Alessandro Mirani

Phishing is a well-known social engineering strategy: it consists of constructing emails that contain malicious links and/or files disguised as legitimate, i.e., with the images, references, fonts, and text that would lead one to believe they are genuine. Although it is a dated attack strategy and one that has been combated a great deal, especially through security education, it remains a popular technique. Indeed, we see new forms of phishing such as Whaling emerging. In this article we will delve into what Whaling consists of and what the best techniques are to defend against this type of attack.

Whaling consists of a phishing attack aimed at the executive organs, or at any rate the top officials, of a company. As the name suggests (literally whaling), compared to normal Phishing, which relies heavily on large scale and probability, Whaling relies on the precision of the attack: getting the maximum result from a single, carefully selected and researched subject.

There is, of course, no precise rule for the construction of Whaling attacks, but the essential steps, about which it is good to be informed in order to understand how to defend oneself, are three: planning, reconnaissance and execution.

How Whaling is carried out: planning, reconnaissance and execution

A major investment bank, our competitor, is making an unexpected market move. Perhaps in anticipation of lower returns, or perhaps in anticipation of a major acquisition that was being speculated about. Knowing the reason behind this choice would give us a competitive advantage. The easiest way to obtain secret information is, very often, to ask the right person in the right way. We know that the aforementioned investment bank involved at least three executives in the choice: the CEO, the CFO and the COO. It would be enough to have a conversation with one of these three, pretending to be someone legitimately interested, to have a chance of getting the information we want.

This is the first phase of whaling: planning. It involves figuring out who is the best target to attack based on two elements:

  • Ease of information discovery: which of the individuals considered left the most traces on the Web? How easily accessible is data on an individual’s occupation, habits, and contacts? The easier it is to obtain information about a person, the more appealing the target.
  • Ease of approach: how many publicly accessible channels can be used to contact a person? What and how many security measures filter out contact with agents outside the circle of acquaintances? An individual easily contacted through official channels is certainly an easier target than a person who relies solely on personal meetings to discuss business.

Once you have identified the best target for a whaling attack based on these elements, you can begin to construct the fictitious scenario with which to build the attack.

Reconnaissance is the phase in which, based on what was established in planning, information is collected to construct the fictitious scenario. The reconnaissance phase includes all public and non-public information gathering techniques. Please note that often malicious actors wishing to do spear phishing might make use of several attacks at this stage for the sole purpose of obtaining partial information that they can use to reconstruct complete information. For example, if we wished to have an individual’s phone number, and for some reason we could not get it from the Web or other sources, we might decide to construct a phishing email to send to several contacts we know in his or her circle for the sole purpose of inducing someone to give us this information. Composite attacks in the reconnaissance phase are not unusual, especially in social engineering, which is heavily influenced by information asymmetries: small thefts of information (which are difficult to trace and prosecute) can help in building large scams.

The last phase, execution, consists of the actual Whaling attack. An email, or a series of emails, in which an employee of the same company is impersonated. A call in which the name of a colleague or superior is reported to feign legitimacy. A fake chance meeting in a public place. These are all situations that can be created to impersonate fictitious characters who have the legitimacy to request, and obtain, sensitive information.

Now that you know a little more about how a Whaling attack is constructed, let’s also find out how to defend ourselves.

How to Prevent Whaling

As with any defense against social engineering, and scams in general, it is necessary to become accustomed to performing a number of additional steps, which could easily become a spontaneous habit, especially when handling corporate information.

Whaling, like Phishing, leverages the verisimilitude of constructed pretexts and the fallacy of human attention.

Two seemingly impregnable weaknesses that we can nonetheless train against.

  • Enforce all cyber hygiene rules regarding the privacy of the data you leave online. Check every social network account you own to see exactly who your information is visible to, and make sure that all pages and services to which you provide relevant information comply with privacy laws.
  • Get in the habit of checking the legitimacy of the information you receive. From notifications on your phone to emails in your inbox, always look for additional indicators of legitimacy, especially in communications that impose urgency.

Always remember that the sender name shown in a mail does not necessarily correspond to the account used to send the email. To check the name of the account from which you received an email, place the mouse over the sender’s name and wait a few moments: a text box will appear showing the full address. Alternatively, you can view the fields in full (sender, recipient, bcc, etc.), which usually contain all the information. Use any site you know and trust (such as the header analysis tool provided by Google) to check the headers of the emails you receive. From the email headers you can obtain a lot of important information, such as the IP address the email was sent from, the account that sent it, and the servers it passed through before it reached you.
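The header checks described above, as an added example that is not part of the original article: the script parses a constructed raw message (sample data, not a real email) with the standard library, compares the display name with the actual From address, flags Reply-To and Return-Path domains that differ from it, and pulls the originating IP from the earliest Received hop. The trusted domain, addresses and IPs are invented placeholders.

```python
import re
from email import message_from_string, utils

# Constructed sample (not a real email): the display name claims to be a known
# executive, but the address, Reply-To and Return-Path point elsewhere.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer-example.test>
Received: from mx.example-bank.test (mx.example-bank.test [203.0.113.5])
    by inbox.example-bank.test with ESMTPS; Tue, 2 Jan 2024 09:00:00 +0000
Received: from unknown (HELO relay) (198.51.100.77)
    by mx.example-bank.test with SMTP; Tue, 2 Jan 2024 08:59:58 +0000
From: "Jane Doe" <jane.doe@example-bank.test.mailer-example.test>
Reply-To: cfo-urgent@mailer-example.test
To: cto@example-bank.test
Subject: URGENT wire confirmation needed before noon

"""
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def check_sender(raw: str, trusted_domain: str) -> dict:
    """Compare what the mail client shows (the display name) with what the
    headers actually say, and list every mismatch worth a second look."""
    msg = message_from_string(raw)
    display_name, from_addr = utils.parseaddr(msg.get("From", ""))
    _, reply_to = utils.parseaddr(msg.get("Reply-To", ""))
    _, return_path = utils.parseaddr(msg.get("Return-Path", ""))
    from_domain = domain_of(from_addr)
    findings = []
    if from_domain != trusted_domain.lower():
        findings.append(f"From domain {from_domain!r} is not {trusted_domain!r}")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to!r} uses a different domain")
    if return_path and domain_of(return_path) != from_domain:
        findings.append(f"Return-Path {return_path!r} uses a different domain")
    # Every relay prepends its own Received header, so the last one is the
    # earliest hop. Only hops added by servers you control are trustworthy;
    # anything below them may have been written by the sender.
    hops = msg.get_all("Received", [])
    ip = IPV4.search(hops[-1]) if hops else None
    return {"display_name": display_name, "from": from_addr,
            "origin_ip": ip.group(1) if ip else None, "findings": findings}
```

Run `check_sender(SAMPLE_RAW, "example-bank.test")` to see all three mismatches reported for the sample; a message whose From, Reply-To and Return-Path all sit in the trusted domain produces an empty findings list.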

Of course, also check the accuracy of the information communicated, the correctness of the language used, and the quality of the images and other elements employed to make the email look graphically reliable.

These factors can be replicated with extreme precision, however, so what other precautions do you need to take to recognize fraudulent communications?

The rule of common sense should always be applied: if you don’t expect to receive communications from your favourite courier, Google, or a Facebook contact (even a trusted one), always ask yourself why that expectation was disregarded and in what way. Everyone likes to receive surprise messages and information, but asking what is in a link or an attached zip file before you open it never hurts, especially if you were not expecting to receive anything. Social engineering relies heavily on a sense of urgency or panic. Get in the habit of asking yourself whether the communications you receive are primarily intended to trigger one of these feelings in you, rather than to inform you of something specific. A message from a trusted friend urging you to click on a link to watch a video in which you appear, without giving you any context, should, for example, raise three questions:

  • Why not tell me what exactly it is about, if it is important?
  • Why ask me to access a link and not show me the video directly?
  • Why should I worry about appearing in a video if I know I haven’t done anything illicit in public?

The answer to the first two questions should make us suspect that communication is aimed solely at generating a sense of urgency. The third question should make us think that it is worth waiting and asking rather than clicking on the link.

Whaling is a much more effective strategy than simple phishing because it can rely on a better construction of fraudulent scenarios, while the lapses of human attention do not decrease in proportion to the importance of the position held in a company. This does not mean that you cannot influence the chances of success of a Whaling attack directed at you. Getting into the habit of validating with certainty all information coming through your device is easier and less challenging than it may seem. It is a workout for your mind that in the medium term might even help you save time and benefit in other areas of life. We are not the first in history to explore the virtues of absolute skepticism.
