Whaling ... another sophisticated social engineering technique

As we all are aware (I am hoping this to be true), social engineering is the technique wherein attackers exploit human psychology, tricking people into giving up access to sensitive information. As we try and do our best to prevent these attacks, the bad guys keep changing their techniques as well.

In simple terms, whaling is a type of spear phishing. But before going any further, getting clarity on these techniques makes sense (at least from this article's perspective).


  • PHISHING – Uses embedded links that redirect users to suspicious websites whose URLs appear legitimate, in order to gain access to personal (more often financial) information. In many cases such attacks play on fear and a sense of urgency to manipulate the user into acting without stopping to think.
  • SMISHING – Uses SMS to gain access to sensitive information. The text message usually asks the user to call a phone number, which is often answered by an automated response system.
  • VISHING – Uses a phone call to obtain sensitive information. The caller creates a sense of urgency so that the user takes action and gives up sensitive information.
  • SPEAR PHISHING – A targeted and sophisticated attack. Such messages often appear to come from someone known, like a colleague, a family member, a friend or even your bank associate.
  • WHALING – A spear phishing attack that targets high-profile executives who have access to highly valuable information. Whaling is generally more difficult to detect than standard phishing, as these attacks often do not use malicious URLs or attachments. Instead, the bad guys research the company (and its high-profile executives) to fish out critical information about the target. The email is then crafted so that it seems entirely legitimate to the recipient. A successful attack depends on convincing the target that the message is authentic. Some of this information is also available through public sources such as business directories, reducing the bad guys' hard work.
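Because a whaling message often carries no malicious link or attachment, link and attachment scanning alone will miss it; what remains is the sender and header anomalies and the shape of the request itself. The following is an added example written for this article, not code from the author, showing a small heuristic scorer built on exactly those signals. The executive directory, internal domain, vocabulary lists and both sample messages are constructed for the demo.

```python
"""Heuristic scorer for executive-impersonation (whaling) mail.

Added example, not code from the original article. Because a whaling
message often carries no malicious link or attachment, detection has to
lean on sender and header anomalies plus the nature of the request.
Every executive, domain and message below is constructed for the demo.
"""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed directory: display names to protect and their real mailboxes.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Constructed list of the organisation's own sending domains.
INTERNAL_DOMAINS = {"example.com"}

# Pretext vocabulary typical of the "urgent, confidential payment" request.
URGENCY_TERMS = ("urgent", "immediately", "asap", "confidential", "discreet")
PAYMENT_TERMS = ("wire", "transfer", "payment", "invoice", "gift card", "bank details")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _has_any(text: str, terms) -> bool:
    """Whole-word match of any term, so 'asap' does not match 'asaph'."""
    return any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in terms)


def lookalike_domain(domain: str, threshold: float = 0.8) -> bool:
    """True when the domain resembles, but is not, one of our own domains."""
    return any(
        domain != own and SequenceMatcher(None, domain, own).ratio() >= threshold
        for own in INTERNAL_DOMAINS
    )


def score_message(headers: dict, body: str):
    """Return (score, reasons): one point per whaling indicator found."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()

    # 1. Display name of an executive, but not their real mailbox.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append("display name impersonates an executive")
    # 2. Sender domain is a near-miss of an internal domain.
    if lookalike_domain(_domain(addr)):
        reasons.append("lookalike sender domain: " + _domain(addr))
    # 3. Replies would be routed somewhere other than the visible sender.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append("Reply-To differs from From")
    # 4/5. The request itself: pressure to act fast, and money involved.
    text = body.lower()
    if _has_any(text, URGENCY_TERMS):
        reasons.append("urgency language")
    if _has_any(text, PAYMENT_TERMS):
        reasons.append("payment or banking request")
    return len(reasons), reasons


# Constructed sample messages (not real mail).
SUSPICIOUS = {
    "headers": {"From": "Jane Doe <jane.doe@exannple.com>",
                "Reply-To": "ceo.private@mail-example.net"},
    "body": "I need an urgent wire transfer processed before my flight. "
            "Keep this confidential and do not call me.",
}
BENIGN = {
    "headers": {"From": "Bob Smith <bob.smith@example.com>"},
    "body": "Attached are the minutes from Tuesday's planning meeting.",
}

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        score, why = score_message(msg["headers"], msg["body"])
        print(f"{label}: score={score} {why}")
```

The score is a triage aid, not a verdict: a single indicator (a manager genuinely mailing from a personal address, say) is routine, while three or more together is the pattern the article describes and is worth routing to the "call the executive back on a known number" step of the incident process. The lookalike threshold of 0.8 is an assumption and should be tuned against the organisation's own domains.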

By implementing the basics and using common sense, many such attacks can be prevented. Some of the prevention steps are listed below:

  • Security awareness training for all staff, including executives.
  • Phishing simulation exercises to test awareness levels.
  • Implement role-based access control in line with each employee's access requirements.
  • Separation of duties with respect to access to sensitive financial information.
  • Refine the incident management process and be ready to deal with such scenarios.
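Role-based access control and separation of duties are the two steps above that can be enforced in code rather than left to awareness, and together they are what stops a convincing "CEO" email from turning into a wire transfer: even if one person is fooled, one person cannot complete the transaction alone. The following is an added example written for this article, not the author's code, showing both controls as a single invariant over a payment workflow. Roles, users, permission names and the three-step workflow are constructed for the demo.

```python
"""Role-based access control with a separation-of-duties rule for payments.

Added example, not code from the original article. It shows the two
controls from the prevention list as an enforced invariant: no single
person, whatever their role, can create, approve and release the same
payment. Roles, users and the workflow are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed role -> permission mapping (least privilege per role).
ROLE_PERMISSIONS = {
    "ap_clerk": {"payment:create"},
    "finance_manager": {"payment:create", "payment:approve"},
    "cfo": {"payment:create", "payment:approve", "payment:release"},
}
# Constructed user -> roles assignment.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"finance_manager"},
    "carol": {"cfo"},
}


class PolicyError(Exception):
    """Raised when an action violates RBAC or separation of duties."""


@dataclass
class Payment:
    amount: float
    created_by: str
    approved_by: Optional[str] = None
    released_by: Optional[str] = None


def has_permission(user: str, permission: str) -> bool:
    """RBAC check: does any of the user's roles grant the permission?"""
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def _require(user: str, permission: str) -> None:
    if not has_permission(user, permission):
        raise PolicyError(f"{user} lacks {permission}")


def create_payment(user: str, amount: float) -> Payment:
    _require(user, "payment:create")
    return Payment(amount=amount, created_by=user)


def approve_payment(payment: Payment, user: str) -> Payment:
    _require(user, "payment:approve")
    # Separation of duties: the creator may not approve their own payment.
    if user == payment.created_by:
        raise PolicyError(f"{user} cannot approve a payment they created")
    payment.approved_by = user
    return payment


def release_payment(payment: Payment, user: str) -> Payment:
    _require(user, "payment:release")
    if payment.approved_by is None:
        raise PolicyError("payment has not been approved")
    # Separation of duties: the releaser must be a third person.
    if user in (payment.created_by, payment.approved_by):
        raise PolicyError(f"{user} already acted on this payment")
    payment.released_by = user
    return payment


def run_workflow(creator: str, approver: str, releaser: str, amount: float) -> bool:
    """Drive the three-step workflow; True if it completes, False if policy blocks it."""
    try:
        payment = create_payment(creator, amount)
        approve_payment(payment, approver)
        release_payment(payment, releaser)
        return True
    except PolicyError:
        return False


if __name__ == "__main__":
    # Three different people with the right roles: succeeds.
    print("alice/bob/carol:", run_workflow("alice", "bob", "carol", 25_000))
    # The CFO alone, even holding every permission: blocked by separation of duties.
    print("carol/carol/carol:", run_workflow("carol", "carol", "carol", 25_000))
    # A clerk trying to approve: blocked by RBAC.
    print("alice/alice/carol:", run_workflow("alice", "alice", "carol", 25_000))
```

The point of the second case is that the separation-of-duties rule is checked on the payment's history, not on the role: the person with the most privilege is still refused the second and third step on a payment they started, which is precisely the account a whaling email tries to borrow.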

By: Sapan Talwar