Although we don’t always consider it, cybercriminals often look for the most influential people within a company: senior executives. Why? Because they have access to critical information, handle large amounts of money, and, in many cases, are not as prepared in terms of digital security as they should be.

This is where whaling comes into play: a type of attack aimed at a company’s senior executives, who can approve very large transfers or access sensitive data without many obstacles. And although it may not seem so, these attacks are more common than we think.

To combat this threat, solutions such as Qondar by Enthec help detect and prevent impersonation attempts and fraud targeting senior executives, strengthening the company’s security against attacks such as whaling.

What is whaling and how does it work?

The term whaling comes from the word whale. This attack targets influential people within a company, such as managers, CEOs, CFOs, and others with access to strategic information.

It consists of an advanced form of phishing in which attackers impersonate someone trusted by the victim to trick the victim into performing a harmful action, such as approving a transfer or sharing login credentials.

Criminals often employ several strategies:

  1. Spoofed emails. They use spoofing techniques to make an email appear to come from the CEO, a trusted partner, or even an official body.
  2. Man-in-the-middle attacks. They intercept communications between managers or employees to modify messages and obtain valuable information.
  3. Social engineering. They collect information about the victim from social networks or leaked databases to make their attacks more credible.

Unlike common phishing, which sends mass emails hoping that someone will fall for it, whaling is a personalized and well-crafted attack.

A real case of whaling

Imagine you’re the CFO of a company. You receive an email from the CEO asking you to urgently approve a €250,000 transfer to an account in another country to close an important deal. The message is well written, with the signature and tone that the CEO usually uses. It even includes a quoted earlier reply that looks authentic.

If you have no doubts and make the transfer without confirming it by phone or through a second channel, you have fallen into the trap. Days later, you will discover that the CEO never sent that message and that the money has been lost in a network of accounts that are impossible to trace.

This is not science fiction: companies of all sizes have lost millions to these attacks.


The relationship between whaling and the man-in-the-middle attack

One of the most sophisticated methods cybercriminals use in whaling is the Man in the Middle (MITM) attack.

In this attack, the attacker inserts themselves between two parties (e.g., between a manager and an employee) and manipulates the messages without either victim noticing.

How does a whaling attack work?

A whaling attack follows a meticulous process that can last for weeks. The most common phases are as follows:

1. Reconnaissance and investigation of the victim

Attackers gather publicly available information about the targeted executive, such as their LinkedIn profile, press releases, media statements, and relationships with suppliers and partners. They may also use leaked databases available on the dark web to obtain credentials or personal data.

This information-gathering phase is critical; the more exposed the executive’s digital footprint, the more credible the subsequent attack will be.

2. Construction of the deception

Once they have enough information, the attacker constructs a highly convincing message. The most commonly used cyber whaling techniques include:

  • Email spoofing: falsifying the sender’s address to imitate that of the CEO or another trusted official.
  • Domain typosquatting: registering domains that are almost identical to the corporate domain.
  • Advanced social engineering: the message replicates the tone, vocabulary, and communication style of the supposed sender.
  • Artificial urgency: time pressure is created to stop the victim from verifying the request.

3. Execution: the attack vector

The most common vector for whaling phishing attacks is corporate email, although an increase in combined attacks using the following methods has been detected in 2025-2026:

  • SMS or WhatsApp text messages impersonating the CEO.
  • Phone calls with a voice cloned using AI (deepfake voice).
  • Fraudulent video calls using visual deepfake techniques.

This last point is especially relevant in 2026, as generative AI tools have put voice and video cloning within reach of any cybercriminal, raising the sophistication of whaling attacks to unprecedented levels.

You might be interested in learning more about AI risks to people’s online security.

How does a man-in-the-middle attack work in cybersecurity?

The attacker can:

  • Intercept emails and modify their content before they reach the recipient.
  • Spy on network connections on public or misconfigured Wi-Fi networks.
  • Spoof websites to get the victim to enter their credentials on a seemingly legitimate page.

For example, an executive may send an email with payment instructions, but if there is a man-in-the-middle attack, the hacker can change the target bank account without anyone noticing.

In this case, whaling and the man-in-the-middle attack combine to make the scam even more difficult to detect.


How to identify a whaling attack? Warning signs

Warning signs and why each one is suspicious:

  • Urgent transfer request via email: time pressure is used to prevent verification.
  • The sender uses a slightly different domain: typosquatting technique to confuse the recipient.
  • Request for absolute confidentiality: an attempt to isolate the action from internal controls.
  • The CEO asks for something unusual outside of official channels: real executives use established channels and protocols.
  • Request for credentials or access via email: no legitimate system requests passwords or access by email.
  • Last-minute bank account change: a classic BEC (Business Email Compromise) tactic.
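The signs above can be turned into a simple triage rule for a mail gateway or a SOC script. The Python below is an added example, not Enthec’s or Qondar’s code; it assumes a corporate domain of example-corp.com and uses constructed keyword patterns and a constructed sample message modelled on the CFO scenario in this article.

```python
import re
CORPORATE_DOMAIN = "example-corp.com"  # assumption: the company's real mail domain
# Characters attackers swap into typosquatted domains, mapped to what they imitate
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}
# Keyword patterns (constructed here) for the behavioural signs in the list above
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|right now|today|asap)\b", re.I)
SECRECY = re.compile(r"\b(confidential|between us|do not (tell|mention)|discreet)\b", re.I)
MONEY = re.compile(r"\b(transfer|wire|payment)\b", re.I)
ACCOUNT_CHANGE = re.compile(r"\bnew (bank )?(account|iban|details)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|credentials|login details)\b", re.I)
# Constructed sample message modelled on the CFO scenario in this article
SAMPLE = ("ceo@examp1e-corp.com", "Urgent: deal closing",
          "Please wire the transfer today to the new account details attached. Keep this confidential.")

def normalize(domain: str) -> str:
    """Map lookalike characters to the letters they imitate."""
    d = domain.lower()
    for glyph, real in HOMOGLYPHS.items():
        d = d.replace(glyph, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str) -> bool:
    """Sender domain is not ours but sits within two edits of it after normalization."""
    if domain.lower() == CORPORATE_DOMAIN:
        return False
    return edit_distance(normalize(domain), normalize(CORPORATE_DOMAIN)) <= 2

def warning_signs(sender: str, subject: str, body: str) -> list[str]:
    """Return the warning signs from the list above that a message triggers."""
    text = f"{subject} {body}"
    domain = sender.rsplit("@", 1)[-1]
    checks = [
        (is_lookalike(domain), "sender uses a lookalike domain"),
        (bool(MONEY.search(text) and URGENCY.search(text)), "urgent transfer request"),
        (bool(SECRECY.search(text)), "request for confidentiality"),
        (bool(ACCOUNT_CHANGE.search(text)), "last-minute bank account change"),
        (bool(CREDENTIALS.search(text)), "credentials requested by email"),
    ]
    return [label for hit, label in checks if hit]
```

Keyword matching of this kind is a first filter only; a message that trips two or more signs should be routed to out-of-band verification rather than blocked automatically.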


Keys to avoid a whaling attack

Fortunately, there are ways to protect yourself against these attacks. Here are some fundamental keys to avoid falling into fraud of this type:

1. Always verify through a second channel

If an email or message requests a transfer of money or sensitive information, verify it through another channel. A simple call or message can prevent financial disaster.

2. Avoid overexposure on social networks

The more personal information that is available about a manager, the easier it is for an attacker to forge a credible message. It is advisable to limit public information on LinkedIn and other platforms.

3. Implement email security filters

Whaling attacks usually come by email, so it is essential to have:

  • Advanced email filters that detect phishing.
  • Email authentication (DMARC, SPF, and DKIM) to prevent corporate email addresses from being forged.
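To see what email authentication needs to look like in practice, here is an added Python example (not from the original article or from Qondar) that checks SPF and DMARC TXT records for the settings that still leave a corporate From: address forgeable. The records are constructed samples for the assumed domain example-corp.com, showing a weak pair beside a hardened pair.

```python
# Constructed sample records (not real DNS data): a weak pair and a hardened pair
WEAK = {
    "spf": "v=spf1 include:_spf.mail-provider.example ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-corp.com",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.mail-provider.example -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example-corp.com",
}
# What each SPF 'all' qualifier means for mail from hosts that are not listed
SPF_ALL = {
    "+all": "SPF: +all authorises any host on the internet to send as this domain",
    "~all": "SPF: ~all (softfail) only marks spoofed mail; it is usually still delivered",
    "?all": "SPF: ?all (neutral) gives receivers no signal at all",
}

def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict of lower-cased tags."""
    tags = {}
    for part in filter(None, record.split(";")):
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(spf: str) -> list[str]:
    """Weaknesses in an SPF record that let a forged sender through."""
    terms = spf.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: record missing or malformed"]
    last = terms[-1]
    if last == "-all":
        return []
    return [SPF_ALL.get(last, "SPF: no terminating 'all' mechanism, unlisted hosts are not rejected")]

def dmarc_findings(dmarc: str) -> list[str]:
    """Weaknesses in a DMARC record that leave the From: domain forgeable."""
    tags = parse_dmarc(dmarc)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or malformed"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if tags.get("sp", policy) == "none":  # sp defaults to p when absent
        findings.append("DMARC: subdomain policy is none, subdomains are unprotected")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so spoofing attempts are never reported")
    return findings
```

A real check would fetch the TXT records for the domain and for _dmarc.<domain> with a DNS resolver and pass them to these two functions; p=reject with -all is the combination that makes a forged corporate From: address bounce at compliant receivers.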

4. Employ strict procedures for bank transfers

Transfers should not be approved on the basis of an email or message alone. Implementing double authorization and strict protocols can prevent millions in losses.

5. Keep systems and devices up to date

Attacks exploit vulnerabilities in outdated software. Always keeping your computers up to date with security updates is critical.


Whaling is a dangerous attack that can affect any company, from small startups to large corporations. Most worryingly, it doesn’t require sophisticated malware: just social engineering, spoofing, and a good bit of deception.

If it is also combined with a man-in-the-middle attack, the risks increase since cybercriminals can modify messages without the victim noticing.

The best defense against whaling attacks is prevention: establishing verification protocols and implementing advanced cybersecurity solutions. Tools such as Qondar make it possible to identify and de-identify exposed personal information and fake social profiles, thereby preventing targeted attacks and protecting senior executives from fraud and impersonation attempts. Investing in security is not an option, but a necessity to avoid being the next victim.