What Is Whaling? The Phishing Attacks Explained

Ever since digital communication hit the mainstream there have been odious people using it to try and take advantage of unassuming victims. Hacking, malware, spyware, ransomware — it feels like there's no end to these harmful scams. But perhaps the most common scamming method is phishing (per Norton).

Just about anyone (or even any company) with an email address can be, and probably already has been, a target. In general, phishing refers to emails and other forms of digital contact that have been designed to look like they're from a legitimate, trustworthy source when they're actually from a cyber attacker.

By impersonating someone or something official, attackers are sometimes able to trick their target into sharing personal information that can later be used to hijack accounts, steal money, run up credit card bills, and more. Some phishing emails will try to convince the target to download and open a file that's hiding some form of 'ware (malware, ransomware, etc.).

What is whaling?

Whaling — in the context of online scams, not the horrendous practice that was outlawed in the U.S. in the '70s — is much like phishing in that it involves tricking a target with a fraudulent message of some kind. Also, like phishing, this correspondence typically involves attempting to convince a target to share personal information, reveal company information that could be used for more attacks in the future, or even directly transfer money. The primary difference, and the reason it's called "whaling" to begin with, is who the scam targets.

Unlike phishing, which (for lack of a better term) usually involves proverbially casting a wide net by sending mass messages out to a large number of people in the hopes that one or two may respond, whaling is much more precise and is most often aimed at senior executives, CEOs, and other high-ranking positions in businesses and corporations (per Malwarebytes).

Because these attacks are much more focused, they can also be more difficult to catch in time. Attackers may send an official-looking email that appears to be from a trusted source at first glance, but they may also attempt to follow up on the fake email over the phone and then continue to pretend that they're working for that trusted source. Attackers sometimes even take to social media in an attempt to deceive their selected victim.

How to avoid whaling

You should always be wary of phishing scams, whether from email, social media, or over the phone. But unless you have a high-ranking job somewhere, your chances of becoming a whaling target are low. Still, never stop keeping an eye out for phishing and whaling attempts.

Regardless, much like with phishing, the best way to avoid a whaling scam is to pay close attention to where your emails, messages, and phone calls are coming from. This can be way more difficult under these circumstances since whaling scams tend to put a lot more time and effort into appearing legitimate.

Sometimes an email address or contact name may look correct, but it's actually ever-so-slightly misspelled or perhaps uses an underscore instead of a period. Maybe a call from a company you normally hear from appears to be coming from a new number. You could also receive a message from someone you work with, but their spelling or grammar doesn't look quite the same (per Investopedia). Also be extremely cautious if someone (a coworker, boss, client, etc.) is asking you for information or money in a way that's even a little bit suspicious.

If you're even the least bit unsure — especially if it involves sensitive information or money — take a little bit of extra time to double-check everything. Compare email addresses. Tell the caller that you'll call them back, and use the same number you've always used. Ask your coworker if they're for sure the one who sent you that email.

It may slow things down slightly, but it's better than the alternative.