Connect with us


How To Detect and Protect Your Business From Whaling Phishing

Last updated by



Is your business executive protected against whaling phishing?

While whaling cyberattacks are no more complex to prevent than regular phishing, they are often harder to detect. Spear or whaling phishing is more targeted insofar as the content is more sophisticated.

According to NCSC UK, the whaling phishing emails are more targeted and relevant to the email recipient.

For example, the email message may include personal details, so the recipient believes the email is authentic and the sender trustworthy.

Plus, the phishing email content may also use industry-specific jargon and knowledge of the business. Therefore all up the fraudulent email is harder to detect. With trust established, the recipient clicks a link or opens an attachment without further thought. Then worst happens – ransomware or a virus is installed on the desktop or device without the recipient’s knowledge.

This is how business data may end up being shared with the hacker that may include passwords which we all know when they fall into the wrong hands, it is never going to end well!

Why Is It Called Whaling Phishing?

In business, ‘whales’ are your executives, and they are particularly vulnerable to phishing. The most prevalent type of whaling phishing is for the stealing of credentials – login details etc.


PhishLabs in their recent blog post says two-thirds of spear-phishing emails to executives inboxes is for credentials theft. Where the email contents contain a link that the recipient clicks or an attachment the recipient opens.

51% of credentials theft is from emails sent to Microsoft 365 (0365). Therefore the simple solution is for executives to stop using O365, and this is happening if not by design but by need.

Since COVID-19 more executives are using their devices and the following email clients in order of popularity from this source:

  • Apple iPhone (38.9)
  • Gmail (27.2)
  • Apple Mail (11.5)
  • Outlook (7.8%)

The FBI’s Internet Crime Report 2020 is an interesting read.

Stolen funds from the cybercriminal activity was up in 2020 to $4.2 billion, with the lion’s share derived from phishing and similar activity.

Age Groups


Upper age groups also lost the most money, with the over 60s age group losing nearly $1 billion and the next group was 50-59-year-olds, and they lost just under $900 million. Arguably most business executives are in these two age groups.

After the USA, the UK is the next most targeted location.


Businesses need to have a multi-layered whaling security strategy. Moving away from Outlook is a smart move, but more security measures are required to keep business executives protected from falling victim to cyberattacks.


Make it compulsory for all your employees, including yourself, to do the online security training and regular refresher courses.

Often, the executive team misses out, and their subordinates take the course, but they fail to apply the measures and pass on the knowledge they’ve learned to keep their boss safe.

Social Engineering

What is social engineering, and what role doe it have in whaling phishing?

  • It’s the malicious attempt to trick you into revealing information that should be kept private
  • Following an email, it might be a phone call, and this catches many victims out as the call is not expected, so the request must be valid- right? No wrong. NCSC UK calls this: cyber-enabled fraud with a ‘real-world interaction
  • Mascarades as the victim’s close associates, business partners, with an email address so close only a very keen eye to detail will spot the difference between the fake email address from the authentic email address. For example, the difference between the two email addresses may be “-” instead of a “.” as in [email protected] vs [email protected]

Tech to Prevent Phishing

Training all your workers and executive in social engineering methods is worthwhile, as well as implementing security technologies to prevent phishing, including:

  • Website and email filters e.g. AVG or Symantec
  • Web isolation – e.g. Cloudflare

See this post for an explanation of browser isolation and how it works to protect your business from email phishing and passing on credentials.

Further Reading

Phishing is just one type of cyberattack, and all your staff from the top down need to be kept up to date with the latest cyber threats.

See this business blogs article on business network security threats and mistakes. Or this article on DDoS attacks.

We also have a good write up on how to ensure you have protection from identity theft and keep your identity safe when you are online.

Finally, here is an article for the upper management of your business – how to know if your staff are a cybersecurity risk.

Continue Reading