
What Is Whaling? The Executive-Targeted Phishing Attack

Whaling is a highly targeted form of phishing in which an attacker impersonates or targets a senior executive to authorize a high-value action, usually a wire transfer, a sensitive data release, or a change to a payment account.

In early 2024, a finance employee at the engineering firm Arup sat on a video call with people who looked and sounded like the company's chief financial officer and several colleagues. Every face on that call was generated. The employee, following what felt like a direct instruction from leadership, made 15 transfers totaling about 25.6 million US dollars before the fraud surfaced through a routine follow-up with headquarters. No malware ran. No firewall was breached. The attackers impersonated authority well enough that a trained professional acted on it.

That is whaling: a phishing attack aimed squarely at the people with the authority to move money and approve exceptions. It is the highest-value branch of social engineering, and it is getting harder to spot as attackers add cloned voices and deepfake video to what used to be email-only fraud.

This guide covers what whaling is, how it differs from regular phishing and spear phishing, the anatomy of an attack, the techniques attackers use, real losses, and how a blue team detects and defends against it. It is written for defenders who have to catch this before a wire leaves the building.

What is whaling?

Whaling is a highly targeted form of phishing in which an attacker impersonates or targets a senior executive to authorize a high-value action, usually a wire transfer, a sensitive data release, or a change to a payment account. The name comes from the size of the target: the "big fish" of an organization, such as a CEO, CFO, or board member.

The defining feature is who sits on each end of the request. The attacker either pretends to be the executive (using their authority to pressure a subordinate) or targets the executive directly (exploiting their broad access and approval power). Either way, the attack rides on rank. A request that would be questioned from a stranger gets actioned when it appears to come from the top.

Whaling is not a malware problem. It manipulates a person inside a real business workflow, which means no patch closes the hole and no signature catches it. The control surface is human judgment under the pressure of perceived authority.

Whaling vs. phishing vs. spear phishing

These three terms describe the same family of attack at different levels of targeting. The difference is who the message is written for.

| Attack | Target | Personalization | Typical goal |
| --- | --- | --- | --- |
| Phishing | Anyone, mass-sent | None or generic | Credentials or malware at scale |
| Spear phishing | A specific person or team | Tailored with real details | Targeted credential or access theft |
| Whaling | Senior executives | Heavily researched, executive-grade | High-value approvals, wire fraud, data |

Regular phishing is a volume game: send a million generic emails and a fraction of a percent will respond. Spear phishing narrows the aim to one researched target. Whaling is spear phishing pointed at the top of the org chart, where a single success is worth far more than a stolen consumer password.

Whaling also overlaps with Business Email Compromise (BEC). The distinction is direction. Whaling targets or impersonates the executive specifically. BEC is the broader category of fraud that compromises or spoofs any trusted business identity to redirect a payment. Whaling that impersonates a CEO to push a finance clerk into a wire is often counted as a BEC subtype, which is why the financial losses show up together in fraud reporting.

The anatomy of a whaling attack

[Figure: Whaling attack chain. "No malware. Just authority, in sequence." Panels: 01 Reconnaissance (profile the executive and who controls payments); 02 Pretext (a confidential, urgent scenario that suppresses checking); Lure + Hook (impersonated exec: spoofed email, cloned voice, or deepfake video says "wire it now"); The Action (wire/ACH out clears normal rails with no alert, then cashes out overseas). Defense panel: out-of-band verification, one callback to a number on file rather than a number in the email, breaks the chain before the payment stage; a single check would have stopped the 25.6 million US dollar Arup transfers.]

Whaling follows a consistent pattern, and knowing the stages is how a defender breaks the chain.

  1. Reconnaissance. The attacker builds a profile of the target and the organization from LinkedIn, the company website, press releases, earnings calls, and social media. They learn who reports to whom, who controls payments, who is traveling, and when leadership is hardest to reach for verification.
  2. Pretext. They construct a believable scenario: a confidential acquisition, an overdue vendor payment, a legal settlement that must stay quiet. The pretext explains both the urgency and the secrecy, which is what suppresses the victim's instinct to double-check.
  3. The lure. A message arrives from a spoofed or lookalike executive address, or from a genuinely compromised mailbox. It carries authority, urgency, and a request that fits an existing workflow.
  4. The hook. A direct instruction: wire this payment, change the bank details on this invoice, send the W-2 file, buy these gift cards. Increasingly the hook escalates to a phone call or video conference to "confirm."
  5. The action. The target complies. The transfer goes out, the data is sent, the account is changed. Because the payment moves by wire or ACH through normal channels, it clears every upstream control without an alert.
  6. Exfiltration and cash-out. Funds are routed through mule accounts and moved quickly, often overseas, before the fraud is noticed. Recovery after a few days is rare.

The whole point of defense is to break this chain before stage 5, because once the wire clears, the money is usually gone.

Techniques attackers use

Underneath the pattern, whaling reuses a recognizable toolkit.

  • Executive impersonation. A forged display name, a lookalike domain such as a CEO's name at a near-identical address, or a real account taken over after a credential theft. The closer the sender looks to legitimate, the less it gets questioned.
  • Authority and urgency. The two levers that define whaling. A request that appears to come from the CEO, framed as time-critical and confidential, pushes the target to act before verifying.
  • Pretext built on real events. Attackers time messages to real acquisitions, quarter-end, or an executive's known travel, so the request fits something the victim already half-expects.
  • Deepfake voice and video. The newest and most dangerous shift. Cloned voices authorize transfers over the phone, and generated video puts a fake executive on a conference call. The Arup case showed a multi-person video meeting in which every participant except the victim was synthetic.
  • Thread hijacking. From a compromised mailbox, the attacker replies inside a real, ongoing email thread, inheriting all of its trust and context.

The common thread for defenders: an urgent, confidential request to move money or release data, especially one that discourages normal verification, is the pattern to distrust no matter how senior the apparent sender.

What whaling costs

Whaling and the BEC fraud it feeds are among the most expensive categories of cybercrime, far out of proportion to the volume of messages sent. The attacks are rare compared to bulk phishing, but each success is large.

The FBI's Internet Crime Complaint Center (IC3) reported that business email compromise drove roughly 3.04 billion US dollars in reported losses in 2025 across about 24,768 complaints, an average near 123,000 US dollars per incident. The Arup deepfake fraud alone accounted for about 25.6 million US dollars in a single day. Two structural facts make these losses stick: the money moves by wire or ACH through legitimate payment rails, and the request comes wrapped in executive authority that discourages the one phone call that would stop it.

How to defend against whaling

No single control stops whaling, because it spans technology, people, and process. Defense has to layer all three, with the heaviest weight on process, because the attack targets judgment rather than software.

Process controls (the ones that actually stop the fraud).

  • Verify money and account changes out of band. Any wire request, payment-detail change, or sensitive data release above a threshold must be confirmed through a separate known channel, a callback to a number on file, not a number in the email. A single out-of-band check would have stopped the Arup transfers.
  • Require dual authorization for large transfers. Two people approving independently means one impersonated executive is not enough.
  • Define an exception policy. Make it explicit and safe that "the CEO asked me to skip the process" is itself the red flag, not a reason to comply.
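The three process controls above can be written down as a release gate that finance systems enforce rather than as a policy people are expected to remember. The following is an added example, not code from the original page; the thresholds, the vendor master file, and the two sample requests are constructed for illustration. The key detail is that the gate accepts a callback only to the number stored in the vendor master file, so a number quoted in the request itself can never satisfy the check.

```python
from dataclasses import dataclass, field

# Assumed thresholds for this example (the actual values are the organization's policy choice)
OOB_THRESHOLD = 10_000        # above this, or on any account change, verify out of band
DUAL_AUTH_THRESHOLD = 50_000  # above this, two independent approvers

# Constructed vendor master file: the only acceptable source of callback numbers
VENDOR_MASTER = {
    "V-100": {"name": "Vendor A", "account": "ACCT-ON-FILE-100", "phone": "+1-555-0100"},
}


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    beneficiary_account: str
    requested_by: str
    approvers: list = field(default_factory=list)
    numbers_in_message: set = field(default_factory=set)  # phone numbers quoted in the request
    callback_number_used: str = ""                         # number finance actually dialed
    callback_confirmed: bool = False
    bypass_requested: bool = False                         # "the CEO said to skip the process"


def release_decision(req):
    """Return (release, reasons). Any unmet control holds the payment."""
    reasons = []
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return False, ["vendor not in master file"]

    account_changed = req.beneficiary_account != vendor["account"]

    # Control 1: out-of-band verification to the number on file, never one from the message
    if req.amount > OOB_THRESHOLD or account_changed:
        if not req.callback_confirmed:
            reasons.append("out-of-band callback not completed")
        elif req.callback_number_used != vendor["phone"]:
            source = ("the request message" if req.callback_number_used in req.numbers_in_message
                      else "an unverified source")
            reasons.append(f"callback went to a number from {source}, not the vendor master file")

    # Control 2: dual authorization by people other than the requester
    if req.amount > DUAL_AUTH_THRESHOLD:
        independent = {a for a in req.approvers if a != req.requested_by}
        if len(independent) < 2:
            reasons.append("dual authorization missing")

    # Control 3: a request to skip the process is itself the red flag
    if req.bypass_requested:
        reasons.append("process bypass requested; escalate, do not release")

    return (not reasons), reasons


# Constructed requests: one shaped like a CEO-impersonation wire, one routine payment
SUSPECT = PaymentRequest(
    vendor_id="V-100", amount=80_000, beneficiary_account="ACCT-NEW-999",
    requested_by="ap.clerk", approvers=["ap.clerk"],
    numbers_in_message={"+1-555-0199"}, callback_number_used="+1-555-0199",
    callback_confirmed=True, bypass_requested=True,
)
ROUTINE = PaymentRequest(
    vendor_id="V-100", amount=80_000, beneficiary_account="ACCT-ON-FILE-100",
    requested_by="ap.clerk", approvers=["controller", "treasurer"],
    callback_number_used="+1-555-0100", callback_confirmed=True,
)

if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT), ("routine", ROUTINE)):
        ok, why = release_decision(req)
        print(label, "RELEASE" if ok else "HOLD", why)
```

The suspect request is held for three independent reasons (callback number came from the message, no second approver, bypass requested), so a single impersonated executive cannot clear it; the routine request with the same amount releases because every control is satisfied.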

Technical controls.

  • Authenticate email. Deploy SPF, DKIM, and DMARC so messages spoofing your own domain are rejected. A strong email security gateway also flags lookalike domains and external senders posing as internal executives.
  • Flag external and first-contact senders. A banner on messages from outside the organization, and on senders never seen before, breaks the illusion that a spoofed CEO address is internal.
  • Protect executive accounts hardest. Phishing-resistant MFA such as FIDO2 keys, tighter monitoring, and limited public exposure for the accounts attackers most want to take over.
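To show what DMARC adds on top of SPF and DKIM, here is an added example (not code from the original page) that reads a simplified Authentication-Results header and applies DMARC's alignment rule: a message passes only when SPF or DKIM passes and the authenticated identifier aligns with the visible From domain. The domain names and header values are constructed, and organizational-domain matching is simplified to the last two labels rather than the Public Suffix List.

```python
import re


def parse_auth_results(header):
    """Parse an Authentication-Results header value (RFC 8601 shape, simplified)
    into {method: (result, {property: value})}. Only spf, dkim and dmarc are kept."""
    results = {}
    for clause in header.split(";")[1:]:          # clause 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(.*)", clause)
        if not m:
            continue
        method, result, rest = m.groups()
        props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
        results[method] = (result.lower(), props)
    return results


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    (Real DMARC uses the Public Suffix List; this is an assumption for the example.)"""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def dmarc_alignment(from_domain, header, strict=False):
    """Report which authenticated identifiers align with the RFC 5322 From domain.
    DMARC passes when SPF or DKIM passes AND that identifier aligns."""
    auth = parse_auth_results(header)

    def aligned(identifier):
        if not identifier:
            return False
        if strict:
            return identifier.lower() == from_domain.lower()
        return org_domain(identifier) == org_domain(from_domain)

    spf_res, spf_props = auth.get("spf", ("none", {}))
    dkim_res, dkim_props = auth.get("dkim", ("none", {}))
    spf_id = spf_props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]   # envelope sender domain
    dkim_id = dkim_props.get("header.d", "")                          # signing domain
    spf_ok = spf_res == "pass" and aligned(spf_id)
    dkim_ok = dkim_res == "pass" and aligned(dkim_id)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


# Constructed headers for the organization "northwind-mfg.com" (a made-up domain)
LEGIT = ("mx.northwind-mfg.com; spf=pass smtp.mailfrom=jane.doe@northwind-mfg.com; "
         "dkim=pass header.d=northwind-mfg.com")
# SPF and DKIM both pass, but for a third-party domain: From is spoofed, DMARC fails
UNALIGNED = ("mx.northwind-mfg.com; spf=pass smtp.mailfrom=bounce@bulk-sender.example; "
             "dkim=pass header.d=bulk-sender.example")
# A lookalike domain the attacker controls authenticates cleanly for itself
LOOKALIKE = "mx.northwind-mfg.com; spf=pass smtp.mailfrom=ceo@n0rthwind-mfg.com; dkim=none"
# Legitimate mail from a subdomain: aligned under relaxed mode, not under strict
SUBDOMAIN = "mx.northwind-mfg.com; spf=pass smtp.mailfrom=bounce@mail.northwind-mfg.com"

if __name__ == "__main__":
    print("legit    ", dmarc_alignment("northwind-mfg.com", LEGIT))
    print("unaligned", dmarc_alignment("northwind-mfg.com", UNALIGNED))
    print("lookalike", dmarc_alignment("n0rthwind-mfg.com", LOOKALIKE))
    print("subdomain", dmarc_alignment("northwind-mfg.com", SUBDOMAIN, strict=True))
```

Two caveats follow from the output: a naive "spf=pass" check would wave the unaligned message through, which is exactly what DMARC's alignment requirement prevents; and the lookalike domain passes DMARC for itself, because DMARC only protects mail claiming to be from your domain, which is why lookalike-domain detection remains a separate control.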

Human controls.

  • Train leadership specifically. Executives and their assistants are the targets and need tailored awareness, not the same generic module as everyone else.
  • Make verification blameless. A finance clerk must feel safe pausing a CEO request to confirm it. Culture, not technology, decides whether that callback happens.

How a SOC detects whaling activity

This is the part vendor explainers skip. Most whaling lands as a clean email with no malware, so detection leans on identity and behavior rather than signatures.

  1. Surface the impersonation. Build detections for display-name spoofing of executives, newly registered lookalike domains, and external senders using internal executive names. These fire on the lure itself.
  2. Watch the mailbox. A compromised executive account shows tells: new inbox forwarding rules, logins from unusual locations, and replies to old threads at odd hours. Feed mailbox audit logs into the SIEM and alert on them.
  3. Correlate with finance. The highest-value detections tie an unusual email to an unusual payment. A first-contact external sender followed by a vendor bank-detail change is a pattern worth an immediate hold.
  4. Triage fast and verify out of band. When a whaling attempt is reported, confirm the real sender from the headers, scope who else received it, and trigger the callback process before any payment moves.
  5. Contain and hunt. Purge the message, block the indicators, reset and re-secure any targeted account, revoke active sessions, then hunt for the follow-on activity an attacker would attempt across the environment.
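Steps 1 and 2 above translate directly into detection logic. The following is an added example, not code from the original page or any vendor product: it runs four identity checks over message headers (executive display name on a foreign address, lookalike of the organization's domain, first-contact external sender, Reply-To pointing elsewhere) and two checks over mailbox audit events (new inbox rules that forward mail outside the organization, with or without deleting it). The executive roster, domain, sender history, sample headers, and the simplified audit-event shape are all constructed for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

ORG_DOMAIN = "northwind-mfg.com"                      # assumed internal domain (constructed)
EXECUTIVES = {                                        # constructed roster: lowercase name -> real mailbox
    "jane doe": "jane.doe@northwind-mfg.com",         # CEO
    "rahul mehta": "rahul.mehta@northwind-mfg.com",   # CFO
}
KNOWN_EXTERNAL_SENDERS = {"payables@vendor-a.example"}  # constructed "seen before" history


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain, threshold=0.8):
    """A domain close to, but not equal to, the organization's own domain."""
    if not domain or domain == ORG_DOMAIN:
        return False
    return SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= threshold


def analyze_headers(headers):
    """Return the detection names that fire on one message.
    headers: dict with at least "From"; "Reply-To" is optional."""
    findings = []
    display, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    sender_domain = domain_of(addr)
    external = sender_domain != ORG_DOMAIN

    # 1. Executive display name on an address that is not that executive's mailbox
    real = EXECUTIVES.get(display.strip().lower())
    if real and addr != real:
        findings.append("exec_display_name_spoof")

    # 2. Lookalike of our own domain (a real deployment would also check registration age)
    if is_lookalike(sender_domain):
        findings.append("lookalike_domain")

    # 3. External sender the organization has never corresponded with
    if external and addr not in KNOWN_EXTERNAL_SENDERS:
        findings.append("first_contact_external")

    # 4. Replies silently redirected to a different domain
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("reply_to_mismatch")

    return findings


def analyze_mailbox_event(event):
    """Flag inbox rules that forward mail outside the organization.
    event: dict in a simplified, constructed audit-record shape."""
    findings = []
    if event.get("operation") == "New-InboxRule":
        params = event.get("params", {})
        target = params.get("ForwardTo", "")
        if target and domain_of(target) != ORG_DOMAIN:
            findings.append("external_forwarding_rule")
        if params.get("DeleteMessage"):
            findings.append("forward_and_delete_rule")
    return findings


# Constructed sample messages and audit events
SAMPLE_MESSAGES = {
    "legit_internal": {"From": "Jane Doe <jane.doe@northwind-mfg.com>"},
    "spoofed_name":   {"From": '"Jane Doe" <jane.doe.ceo@freemail.example>'},
    "lookalike":      {"From": "Rahul Mehta <rahul.mehta@n0rthwind-mfg.com>",
                       "Reply-To": "rahul.mehta@webmail.example"},
    "known_vendor":   {"From": "Accounts <payables@vendor-a.example>"},
}
SAMPLE_EVENTS = [
    {"operation": "New-InboxRule", "user": "rahul.mehta@northwind-mfg.com",
     "params": {"ForwardTo": "archive.rm@webmail.example", "DeleteMessage": True}},
    {"operation": "New-InboxRule", "user": "jane.doe@northwind-mfg.com",
     "params": {"ForwardTo": "assistant@northwind-mfg.com"}},
]

if __name__ == "__main__":
    for name, hdrs in SAMPLE_MESSAGES.items():
        print(f"{name:15} -> {analyze_headers(hdrs)}")
    for ev in SAMPLE_EVENTS:
        print(f"{ev['user']:32} -> {analyze_mailbox_event(ev)}")
```

Each check alone is noisy (first-contact senders are common in accounts payable), which is why step 3 matters: the value is in routing a message that fires two or more of these, or any forward-and-delete rule on an executive mailbox, straight to a hold on related payments.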

The skill that matters most is reading a request in context (its headers, its sender, and the payment workflow it claims to belong to) and telling a real executive instruction from a convincing fake.

Frequently Asked Questions

What is whaling in cybersecurity?

Whaling is a targeted phishing attack aimed at senior executives such as a CEO or CFO, or one that impersonates them to pressure an employee. The goal is usually to authorize a fraudulent wire transfer, change payment details, or release sensitive data. It exploits executive authority rather than any software vulnerability.

What is the difference between whaling and phishing?

Phishing is mass, untargeted messaging sent to many people at once. Whaling is highly targeted at, or impersonating, a specific senior executive, using heavy research to make the request credible. A single successful whaling attack is worth far more than a typical phishing hit, which is why attackers invest in the personalization.

Is whaling the same as business email compromise?

They overlap. Whaling specifically targets or impersonates an executive. Business email compromise is the broader fraud category that spoofs or hijacks any trusted business identity to redirect a payment. CEO-impersonation whaling is usually counted as a BEC subtype, which is why their reported losses are tracked together.

How do deepfakes change whaling attacks?

Deepfakes extend whaling beyond email into cloned voice calls and fake video conferences, so a victim can no longer rely on hearing or seeing the executive to confirm a request. In the 2024 Arup case, an employee joined a video call where every participant except them was synthetic and transferred about 25.6 million US dollars.

How can organizations prevent whaling attacks?

The most effective control is out-of-band verification: confirm any large payment or account change through a separate known channel before acting. Layer that with dual authorization for big transfers, email authentication (SPF, DKIM, DMARC), banners on external senders, hardened executive accounts, and a blameless culture where pausing a CEO request to verify it is encouraged.

Who is the target of a whaling attack?

The target is either a senior executive directly, exploiting their broad access and approval authority, or a subordinate who is pressured by an attacker impersonating that executive. Finance staff, executive assistants, and anyone who can move money or release sensitive data are the most common downstream targets.

The bottom line

Whaling is phishing aimed at the top of the org chart, and it works because authority short-circuits scrutiny. It rarely involves malware. It involves a believable request from someone who appears to outrank the person receiving it, increasingly backed by a cloned voice or a deepfake video that defeats the instinct to verify by sight or sound.

The defense is not a better filter alone. It is process: out-of-band verification, dual authorization, and a culture that rewards the employee who pauses to confirm a CEO's urgent request. Technology narrows the funnel, but the attack ends where a person decides whether to make the call before they make the transfer.

