

How To Detect and Protect Your Business From Whaling Phishing




Is your business executive protected against whaling phishing?

While whaling cyberattacks are no more complex to prevent than regular phishing, they are often harder to detect, because spear or whaling phishing is more targeted and its content more sophisticated.

According to NCSC UK, the whaling phishing emails are more targeted and relevant to the recipient.

For example, the email message may include personal details so the recipient believes the email is authentic and the sender trustworthy.

Plus, the phishing email content may also use industry-specific jargon and knowledge of the business, so all in all the fraudulent email is harder to detect. With trust established, the recipient clicks a link or opens an attachment without further thought. Then the worst happens: ransomware or a virus is installed on the desktop or device without the recipient’s knowledge.

This is how business data, including passwords, may end up being shared with the hacker, and we all know that never ends well once credentials fall into the wrong hands!

Why Is It Called Whaling Phishing?

In business, ‘whales’ are your executives and are particularly vulnerable to phishing. The most prevalent type of whaling phishing is for stealing credentials – login details, etc.


PhishLabs, in their recent blog post, says two-thirds of spear-phishing emails to executives’ inboxes are for credentials theft. The email contains a link that the recipient clicks or an attachment the recipient opens.

51% of credentials theft is from emails sent to Microsoft 365 (O365). Therefore, the simple solution is for executives to stop using O365, a move which in practice happens not by design but by need.

Since COVID-19, more executives are using their own devices and the following email clients, listed in order of popularity (figures from this source):

  • Apple iPhone (38.9%)
  • Gmail (27.2%)
  • Apple Mail (11.5%)
  • Outlook (7.8%)

The FBI’s Internet Crime Report 2020 is an exciting read.

Stolen funds from cybercriminal activity increased in 2020 to $4.2 billion, with the lion’s share derived from phishing and similar activity.

Age Groups

Upper age groups also lost the most money, with the over-60s age group losing nearly $1 billion, and the next group was 50-59-year-olds, who lost just under $900 million. Arguably, most business executives are in these two age groups.

After the USA, the UK is the next most targeted location.


Businesses need to have a multi-layered whaling security strategy. Moving away from Outlook is smart, but more security measures are required to protect business executives from falling victim to cyberattacks.


Make it compulsory for all your employees, including yourself, to do the online security training and regular refresher courses.

Often the executive team misses out: their subordinates take the course but fail to apply the measures or pass on what they have learned to keep their boss safe.

Social Engineering

What is social engineering, and what role does it play in whaling phishing?

  • It’s a malicious attempt to trick you into revealing information that should be kept private.
  • Following an email, it might be a phone call, and this catches many victims out: the call is not expected, so the request must be genuine, right? No, wrong. NCSC UK calls this cyber-enabled fraud a ‘real-world interaction’.
  • Masquerading as the victim’s close associates and business partners with an email address so close to the real one that only a keen eye for detail will spot the difference between the fake and authentic email addresses. For example, the difference between the two email addresses may be a “-” instead of a “.”, as in [email protected] vs. [email protected]
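The “-” instead of “.” trick above is exactly the kind of difference a mail gateway or SOC script can catch even when a busy executive cannot. The following Python check is an added example written for this article, not code from the original post or from any vendor named here. It parses the From: header, folds common lookalike substitutions (a hyphen for a dot, “rn” for “m”, digits for letters), and compares the sender domain against a list of trusted domains using edit distance. The two trusted domains and the sample headers are constructed for the demonstration.

```python
from email.utils import parseaddr

# Constructed example: your own domain plus one known business partner.
# (Assumption for the demo, not taken from the article.)
TRUSTED_DOMAINS = {"example.com", "partner-corp.com"}

# Single-character swaps that look alike in many fonts, folded before comparing.
_CHAR_MAP = str.maketrans({"-": ".", "0": "o", "1": "l", "5": "s"})


def sender_domain(from_header):
    """Return the lowercase domain of the address in a From: header, or None."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()


def normalise(domain):
    """Fold common lookalike substitutions so 'exarnple-com' compares equal to 'example.com'."""
    return domain.replace("rn", "m").replace("vv", "w").translate(_CHAR_MAP)


def edit_distance(a, b):
    """Levenshtein distance between two strings (iterative dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Classify a From: header as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means the domain is not on the trusted list but, after
    folding, is within max_distance edits of a trusted domain. That is the
    case a human eye tends to miss and the one worth holding for review.
    """
    domain = sender_domain(from_header)
    if domain is None:
        return "unknown"
    if domain in trusted:
        return "trusted"
    folded = normalise(domain)
    for good in trusted:
        good_folded = normalise(good)
        if folded == good_folded or edit_distance(folded, good_folded) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers.
    samples = [
        "Alice <alice@example.com>",
        "CEO <ceo@partner.corp.com>",      # '.' where the real partner domain has '-'
        "CFO <cfo@exarnple.com>",          # 'rn' in place of 'm'
        "Newsletter <news@newsletter.io>", # unrelated domain, not a lookalike
    ]
    for header in samples:
        print(f"{classify_sender(header):9s} {header}")
```

A verdict of “lookalike” is a signal to quarantine or tag the message for a human, not proof of fraud: short trusted domains will collide with legitimate neighbours at an edit distance of 2, so tune `max_distance` per domain length or restrict it to exact matches after folding if the false-positive rate is too high.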

Tech to Prevent Phishing

Training all your workers and executives in social engineering methods is worthwhile, as well as implementing security technologies to prevent phishing, including:

  • Website and email filters, e.g. AVG or Symantec
  • Web isolation – e.g. Cloudflare

See this post explaining browser isolation and how it protects your business from email phishing and from handing over credentials.

Further Reading

Phishing is just one type of cyberattack, and all your staff from the top down need to be updated with the latest cyber threats.

See this business blog article on business network security threats and mistakes. Or this article on DDoS attacks.

We also have a good write-up on ensuring you have protection from identity theft and keeping your identity safe when you are online.

Finally, here is an article for the upper management of your business – how to know if your staff are a cybersecurity risk.