Are Hackers Targeting Your C-Suite With Whaling Attacks?

phishing scams

Hacking is big money. It is estimated that profits shared among threat actors are around $3.5bn dollars. The biggest paydays through successful whaling campaigns that target c-suite executives.

Whaling attacks are a form of spear-phishing which falls under the broader umbrella of social engineering. It is also referred to as targeted phishing, The key difference is that spearphishing attacks target individuals within a company that have access to the most privileged information. 

CEOs are thought to receive around 57% of attempted whaling attacks. Other executives are also prey in whaling campaigns. Attacks against other vulnerable staff members are known as spearphishing and include IT professionals together with members of accounts teams and HR. 

Hackers use a variety of tricks to convince their targets to part with critical information. This may involve giving up login credentials, sharing sensitive information, paying an invoice, money transfers or exploiting vulnerable gateways in unprotected software or hardware on a business network.

In both spearphishing attacks and whaling attacks, threat actors use sophisticated techniques and a personalised approach. The decisive action is to impersonate a business partner or a member of your company to gain access to financial accounts or customer information that is sold for profit on the dark web.

Because whaling and spearphishing attacks are personalised, they can be harder to spot than random phishing attacks that frequently pop up in your inbox. 

Companies that fall victim to any type of data breach suffer a financial loss. Firstly, hackers may get away with money from your accounts, either because they accessed your bank account or they fraudulently persuaded a target to pay an invoice or money transfer. 

Data privacy laws also subject companies that fail to protect consumer data to a penalty – typically 2% of your firm’s global income or £20 million, whichever is greater. 

But the biggest losses are typically due to a loss of faith from the general public and investors. A data breach damages the reputation of the company which subsequently falls in share prices and the loss of customers that move to a competitor. Businesses that suffer a data breach can lose a massive 81% of their customers.  

How To Spot Whaling Attacks 

Whaling attacks are geared towards high-level executives. To disguise malicious intent, threat actors create a number of sophisticated methods that are designed to persuade a target to perform a specific action. 

The most simple form of attack, and the most common, is to embed a link that infects a device with malware when clicked. The malware will then perform other nefarious activity to gather information the hacker can use to access deeper accounts or disable your network (which is probably an attack conducted by a competitor.) 

The function of the malware depends on the type of virus. In whaling attacks, spyware and ransomware is the most used type of malicious code. Spyware can steal information from a device, and recover passwords that enable hackers to access protected files or accounts. Ransomware will shut your network down until you pay the ransom. 

Whaling attacks

Professional hackers that conduct whaling attacks put a lot of effort into making the attack highly customised. They will research the internet to gather as much intelligence about the company as possible and analyse social media accounts to learn about the individual target. 

The more information hackers collect about a company and high-value individuals, the likelihood of a successful campaign is higher. Accurate information makes the whaling attack appear as though it’s authentic. 

For example, if a hacker knows a company you use as part of your supply chain, they will create a replica invoice which, for all intents and purposes, appears to be a genuine invoice. If the individual that is responsible for paying the invoice believes the email is from a genuine source, they will pay the hacker. 

Real-life Examples of Spearphising Attacks

In 2015, a senior executive of The Scoular Company fell victim to an email scam that appeared to originate from the chief executive of its auditing firm. The fraudulent emails escaped the attention of the corporate controller who paid three instalments to a bank in China for the tidy sum of $17.2m. 

A similar whaling tactic was employed by threat actors targeting the CEO of Ubiquiti Networks. The chief of the networking technology fell victim to Business Email Compromise (BEC) attack. Hackers impersonated an employee to persuade the CEO to authorise a payment of $46.7 million. A Federal investigation discovered the attack came from an employee. 

Spearphishing tactics work in a similar way but the target is generally an employee and the email appears to be coming from a senior member of staff. The CEO of the aerospace parts maker FACC was dismissed after the company lost $56m after a spam email that appeared to come from the CEO was sent to an employee with instructions to release the funds for an acquisition project. The incident dropped the FACC into an operating loss of 23.4 million euros. 

In 2020, the co-founder of Levitas Capital, an Australian hedge fund, was the victim of a malware attack when he clicked on a fake Zoom link. The hackers used the malware to create fraudulent invoices in an attempt to steal $8.7m. Fortunately, the fraud was discovered and the hackers only managed to steal $800,000. However, the company went out of business due to damage to its reputation. (This is an example of how data privacy laws can destroy your company because of the obligation to report a data breach). 

Types of Whaling and Spearphishing Attacks 

Threat actors have various tactics and technologies to launch whaling and spearphising attacks. However, there typically comes a point when cybercriminals have to use non-tech strategies. The types of whaling attacks and spear phishing tactics are listed below:

Business Email Compromise (BEC)

BEC is probably the most common form of a whaling attack. These types of attacks require a lot of prior information about the target such as the bank your use, the firm you partner with, and as we saw with The Scoular Company case described above, your auditors or other parties which may authorise a payment. 

