Phishing is a category of attack that ranges from mass-distributed scam emails sent to millions of recipients, to precisely engineered messages crafted for a single individual. Whaling sits at the end of that spectrum where it’s not about volume but about value. The target is a senior executive, a CFO, a CEO, a board member, someone whose authority over financial systems, sensitive data, or organizational decisions makes a successful compromise worth far more than a thousand generic phishing attempts.
Whaling does not rely on malicious attachments or suspicious links that email filters can catch. It relies on social engineering, authority, urgency, and the deeply human tendency to comply with requests from people in power. CISA's joint phishing guidance, produced with the NSA, FBI, and MS-ISAC, identifies two primary phishing tactics:
- credential theft
- malware delivery
Whaling frequently operates outside both categories, weaponizing trust and organizational hierarchy rather than technical exploits. That distinction has direct consequences for how organizations build their defenses.
How whaling works
Whaling is a subset of spear phishing, which itself emerged around 2004 as attackers moved away from mass-mailed generic messages toward carefully crafted emails sent to specifically selected recipients. Miyamoto, Iimura, and Michishita's 2026 research traces whaling as a recognized concept to at least 2007, when incidents targeting executives were first reported. What separates whaling from broader spear phishing is the profile of the target: executives and other key decision-makers whose organizational authority makes them both attractive and dangerous to compromise.
The attack sequence follows a consistent pattern. An attacker identifies a high-value target, a CFO, a chief HR officer, a senior finance executive. They then conduct detailed research, drawing on publicly available information on LinkedIn profiles, company websites, press releases, earnings calls, social media activity, and news coverage. This open-source intelligence enables the construction of a highly personalized message. The attacker knows who the target reports to, what projects are underway, what language the organization uses internally, and what kinds of requests would seem routine coming from a senior leader.
The message itself is engineered to bypass skepticism. It uses the target's name, references real organizational context, and usually arrives with a sense of urgency that discourages verification. The request is typically either financial (a wire transfer, a vendor payment, access to payroll data) or informational (seeking credentials or sensitive records). Unlike phishing emails that distribute malware through attachments, many whaling emails are plain text. They have no suspicious links. They have no attachments to flag. Standard email filters have no technical signal to act on.
Putra and colleagues' analysis of phishing attack trends documents how attackers "change the way they communicate to match their target's characteristics, occupation, and contact list to make their attacks invisible or harder to detect." Miyamoto and his colleagues note that this level of personalization creates a structural problem for traditional detection methods, which "rely on collecting large sets of phishing emails, extracting features from them, and training classifiers." Whaling emails, by design, do not conform to typical phishing patterns and are therefore likely to evade existing detectors.
The psychology behind why it works
Technical defenses alone cannot stop whaling because whaling is not just a technical attack. It is a psychological one. Burrell's research on the cyberpsychology of whaling identifies three interlocking psychological mechanisms that make these attacks effective, particularly in hierarchical organizations.
The first is authority bias, introduced by Tversky and Kahneman in 1974, which describes the cognitive tendency to attribute greater legitimacy to statements or requests from perceived authority figures. When an email appears to come from a CEO, recipients process it differently than they would an equivalent request from a peer. The perceived source triggers a compliance instinct that overrides normal skepticism.
The second is authority-obedience theory, derived from Milgram's obedience experiments, which demonstrates that people will follow directives from authority figures without question, even when those directives seem unusual. In organizational settings, this tendency is reinforced by hierarchy. Employees in universities, hospitals, and corporations are conditioned to respond to requests from senior leadership. Whaling attackers exploit this conditioning directly, impersonating the precise figures whose authority the target is already prepared to obey.
The third is cognitive overload and habitual compliance. Burrell's root cause analysis found that employees operating in high-volume communication environments frequently resort to routine responses, "assuming communications from senior officials were legitimate without thorough verification." When someone is managing a high email volume under deadline pressure, a request that fits the expected pattern of executive communication passes without scrutiny. The attacker does not need to defeat the target's judgment. They need only to arrive at a moment when judgment is already stretched thin.
Burrell's research also documents that social engineering accounts for an estimated 98% of cyberattacks globally, and that spear phishing is responsible for 95% of successful network breaches. The average enterprise faces more than 700 social engineering attempts annually, with average losses reaching $14.8 million for larger organizations. These figures are not a product of technical failure. They reflect the persistent effectiveness of attacks designed around human behavior rather than system vulnerabilities.
Real-world consequences
The scale of losses in documented whaling cases shows why these attacks attract sustained criminal investment.
Snapchat (2015)
An attacker impersonating CEO Evan Spiegel sent an email to a member of the payroll department requesting employee payroll data. The request was fulfilled. Sensitive employee information was exposed. The attack succeeded not through technical intrusion but through a single email that exploited the recipient's deference to perceived executive authority.
Mattel (2015)
The toy manufacturer narrowly avoided a $3 million loss when a senior finance executive received an email from an attacker impersonating the company's new CEO and authorized a wire transfer. A bank holiday prevented the transaction from completing. The timing of the attack, during a leadership transition when a new CEO's communication patterns were not yet familiar to staff, was not accidental.
Serum Institute of India (2022)
Director Satish Deshpande received a WhatsApp message from what appeared to be CEO Adar Poonawalla's own number, instructing him to transfer money to several bank accounts. More than Rs 1 crore (approximately $135,000) was transferred before the company discovered that Poonawalla had sent no such message. The attack moved through WhatsApp rather than email, demonstrating that whaling is not confined to a single delivery channel. The company filed an FIR with Pune police under IPC sections covering cheating by personation and the Information Technology Act.
In all of these cases, the attacker researched the target and the organization, identified a trusted persona to impersonate, and constructed a request that fit within the target's expected workflow. No malware was deployed. No credentials were phished. The organizations were not breached through their systems. They were breached through their people.
The AI escalation
Generative AI has changed the cost and scale of these attacks in ways that make historical defenses inadequate for the current environment.
Heiding and colleagues conducted experiments on fully automated spear phishing using large language models to execute the entire process from target information collection to email creation and delivery. Their results revealed that AI-generated phishing emails achieved a click-through rate of 54%, comparable to the 54% achieved by human experts manually crafting messages, and higher than the 12% rate for generic scam emails. AI-produced target profiles were evaluated as useful and accurate in 88% of cases. The research confirmed that LLMs can improve the cost efficiency and scalability of attacks, enabling adversaries to target many victims with reduced effort.
Miyamoto and colleagues’ research on LLM-based whaling countermeasures confirms this: "The introduction of generative AI has diversified the ways in which phishing attacks are generated and has undermined a key premise of traditional pattern-recognition-based phishing countermeasures, namely that large numbers of similar samples can be collected." When every whaling email is uniquely tailored, pattern-matching defense loses its foundation. The research also found that of approximately 240 million fraudulent emails with identifiable sender information sent worldwide in May 2025, more than 80% targeted Japanese speakers, a pattern the authors attribute directly to generative AI's ability to produce natural-language text in languages previously associated with detectable "unnatural" phrasing.
What Paubox ExecProtect does
Paubox ExecProtect addresses the email-layer dimension of whaling defense by protecting executive-level email accounts from domain name spoofing, one of the primary technical mechanisms whaling attackers use to make fraudulent emails appear legitimate. The system detects when an incoming email uses a domain that mimics a legitimate organizational domain, blocking the message before it reaches the executive's inbox. For healthcare organizations managing HIPAA compliance, ExecProtect adds a targeted layer of protection for the accounts most likely to be exploited in a successful whaling attack.
FAQs
What is social engineering?
Social engineering is the use of psychological manipulation to deceive individuals into taking actions or disclosing information they would not otherwise share. Rather than exploiting technical vulnerabilities in systems, social engineering exploits human behavior, trust, authority, urgency, and habit.
What is spear phishing?
Spear phishing is a targeted form of phishing in which attackers research a specific individual or organization and craft personalized messages designed to appear legitimate to that recipient. Unlike generic phishing, which distributes identical messages to large numbers of people, spear phishing invests the attacker's effort into a single target or a small group.
What is business email compromise (BEC)?
Business email compromise is a category of fraud in which attackers use email, either a spoofed account or a genuinely compromised one, to impersonate a trusted individual and manipulate recipients into transferring funds or disclosing sensitive information.
What is domain spoofing?
Domain spoofing is a technique in which an attacker creates an email address or domain that closely mimics a legitimate one to deceive recipients into believing the message is from a trusted source. A spoofed domain might substitute a character, add a word, or use a different top-level domain, for example, replacing company.com with cornpany.com or company-finance.com.
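As an added example that is not part of the original article or of Paubox's product, the following check applies the three lookalike patterns described above (character substitution, an added word, a swapped top-level domain) to an incoming sender address, assuming a constructed list of the organization's own domains:

```python
# Added example, not Paubox's own code: flag sender domains that mimic one of
# an organisation's legitimate domains using the three tricks the FAQ lists:
# character substitution (cornpany.com), an added word (company-finance.com)
# and a swapped top-level domain (company.co). Domains and addresses below
# are constructed for illustration.
from typing import Optional

PROTECTED_DOMAINS = ("company.com", "company.net")  # assumed legitimate domains

# Character sequences that look alike in common proportional fonts.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def canonical(label: str) -> str:
    """Collapse look-alike sequences so that 'cornpany' becomes 'company'."""
    for seq, repl in CONFUSABLES.items():
        label = label.replace(seq, repl)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch a single swapped or dropped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(address: str) -> Optional[str]:
    """Return why the sender's domain looks like a protected domain, else None.

    Accepts a bare domain or a full address such as 'CEO <ceo@cornpany.com>'.
    Genuine protected domains and their subdomains return None.
    """
    domain = address.rsplit("@", 1)[-1].strip().rstrip(">").lower()
    parts = domain.split(".")
    if len(parts) < 2:
        return None
    label, tld = parts[-2], parts[-1]          # ignore subdomains
    if f"{label}.{tld}" in PROTECTED_DOMAINS:  # legitimate, possibly a subdomain
        return None
    for legit in PROTECTED_DOMAINS:
        l_label, l_tld = legit.split(".")
        if label == l_label and tld != l_tld:
            return f"tld-swap of {legit}"
        if l_label in label:                   # company-finance, companypayroll
            return f"added-word variant of {legit}"
        if canonical(label) == l_label or levenshtein(label, l_label) == 1:
            return f"character-substitution of {legit}"
    return None
```

A match is a reason to hold the message for review rather than proof of fraud; legitimate partners occasionally register domains that contain the organization's name.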