Whaling

Threats ⚠️ • Social Engineering 👥 • Sec+ Glossary 📖 • Security+ 02 • Difficulty: free

What is Whaling?

Whaling is a highly targeted form of phishing aimed at senior leaders or other high-value individuals, usually to steal sensitive information, gain privileged access, or trigger high-impact business actions such as payments or data disclosure.

Examples

An attacker impersonates outside legal counsel and sends a confidential acquisition-related request to a CEO.
A finance director receives a carefully written email that appears to come from the chief executive and pressures them to approve an urgent wire transfer.

Discover 🔎

Some phishing attacks aim broadly and hope that anyone will respond. Whaling is much more selective. Instead of trying to fool a large number of ordinary users, the attacker focuses on people whose access, authority, or information makes them especially valuable targets.

Senior executives, board members, founders, senior finance staff, and other decision-makers are often attractive because they can approve money movement, access sensitive information, influence staff quickly, and open doors to the rest of the organization. One successful compromise at that level can have consequences far beyond a single inbox.

Remember: Whaling is targeted phishing aimed at big fish—people whose position gives the attacker unusual leverage if the deception works.

Summary 📝

Whaling is a highly targeted form of phishing aimed at senior leaders and other high-value individuals whose authority, access, and visibility make them especially useful targets. It succeeds by combining research, credibility, timing, and the natural pressure surrounding executive decision-making. Strong defense depends on protecting executive accounts well and making sure high-impact actions still require independent verification.

Open the interactive lesson Browse more topics

Tip: The interactive version includes progress tracking, decks, and premium deep dives.