Whaling: A Sophisticated Phishing Scam Targeting Company Executives

April 7, 2020

In this world, where technology makes our information easier to find, we’re all vulnerable to phishing attacks. That risk becomes infinitely greater when you are a business executive with a public profile. It’s essential to publicize your business online in order to grow; but, at what point does that put your entire company at risk for fraud?

Unfortunately, email phishing scams are becoming more sophisticated. One of them, called whaling, is a newer phishing attack aimed at prominent CEOs and other top executives. It occurs when a top executive's identity and email account are compromised. Phishers find passwords that match the ones used for the work email account by combing through social media data together with account logins already known to them (for example, from reused credentials). This is yet another reason why it's critical to use a unique password for every online account.

Once inside the account, the phisher orders employees to send funds or private company information to "their boss" from a recognizable email address. Whaling can be hard to detect because many departments never have direct contact with company executives, so an email from "the boss" is often acted upon quickly and without question.

Once someone clicks on a link or attachment in one of these phishing emails, it will either infect their computer with malware or take the viewer to a normal-looking page designed to convince that person to enter private information. Scammers use that information to gain access to email, bank, or other private accounts. The FBI suspects the Sony Pictures hack in 2014 began with Whaling emails sending malicious attachments to top-level employees who thought they were getting emails from other colleagues.

Thousands of new phishing attacks go out over the internet daily, so the most important thing you can do is listen to your gut. When something feels off, it probably is. However, the whole point of phishing is to get you to do something without raising alarm bells, so you need to practice skepticism even when everything seems fine. Generally, be reluctant to download attachments or click links, no matter who appears to have sent them—particularly now that attackers can send emails that look like they are from your colleague or even your bank*.

Experts agree that you need to scrutinize every unexpected email for suspicious characters, especially in the address it says it came from and any URLs. Also, take extra cybersecurity precautions by enabling multi-factor authentication whenever it is offered, using a password manager or other system to maintain strong passwords, and backing up your data to an external source.
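The sender-address and URL scrutiny described above can be partly automated. The following is an added example written for this article, not code from the original post or from Texas Gulf Bank; the company domain, sender header and links are constructed placeholders. It flags non-ASCII lookalike characters in the sender's domain, a sender domain that differs from the expected one, punycode (IDN) link hosts, and links that bury the real company name inside a subdomain of some other registered domain.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Constructed sample data, not taken from the post. KNOWN_DOMAIN is the
# domain the recipient expects the real executive to write from.
KNOWN_DOMAIN = "example-corp.com"
SAMPLE_FROM = "CEO Jane Doe <jane.doe@examp\u0430le-corp.com>"  # Cyrillic 'а' inside "example"
SAMPLE_LINKS = [
    "https://login.example-corp.com.attacker-example.net/reset",  # brand name in a subdomain
    "https://xn--exampl-corp-xyz.com/invoice",                     # punycode (IDN) host
]

def address_domain(from_header):
    """Domain of the address in <...>, or of a bare address; lower-cased."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()

def check_from(from_header, known_domain):
    """Flag lookalike characters and domain mismatches in the From address."""
    findings = []
    domain = address_domain(from_header)
    for ch in domain:
        if ord(ch) > 127:  # non-ASCII letters are the classic homoglyph trick
            name = unicodedata.name(ch, "UNKNOWN")
            findings.append(f"non-ASCII character {ch!r} ({name}) in sender domain {domain!r}")
    if domain != known_domain:
        findings.append(f"sender domain {domain!r} is not the expected {known_domain!r}")
    return findings

def check_url(url, known_domain):
    """Flag punycode hosts and hosts that embed the brand under another domain."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    findings = []
    if any(label.startswith("xn--") for label in labels):
        findings.append(f"punycode (IDN) label in link host {host!r}")
    registered = ".".join(labels[-2:])  # simplification: last two labels form the registered domain
    if known_domain in host and registered != known_domain:
        findings.append(f"link host {host!r} embeds {known_domain!r} but is registered as {registered!r}")
    return findings

def review_message(from_header, links, known_domain=KNOWN_DOMAIN):
    """Combine sender and link findings; an empty list means nothing was flagged."""
    findings = check_from(from_header, known_domain)
    for link in links:
        findings.extend(check_url(link, known_domain))
    return findings
```

Running `review_message(SAMPLE_FROM, SAMPLE_LINKS)` on the constructed sample returns four findings; a clean message from the expected domain with links to it returns none.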


Finally, if you receive a phishing email or text message, the FTC recommends you report it. The information you give can help fight scammers.

Step 1: Forward suspicious emails to the Anti-Phishing Working Group at reportphishing@apwg.org. Forward suspected phishing text messages to SPAM (7726).

Step 2: Report the phishing attack to the FTC at ftc.gov/complaint.


*Remember that TGB will never email you to ask for confidential information such as your account number, password, personal identification number (PIN), or Social Security number. Beware of fraudsters trying to impersonate Texas Gulf Bank or other companies, charities, or government agencies. If you receive an email that appears to be from us soliciting any confidential information from you, DO NOT respond to the email; CONTACT us immediately.