Cybersecurity Awareness: Whaling Attacks

“Phishing” is the use of fraudulent messages, typically sent by email or instant messaging, in an attempt to obtain sensitive information. The scammer deceives the intended recipient by using a trusted name as the sender and trusted-looking websites in the message body. The user is directed to a fake website that asks for personal information as verification before a transaction can proceed. Once that information is entered, the scammer has successfully collected the user’s identity.

“Spear-phishing” is a form of phishing that targets individuals: the attack is aimed at a specific victim, and the message is tailored to address that victim directly.

“Whaling” attacks are a form of spear-phishing that targets specific, high-ranking victims within a company. Both spear-phishing and whaling take much more time and effort to execute than ordinary phishing because the scammer must gather personal details about the target to make the message appear legitimate.

A whaling message may look like the following. Assume that “John Doe” is a trusted high-ranking colleague with whom you, Jane Doe (jane.doe@okstate.edu), regularly communicate via his business address. For our example, John’s business address is normally john.doe@okstate.edu.

****

From: "John Doe" <john.doe123@yahoo.com>
To: "Jane Doe" <jane.doe@okstate.edu>
Subject: 

Are you available?

John Doe
Dean, Agricultural Systems
Oklahoma State University

****

Normally, this message might seem legitimate: we recognize and trust the sender, the signature line looks correct, there is no web link, and the sender simply asks for a response. The first thing – perhaps the only thing – that seems odd is that the return address is not the sender’s business email address. If we reply to this message, the scammer learns that our email address is valid, and we can expect a follow-up message that either includes a web link to a site requesting our credentials or carries an attachment contaminated with malware.

If we suspect the message is a whaling attempt, rather than replying, forward the message to the email address stored in our Contacts for this person. In our example, we would forward the message to john.doe@okstate.edu. This bypasses the potential scammer and lets us communicate directly with the purported sender.
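The check described above (a familiar display name paired with an address that is not the one we have on file for that person) can be automated on the recipient side. The following Python script is an added example written for this page; it is not code from the original article or from Oklahoma State University. It parses a constructed copy of the sample message, looks the display name up in a hypothetical contact list, and reports whether the sender address matches the known business address and, if not, which address the message should be forwarded to instead of replying. The contact list and the result field names are assumptions for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the message shown in the article (not a real email).
SAMPLE_MESSAGE = """\
From: "John Doe" <john.doe123@yahoo.com>
To: "Jane Doe" <jane.doe@okstate.edu>
Subject: 

Are you available?

John Doe
Dean, Agricultural Systems
Oklahoma State University
"""

# Hypothetical address book: display name -> the business address we normally use.
CONTACTS = {
    "John Doe": "john.doe@okstate.edu",
}


def check_sender(raw_message, contacts=CONTACTS):
    """Compare the From header against the address book.

    Returns a dict with a verdict:
      "ok"             - display name is known and the address matches our contact entry
      "suspicious"     - display name is known but the address is different (possible whaling)
      "unknown-sender" - display name is not in our contacts, so nothing to compare against
    For a suspicious message, "forward_to" holds the known address to use instead of replying.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    display_name = display_name.strip()
    address = address.lower()

    # Case-insensitive lookup by display name.
    known_by_name = {name.lower(): addr.lower() for name, addr in contacts.items()}
    known_address = known_by_name.get(display_name.lower())

    result = {
        "display_name": display_name,
        "address": address,
        "forward_to": None,
    }
    if not display_name or known_address is None:
        result["verdict"] = "unknown-sender"
        return result

    if address == known_address:
        result["verdict"] = "ok"
        return result

    # Trusted name, untrusted address: the signal the article calls out.
    sender_domain = address.rsplit("@", 1)[-1]
    known_domain = known_address.rsplit("@", 1)[-1]
    result["verdict"] = "suspicious"
    result["reason"] = (
        f"display name matches contact but address differs "
        f"(got {address}, expected {known_address}; "
        f"domain {'differs' if sender_domain != known_domain else 'matches'})"
    )
    result["forward_to"] = known_address
    return result


if __name__ == "__main__":
    outcome = check_sender(SAMPLE_MESSAGE)
    print(outcome["verdict"])
    if outcome["verdict"] == "suspicious":
        print("Do not reply. Forward to:", outcome["forward_to"])
        print("Reason:", outcome["reason"])
```

Running the script on the sample prints a "suspicious" verdict with john.doe@okstate.edu as the forward-to address. The same function returns "ok" when the From address is the one on file and "unknown-sender" when the display name is not in the address book, which is the case where this particular check cannot help and the other cues from the article (unexpected links, attachments, unusual requests) still apply.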

Sources:

  • https://en.wikipedia.org/wiki/Phishing
  • https://digitalguardian.com/blog/what-is-spear-phishing-defining-and-differentiating-spear-phishing-and-phishing
  • https://digitalguardian.com/blog/what-whaling-attack-defining-and-identifying-whaling-attacks