How to Spot a Scam: Whaling

What is “Whaling”?

Whaling is a highly targeted type of phishing. Instead of going for “small fish,” whaling attempts to scam individuals holding top positions at an organization. Scammers use elaborate social engineering tactics to pass off their communications as legitimate. In this email we’ll talk more about whaling, how to spot it, and how to protect yourself from such attacks.

What does a Whaling attack look like?

In the world of scam emails, Whaling emails often have the highest “production value.” Seeing as they are directed at top-level employees, the scammers need to be more detail-oriented in their approach. Compared to more general phishing emails, whaling attacks tend to do the following:

  • Use correct grammar throughout
  • Make less urgent and more reasonable requests
  • Seem genuinely familiar with you/your organization

Some examples of Whaling emails:

Here we have a few examples provided by Eastern Kentucky University. Notice how in these emails the requests are not as forceful as others we’ve seen. If responded to, these emails will lead to the scammer requesting sensitive information or sending malicious software as an attachment.

Source of photos: Eastern Kentucky University

In each of these examples, a closer look at the email addresses shows that the messages are fraudulent. Scammers can easily “spoof” the display name, setting it as “Michael T. Benson,” but looking at the email address we can see the message is coming from an odd address. This is why it’s always a good idea to double-check the sender’s email address.

Keep in mind that email applications do not always display the sender’s email address. If that is the case you will have to manually reveal it. How to do this will depend on the email client you use, but in most cases clicking the sender’s name will prompt it to show the actual address.
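
The same check can be automated at the mail gateway or in a reporting tool. The following is an added example, not code from the original post: it flags a message whose display name matches a protected executive name while the real address is outside the organization's domain. The domain `example.edu`, the sample addresses and the function names are assumptions made for illustration.

```python
from email import message_from_string, policy
import unicodedata

# Assumed values for illustration: the organization's mail domain and the
# executive names to protect (the name is the one used in the article).
ORG_DOMAINS = {"example.edu"}
PROTECTED_NAMES = ["Michael T. Benson"]

def name_tokens(name):
    """Lower-case, strip accents and punctuation, drop single-letter initials."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    words = "".join(c if c.isalnum() else " " for c in text.lower()).split()
    return frozenset(w for w in words if len(w) > 1)

PROTECTED = [name_tokens(n) for n in PROTECTED_NAMES]

def check_sender(raw_message):
    """Return (verdict, display_name, address) for one raw email message."""
    sender = message_from_string(raw_message, policy=policy.default)["From"]
    if sender is None or not sender.addresses:
        return ("no-sender", "", "")
    addr = sender.addresses[0]
    shown = name_tokens(addr.display_name or "")
    # The display name is free text chosen by the sender; only the address
    # domain says where the message claims to come from.
    claims_executive = any(p <= shown for p in PROTECTED)
    if claims_executive and addr.domain.lower() not in ORG_DOMAINS:
        return ("suspicious", addr.display_name, addr.addr_spec)
    return ("ok", addr.display_name, addr.addr_spec)

# Constructed sample messages (not real mail).
SAMPLES = [
    'From: "Michael T. Benson" <mtbenson.office@mail.example.net>\n'
    "Subject: Quick request\n\nAre you available?\n",
    'From: "Benson, Michael" <president.desk@example.com>\n'
    "Subject: Favor\n\nI need your help with something.\n",
    'From: "Michael T. Benson" <michael.benson@example.edu>\n'
    "Subject: Agenda\n\nSee you Monday.\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_sender(raw))
```

The name comparison ignores word order, punctuation and middle initials, so “Benson, Michael” is treated the same as “Michael T. Benson.”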

What can you do to protect yourself?

Like all the scams we’ve discussed, whaling can cause serious damage to an organization. In addition to the safety recommendations we’ve discussed for other types of phishing, here are some tips that apply especially to whaling attacks:

  • Be mindful about social media posts. Since whaling requires personal details, scammers often turn to social media for research. For example, in their article on whaling, Cornell University suggests waiting until you get home to post about traveling for work or vacation. Details about where you are and on which dates can be used to impersonate you more believably to coworkers.
  • Establish strict verification procedures. In this 2024 article from, they suggest taking time to create a plan to verify high-value requests. For example, deciding in advance that a high-value fund transfer must be requested through two separate, trusted communication channels (e.g., a designated email and phone number).

If you are interested in learning more about how to strengthen your cybersecurity processes, please call 818-832-2310 or email

That’s all…for now!

We hope you’ve found this information useful. We look forward to our next email where we will discuss “Smishing” and “Vishing”—phishing attacks that take place over text, call, and social media. Until then, stay safe!