The wealth of information available in the public domain enables sophisticated hackers to gather a sufficient amount of intelligence on high-asset targets through social media, legal records and your website. It’s not beyond the scope of talented hackers to find a way past your anti-virus protection if they know which software you are using. 


The majority of any type of cyber attack starts with malware which can be downloaded onto a computer by clicking on a malicious link or by downloading a pdf, app or file that contains nefarious code. 

If hackers are successful in planting malware on your device, they may be able to steal your login credentials to all the accounts you access. Another method hackers use for breaking past logins is by deploying a strategy known as brute force. 

Using sophisticated technology are able to run thousands of password combinations per second. So if you have a weak password, the chances are that brute-force technology will get past it. 

Another type of malware known as “keylogging” records the keystrokes on your phone or computer to identify passwords. This is the digital equivalent of phone tapping. 

A non-tech method of accessing login credentials is called “shoulder surfing”. As the label implies, it involves someone looking over your shoulder.

Smishing and Vishing

Spearphishing attacks are not limited to emails. You may also receive attempts via SMS (Smishing) which prompts targets to click on a malware-infected link and also through voice commands; a phone call on your mobile or VoIP service in which you do not see the person’s face but only hear their voice. 

Vishing becomes even more sophisticated in that cybercriminals are using voice-changing software that can mimic the voice of the target. Bad actors can say anything they want and it will sound as though their target is giving the authorisation. 

Microsft 365 Intune security features

Given the sophisticated nature of whaling attacks, it’s clear that companies need to implement protocols that prevent cyber criminals from infecting devices with malware or impersonating senior executives and partners.

How To Identify And Defend Whaling Attacks 

As governments around the world introduce and enforce data privacy regulations, a data breach could put an end to the continuity of your business. And it’s well known that corporations employ hackers to conduct cyberattacks on their competitors. 

Implementing and promoting cybersecurity awareness throughout the firm is imperative for corporate entities operating in the digital landscape. A culture of cybersecurity prevention should start with senior executives – as the types of social engineering attacks they can fall victim to are the most sophisticated.

Cybersecurity Training for Executives

Senior management teams should receive ongoing cybersecurity training to ensure they know how to identify potential threats and take appropriate action to prevent mistakes. 

It’s also worth conducting random whaling exercises to test the protocols you have in place are effective and that C-suite executives are following them. 

Identify Suspicious Emails 

Email is a favourite vehicle for hackers. However, there are several defensive tactics you can use to identify malicious emails and prevent them from even reaching their target. 

Cybersecurity technology enables you to flag emails that arrive from external companies – regardless of whether the perceived sender is in your trusted contacts list or not. 

The technology includes a function that identifies similar email addresses that are not an absolute match. Whilst talented cybercriminals can design a page to look like it originated from a genuine sender, they cannot replicate an email address. 

Social Media Awareness Training

For whaling attacks to be successful, hackers rely on private information. One of the best online sources to learn about your target is social media. It is the minor details about your personal life that can make you believe an impersonator is actually the person they say they are. 

C-suite executives should be very careful about the type of information they divulge on social media networks. Small details such as hobbies, acquaintances, the places you visit and important dates can all be used to the advantage of hackers in a social engineering scam. 

Establish a Verification Process

The impersonation tactics deployed by hackers can easily be avoided by establishing a verification process before authorising the release of funds or other sensitive information. 

Bear in mind the various ways that hackers can access information. Assume they have eyes and ears everywhere. 

One strategy may be to have an in-person discussion, or video conference, about any larger transfer. That will establish that you are expecting an email but also wave a red flag if you receive an email without prior discussion. 

You may also want to include an administrative partner in the authorisation process so the payment is subjected to counter-assessment.

Implement Cyberattack Prevention Solutions

Clickable links and downloadable documents should be verified as safe before you click in them. Technology will do this for you to some degree. For example, Microsoft recently introduced a default setting in M365 that prevents you from downloading pdfs. 

However, it should be noted that cybersecurity antivirus solutions can only detect “known malware”. That basically means malware that has been used before. But sophisticated hackers targeting C-Suite executives with a whaling attack are more likely to be using a new code that anti-virus software won’t detect. 

Executives, therefore, need to know how to perform the eye test. 

  1. Hover your mouse over the link to make sure the URL can be trusted. If it looks suspicious, make follow-up enquiries to confirm its authenticity.
  2. Check the email of the sender. If there is any suspicion that the email address is not correct, follow the cybersecurity prevention protocol.

How Can Micro Pro Help To Prevent Whaling Attacks on C-Suite Executives

Micro Pro has more than twenty years of experience serving high-value executives in London. Our IT specialists are also strategists and think out-the-box when it comes to implementing cybersecurity measures. 

If you’re concerned about your existing cybersecurity defences, get in touch with our IT team in London. We are more than happy to discuss your concerns, assess your current set up and identify effective solutions. 

Share This Article

You Might Also Like...