It has become one of the most successful methods for stealing information electronically and using it illegally. Phishing is typically administered online via email and the information that is stolen includes usernames, passwords, and other sensitive data, such as a person’s full name, date of birth, and banking information, among others.

History of Phishing

Phishing has been around since 1996, when a group of hackers was able to successfully hack into America Online (AOL) user accounts and steal multiple passwords. These hackers used emails to set online “hooks” in the sea of internet users, hoping to phish as many usernames and passwords as possible and take control of the accounts. This technique eventually became known as phishing.

How Are Basic and Advanced Phishing Done?

Phishing is a very clever online scam tactic that includes multiple processes used by the hacker to steal information for personal gain. There is basic phishing, in which hackers use basic email as their primary method of scamming. These emails usually contain information that coerces the victims to reveal sensitive information. Another basic scam is for the emails to come with a phone number that claims to belong to a customer service department. Once the victim calls this number, the hacker will pretend to be a customer service representative who will gather sensitive information from the victim.

There is also a more advanced form of phishing that hackers use to steal information on a mass scale. This process is very detail-oriented and usually follows these steps:

Step 1

Since a good percentage of the world uses the internet to visit their favorite websites such as Facebook, Google, and Twitter, hackers purchase a domain name that is very similar to the name of one of these popular websites. Instead of using Twitter, hackers register a nearly identical name by adding another “i”, which results in the domain name becoming “”. The difference in name is very hard to notice, which makes it easier for hackers to steal information. To add insult to injury, hackers then create a website that looks exactly like the main website of Twitter, which they use for their personal gain.

Step 2

Once the fake website is up and running, a hacker will then send out spam emails to multiple users across the web that contain the original Twitter logo as well as a notice that their accounts have encountered certain problems. These emails also usually contain a link that users can click on. When online users who have existing Twitter accounts stumble upon these fraudulent emails and think they are really from Twitter, they immediately click the accompanying link to rectify the problem.

Step 3

When an unsuspecting individual clicks on that link, he or she will be directed to the hacker’s fake website login page. This page will also look exactly like the original login page of Twitter, with username and password boxes along with everything else. When the individual enters a username and password, this information goes directly into the hacker’s database of stolen usernames and passwords.

Step 4

After entering all sensitive information on the fake website, the user will be directed into another bogus webpage designed by the hacker that informs them that the service is temporarily unavailable or undergoing maintenance and they receive an advisory to try logging in again after 24 or 48 hours. This method is effective at making users feel at ease as they disregard the message and continue with their other online activities. Once this occurs, the entire phishing scam is successful and hackers are able to use the stolen information for their personal gain at a later time.

Spear Phishing

Another category of phishing is known as spear phishing, which is a more advanced form of scamming. Spear phishing is more advanced because the attacks are planned and directed at specific individuals or even a group of employees inside a business organization. It is more complex because hackers study their targets carefully for weeks or months at a time. They gather important information about their targets and their online habits, such as favorite social media pages, online store memberships, and even more secure information such as bank accounts, social security numbers, and other sensitive information. Based on the gathered information, a hacker will craft a specialized email to send to the targets. This email will contain a lot of vital information that a target will find difficult to ignore, such as an email from a vendor with whom the organization works. Spear phishing emails are not only far more effective than regular phishing emails; they are also much harder to detect.


A method very similar to spear phishing is whaling, which also targets specific individuals in a business organization. Whaling is different from spear phishing because hackers target the bigger fish or higher-ups in a business organization. This includes presidents, CEOs, and owners, all of whom have a lot of resources and financial capital. Money is not the only target of whaling, because CEOs and presidents have access to confidential company information that can be used by a direct competitor. Hackers send phishing emails with links to CEOs and presidents. Once a CEO or president clicks on one of the links, the hacker is able to gain control of the executive’s computer and steal valuable information that can be sold to competitors in exchange for a large sum of money.

Whaling Attack Success

As technology continues to progress online, hackers everywhere are developing new and more effective methods of hacking into a company’s network by targeting high-level executives. Whaling attacks are extremely deadly because they cause a domino effect of victim after victim falling prey to an attack within an organization. According to, whaling attacks during 2015 were so effective that, by June, the following countries experienced a major spike in whaling attack success. Examples of these spikes are prevalent in countries such as:

  • Brazil experienced a 9.74% hike in phishing and whaling scams.
  • India saw an 8.3% hike.
  • China saw a 7.23% rise.
  • Russia saw a hike of 6.78%.
  • France saw a 6.54% rise.

Whaling attacks are so successful because the emails being sent are so masterfully crafted that most company executives and higher-ups do not suspect anything malicious or devious about what they receive. Many times, these individuals have no idea that their email accounts have been hacked and are already sending multiple emails to their employees with specific instructions for transferring funds and other resources to other accounts. An example of a successful whaling attack occurred in December of 2015 to a chief financial officer of Te Wananga o Aotearoa, one of New Zealand’s top universities.

The Te Wananga o Aotearoa Story

In December of 2015, reports of a successful whaling scam broke out online after Bronwyn Koroheke, then chief financial officer of Te Wananga o Aotearoa, fell victim to the scam. It was reportedly carried out by hackers from China whose modus operandi was targeting high-ranking executives of many successful organizations in New Zealand. Mrs. Bronwyn Koroheke, who is an extremely decorated and experienced accountant, previously headed the accounting team for the Hamilton City Council in New Zealand’s Waikato region. Because of her expertise in budgeting and accounting, she was offered the chief financial officer position at Te Wananga o Aotearoa by the university’s chief executive, Jim Mather. Te Wananga o Aotearoa, the second biggest university in New Zealand, has reported earnings of $155 million with 32,000 students across multiple campuses in the country.

On November 19, 2015, at 12:54 pm, Mrs. Koroheke received an email from Jim Mather instructing her to transfer 79,000 U.S. dollars to a Hong Kong bank account. After receiving an invoice for the money transfer, the information in the invoice revealed that the funds were going to be used for purchasing a fitness center named “St. Paul’s College Sports & Health” at 69 Bonham Road, Hong Kong.

The email sent by the whaling hackers from China reportedly mimicked every detail of Jim Mather’s email address. The emailing process was done so expertly that she received the email directly in her inbox as opposed to her spam messages. She even reported that the email had his picture, which led her to believe that the instructions were legitimate. After the whaling scam was discovered, there was a full investigation, in which the university sought the help of Hong Kong authorities in locating the hackers. Te Wananga o Aotearoa University even froze their accounts in the hope of recovering all stolen funds. Currently, the university is confident that they will relocate the stolen funds.

As cyber-crime is expected to gain momentum for 2016, executives, employees, and individuals should take a proactive stand against this type of crime by staying aware of their online activities. The Internet is a resource that all people have the right to use and enjoy. Just because criminals use this medium to steal information and resources, you should not be afraid to enjoy your right. You should, however, educate yourself on how to detect phishing, spear phishing, and whaling activities so that you can spare yourself and your company the heartache of losing money, information, resources, and even identity. Detecting a whaling scam is fairly easy. Let us explore the contents of a phishing or whaling message in the section below on how such messages are crafted.

Crafting Whaling Messages

For any cyber-criminal, email is one of the most powerful attack methods in the arsenal. The simple reason is that most individuals and professionals rely on email to conduct their daily personal and professional lives. What makes email such a dangerous online platform is the fact that hackers use it to gain control of your accounts. By crafting a well-designed email complete with links, they lure you into their trap when you click on the accompanying links. Keep in mind that one click is all that they need to gain access to your computer.

A whaling email takes time to compose and design, as hackers need to gain your trust by appearing as legitimate as possible. This is why they create an entire website that perfectly duplicates that of a well-known bank or government service. In addition, they set up an email address that perfectly mimics that of the well-known bank. Once they complete all of these online tools, they will send out emails to individuals, employees, and executives in high hopes that one of these will take the bait.

In a business organization structure, whaling becomes an even more complex and detailed hacking procedure. This entire process of mimicking company executive emails is very difficult, considering that most business organizations spend a lot of resources to buy the best network security programs.

Avoiding Phishing, Spear Phishing, and Whaling

The simple method of avoiding any type of phishing and whaling is to always double check with your online accounts. When you receive an email, you should automatically contact your bank or online store. You should also confirm all instructions with your boss or manager in person or through telecommunications. If they do not confirm the email that you have just received, then you know that the email is a scam and you should delete it immediately from your inbox.
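
The manual confirmation described above can be backed by an automated check for two tricks this article describes: a sender domain that is one character away from the real one, and an executive’s name on an address that is not theirs. The following is an added example, not part of the original article; the domains, the executive name, and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed policy data, constructed for this example.
ORG_DOMAINS = {"example.com"}
EXECUTIVES = {"alex rivera": "alex.rivera@example.com"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw):
    """Return the reasons a message needs out-of-band confirmation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # Lookalike domain: one inserted, dropped or substituted character.
    for good in ORG_DOMAINS:
        if domain != good and edit_distance(domain, good) <= 1:
            findings.append(f"lookalike domain {domain} (protected: {good})")
    # Executive display name on an address that is not the executive's.
    expected = EXECUTIVES.get(" ".join(name.lower().split()))
    if expected and addr != expected:
        findings.append(f"display name '{name}' used by {addr}")
    # Replies diverted to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.lower().rpartition("@")[2]
    if reply and reply_domain != domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    return findings

# Constructed sample messages.
SPOOFED = ("From: Alex Rivera <alex.rivera@exammple.com>\n"
           "Reply-To: payments@mail.example.net\n"
           "Subject: Urgent wire transfer\n\nPlease send the funds today.\n")
GENUINE = ("From: Alex Rivera <alex.rivera@example.com>\n"
           "Subject: Board agenda\n\nSee attached.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, check_message(raw))
```

A message that produces any finding is a candidate for the in-person or telephone confirmation recommended above; an empty result does not prove the message is genuine, since a compromised executive mailbox sends from the real address.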

Using SecurityIQ's PhishSim program, you can help sensitize your employees and even your top-ranking CEOs to the threat of Whaling and phishing attacks by creating 100% safe, instructive fake-phishing attacks. Sign up for SecurityIQ today and try it out for yourself.