What is whaling?


Whaling is an email-based cybercrime that is closely related to phishing. Like phishing, its objective is to acquire money, data or other sensitive information by misleading targets into making transactions, or by using links and attachments to hack into business systems.

Here, however, it is the bigger fish – the whales – who are the focus. Whaling attacks are increasing at an alarming rate, rising 200% between 2017 and 2018 alone, with forecasts suggesting that this cybercrime will cost the global economy six trillion dollars by 2021.



Whaling Attack

Whaling imitates high-profile individuals over email to falsely authenticate a fraudulent request and increase the likelihood of follow-through. These emails typically contain requests for financial transactions, have a short deadline and override standard procedure. To make emails convincing, whalers take a sophisticated approach to preparation. They will:

  • Identify a target within a business that’s most likely to be trusted and complied with
  • Research compelling events that can be exploited, such as a new owner or supplier
  • Meticulously research targets and use their knowledge to imitate language style and personalise content. This is known as “social engineering”
  • Craft their request to appear legitimate and not unusual


Certain professions and positions are naturally at greater risk of whaling. Finance Directors and Finance Officers are particularly tempting targets for whaling attacks, due to their access to money and data, and their influence within a business.



As such, senior finance professionals suffer a double blow. They’re highly likely to be imitated – impacting company reputation – and equally likely to be targeted, resulting in potential revenue loss and personal consequences.



What is the potential damage?

If whaling emails are not correctly intercepted, FDs and CFOs can open a backdoor into the business for hackers, malware and spyware. Depending on the severity of the attack, this can have devastating consequences for business continuity and data protection. A successful whaling attack can also affect companies large and small in the following ways:


1. Bottom line and growth

Whalers are primarily interested in stealing or extorting money (although they may also target high-value data), and they’ll try for as much as possible. As such, a company’s bottom line can be significantly impacted – and growth hampered – as a direct result of financial theft. Associated recovery costs such as remedial action, legal fees or customer reimbursements can quickly inflate the cost to the business.

2. Reputation and brand

Should word of a successful attack extend beyond the business’ four walls, customers, the public and those in your industry may lose confidence in your brand and choose to take their business elsewhere. People generally expect that modern companies have the technology and processes to prevent or manage cyber threats – if you fall short, trust and brand positioning will inevitably suffer.

3. Personal impact

Nobody wants to be branded as the cause of a successful cyberattack, particularly a senior finance professional. An FD or CFO’s judgement may be called into question, and the respect of colleagues may be lost. There is also the matter of personal implication and possible investigation into wrongdoing, which risks a permanent stain on an otherwise good record.



How to minimise risk

1. Education from the top down

Make cyberthreat education part of company culture from the top down. It’s essential that senior management, especially those in key finance-related positions, are knowledgeable about whaling and how to combat it. For cyberthreats and their associated business risk to be taken as seriously as they deserve, the threat of whaling must be given a voice at board level. If those in senior finance positions fly the flag and set the example, others are more likely to follow suit. FDs and CFOs can make a meaningful impact by introducing training workshops and continual awareness training.

2. Investigate specialist cybersecurity

Education can help halt whaling attempts that reach inboxes, but there is cybersecurity software on the market – such as email filtering – which can identify certain emails and prevent them from being delivered. This could serve as the first line of defence and be configured so that FDs and CFOs have more specific protection levels based on relevant keywords. We recommend booking a professional IT audit to identify weaknesses and match you with a cybersecurity product that assesses and intercepts threats in real time.
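A minimal sketch of the keyword- and role-based filtering described above, added here as an illustration and not taken from K3 or any filtering product. It scores a message on the traits listed earlier (an imitated senior name, a financial request, a short deadline, a request to bypass procedure) and quarantines on fewer signals when the recipient is a finance mailbox; the domains, names, keyword lists and thresholds are all assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical configuration, invented for this example.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> genuine address
PROTECTED = {"fd@example.com", "cfo@example.com"}   # finance mailboxes, stricter threshold
SIGNALS = {                                         # keyword groups for the traits above
    "payment": r"\b(wire|bank transfer|payment|invoice|bank details)\b",
    "deadline": r"\b(urgent|immediately|today|by end of day|within the hour)\b",
    "bypass": r"\b(confidential|skip the usual|outside the normal process)\b",
}

def assess(raw):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, rcpt = parseaddr(str(msg.get("To", "")))
    part = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')} {part.get_content() if part else ''}".lower()
    reasons = []
    # A known executive's display name on any address other than the genuine one.
    genuine = EXECUTIVES.get(name.strip().lower())
    if genuine and addr.lower() != genuine:
        reasons.append("exec-name-mismatch")
    reasons += [label for label, pat in SIGNALS.items() if re.search(pat, text)]
    # Protected finance recipients are quarantined on fewer signals.
    threshold = 2 if rcpt.lower() in PROTECTED else 3
    return ("quarantine" if len(reasons) >= threshold else "deliver"), reasons

def make(sender, to, subject, body):
    """Build a constructed sample message."""
    return f"From: {sender}\nTo: {to}\nSubject: {subject}\n\n{body}\n"

# Constructed samples, not real mail.
SPOOF = make('"Jane Doe" <jane.doe@examp1e-pay.test>', "fd@example.com", "Urgent payment",
             "Please wire the supplier payment today. Keep this confidential.")
ROUTINE = make('"Jane Doe" <jane.doe@example.com>', "fd@example.com", "Q3 invoice review",
               "The Q3 invoice pack is attached for next week's approval run.")
VENDOR_TO_FD = make("Bob Smith <bob@vendor.test>", "fd@example.com", "Invoice 1042",
                    "Please settle this invoice by end of day.")
VENDOR_TO_STAFF = VENDOR_TO_FD.replace("To: fd@", "To: staff@")

if __name__ == "__main__":
    for label, raw in [("spoof", SPOOF), ("routine", ROUTINE),
                       ("vendor->FD", VENDOR_TO_FD), ("vendor->staff", VENDOR_TO_STAFF)]:
        print(label, assess(raw))
```

The same vendor message is quarantined for the FD mailbox but delivered to an ordinary one, which is the per-role protection level in practice; quarantined mail still needs a human to confirm the request through a separate channel.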

3. Be mindful with social media

As we’ve discussed, whalers imitate influential colleagues, suppliers or leaders to get a result. And social media serves as a bountiful source of (frequently) unfiltered information, which can be exploited for convincing imitation. Be wary of the sensitivity of what you’re sharing – even if you consider it the day to day – and keep profiles private. It may be unremarkable to you, but of great advantage to a whaler looking to pose as a senior finance exec.

4. Get cyber insurance

The growing number of cyberattacks has increased demand for digital insurance products such as cyber insurance. As an FD or CFO, profit and loss and business planning are key concerns, and it’s sensible to have a specialist buffer in place to prevent cash haemorrhaging in the worst-case scenario. If requirements are met, cyber insurance can cover losses, reimburse customers and even provide PR support to help mitigate reputational damage. But it won’t completely undo brand damage or negative press.




by Tom Mercer

Customer Relationship Manager - MSP

A business technologies specialist for over 8 years, with unrivalled expertise in helping customers to maximise their business systems, hosted solutions and cybersecurity through support and account management.