What is whaling?
Whaling is a type of phishing attack that specifically targets high-level executives and decision-makers to steal money or sensitive information. These attacks focus on the biggest targets in your organization, like the CEO, CFO, and other C-suite executives, who have access to highly sensitive financial systems and the authority to sign off on large transactions.
These attacks work because they exploit how executives operate. Leaders often work odd hours, make time-sensitive decisions, and have unique communication patterns. Attackers study these habits and use them to their advantage.
Recent whaling attacks have made headlines and cost organizations serious money. In early 2025, Arup’s Hong Kong office fell victim to an AI-driven whaling scam. Deepfake video and voice clones of executives convinced a finance employee to transfer HK$200 million (US$25.6 million) to fraudsters.
Fun fact: The term "whaling" comes from the size and value of the target, similar to how historical whalers hunted the largest creatures in the ocean for their valuable resources. Modern cybercriminals use the same logic. Why target small fish when you can go after the whales with access to the biggest payouts?