Who Are the Targets of Whaling Attacks? (And Why They’re Chosen)

Who are the targets of whaling attacks? Whaling attacks target C-level executives like CEOs, CFOs, and COOs, but also staff who have access to sensitive company data or finances.

These roles are chosen deliberately. The higher up you are, the fewer checks exist on your decisions. Executives can approve wire transfers, share sensitive data, and authorize transactions without requiring a colleague’s approval.

That is exactly what hackers are looking for when conducting a whaling attack.

To reach them, attackers use spoofing: faking the appearance of a legitimate email address, domain, or display name to impersonate someone the target trusts. This could be a legal authority, a B2B vendor, an IT or HR colleague, or even another executive.

The goal is always the same: to make the request indistinguishable from a real one.
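The spoofing described above leaves traces a mail gateway can check before the message ever reaches an executive. The following is an added example, not code from the article or any product it cites: it parses an inbound message and flags an executive's display name on a foreign address, a sender domain one character away from the organisation's own, a Reply-To pointing elsewhere, and a recorded DMARC failure. The domain, directory and sample messages are constructed for the demo.

```python
"""Added example (not from the article): flag inbound mail whose sender looks
like a trusted executive or the internal domain but does not actually come from one.
All names, addresses and messages below are constructed for the demo."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                    # constructed organisation domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # constructed directory: display name -> real address


def is_lookalike(domain: str, reference: str) -> bool:
    """True when `domain` is one edit (substitution, insertion or deletion) away
    from `reference`, e.g. examp1e.com vs example.com. Identical domains are not look-alikes."""
    if domain == reference:
        return False
    if len(domain) == len(reference):
        return sum(a != b for a, b in zip(domain, reference)) == 1
    if abs(len(domain) - len(reference)) != 1:
        return False
    short, long = sorted((domain, reference), key=len)
    i = 0
    for ch in long:  # walk the longer string, consuming the shorter one in order
        if i < len(short) and short[i] == ch:
            i += 1
    return i == len(short)


def assess(raw_message: str) -> list:
    """Return the findings for one RFC 5322 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    sender_domain = sender.rpartition("@")[2]
    findings = []

    # 1. A known executive's display name on an address that is not theirs
    known = EXECUTIVES.get(display_name.strip().lower())
    if known and sender != known:
        findings.append("display-name-spoof")

    # 2. Sender domain one character away from our own
    if is_lookalike(sender_domain, INTERNAL_DOMAIN):
        findings.append("lookalike-domain")

    # 3. Replies routed to a different domain than the visible sender
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to.rpartition("@")[2] != sender_domain:
        findings.append("reply-to-mismatch")

    # 4. The receiving gateway recorded a DMARC failure for this message
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth:
        findings.append("dmarc-fail")
    return findings


# Constructed sample messages
SPOOFED_LOOKALIKE = """From: Jane Doe <jane.doe@examp1e.com>
To: cfo@example.com
Reply-To: jane.doe@mail-relay.invalid
Subject: Urgent wire, keep this between us

Please process the attached invoice today.
"""

SPOOFED_DIRECT = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Authentication-Results: mx.example.com; dmarc=fail (p=reject) header.from=example.com
Subject: Vendor payment

Approve the transfer below.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Subject: Board deck

Draft attached.
"""

if __name__ == "__main__":
    for label, raw in (("lookalike", SPOOFED_LOOKALIKE), ("direct", SPOOFED_DIRECT), ("legit", LEGIT)):
        print(label, assess(raw))
```

None of these four checks proves fraud on its own; the point is that a message carrying an executive's name with any of them set should be routed to out-of-band verification rather than acted on, which is exactly the step the attacks in this article depend on skipping.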

How Whaling Works

A whaling attack starts with reconnaissance.

Attackers study their target’s role, communication style, and ongoing business activities before sending a single message. When they strike, the email looks and reads like it came from someone with authority.

What makes whaling particularly effective is that it exploits real context. Attackers don’t just fake an email address. They construct a believable situation around it.

In the Levitas Capital case, which is discussed later in this article, the criminals didn’t simply ask for a wire transfer, which would have been easy to flag as suspicious.

They created a scenario where a legitimate third party appeared to be requesting a routine payment, complete with a convincing invoice. Nothing about it looked out of place.

This is where the danger compounds. If an executive’s email is compromised, attackers can monitor ongoing conversations, learn the exact language used, and time their move to match a real business situation.

They could also create an invoice that closely copies real invoices already sitting in the executive’s inbox.

Whaling vs CEO Fraud

A lot of industry sources and official reports use whaling and “CEO fraud” interchangeably. Although they overlap, they are not the same thing.

Whaling targets a C-level executive, or other personnel in high positions of a company.

CEO fraud is a specific method of phishing, where the attacker spoofs the identity of a C-level executive to manipulate other executives, senior staff or employees into taking action.

It exploits the authority of the executive-to-employee dynamic.

So whaling is not always CEO fraud. A whaling attack can also come from an attacker impersonating an external authority: a government body, a bank, a regulator, or a law firm.

The target in whaling is still always a high-value individual in a company or organisation, and the spoofed identity comes either from outside the company or from inside, through impersonation of a C-level executive.

The distinction matters: whaling is not always CEO fraud, and CEO fraud can target anyone within an organisation, not just high-level executives or staff in positions of power.

Reporting on Whaling

It is tough to find accurate data on BEC and whaling that distinguishes between the two and gives actual figures.

Most reports use “BEC” (Business Email Compromise) as the umbrella term. But they often don’t break it down further by stating whether a C-level executive was impersonated to launch an attack, or whether the C-level executive was the target.

Bitsight.com discusses whaling and the reason why whaling incidents often go unreported. This is easy to understand: companies fear the damage to their reputation if such information is released.

However, under certain government regulations, some companies and government agencies are required to report cybersecurity incidents, including whaling. And sometimes a company or organisation comes clean simply because the likelihood of the incident leaking is high anyway.

With this in mind, we will review the example below, where an executive is the target of a whaling attack: a pure whaling attack, not CEO fraud. After that scenario we will look at CEO fraud. There is often overlap between the two.

Kaspersky’s definition of whaling

When sites like Kaspersky mention whaling, they are primarily talking about the following scenario. But they also loosely include scenario 2 of the following section in whaling attacks.

It’s often a mix of both. A hacker impersonating a government official to target a C-level executive is whaling. But a hacker impersonating a C-level executive or another important employee to target a C-level executive in the same company is also considered whaling.

Scenario 1: An Executive Is The Victim (Whaling)

In 2020, Levitas Capital co-founder Michael Fagan received what appeared to be a legitimate Zoom invitation. Unfortunately, the link installed malware on his device and gave hackers access to Levitas’ email infrastructure.

That malware had been installed was not apparent at the time.

The hackers monitored the compromised mailbox and used the information at their disposal to make educated guesses and build an elaborate phishing attempt.

Debevoisedatablog describes it in detail:

“On September 15, the cyber criminals posed as a representative of the firm and emailed Apex, the fund’s administrator, an invoice asking Apex to transfer $1.2 million to a Unique Star Trading account at ANZ, an Australian bank. The administrator called Fagan to verify the transaction, but he was at the gym and said he would be in touch. The hackers – who now had access to Fagan’s emails – sent one to Apex approving the transfer. The $1.2 million was sent the next day to the Unique Star account at ANZ. Between September 16 and 26, almost $800,000 was allegedly withdrawn from that account by Muhammad Bhatti, the sole shareholder of Unique Star, in 66 transactions.”

A week later, before Levitas had understood the situation or how to handle it, the hackers struck again. On September 22, they sent another fake invoice, which resulted in $2.5 million being sent to another account.

On September 23, Michael Fagan reviewed Levitas’ bank accounts and noticed that about $8 million was missing. They were able to limit the damage somewhat: $7.5 million was recovered, but the $1.2 million and $800,000 from the earlier incidents was lost.

All of this led to Levitas’ largest institutional client withdrawing, and it also cancelled a planned $16 million investment.

What made this scam work came down to the following. The hackers:

  • Successfully phished the co-founder
  • Silently gained access to Levitas’ email system
  • Educated themselves before they initiated the fraud
  • Used the compromised email account of the co-founder to approve transactions

The result? The fund shut down entirely afterwards.

Scenario 2: An Executive Is Impersonated to Then Target An Employee or Executive (aka CEO Fraud)

The following is an example of a real-world “whaling” phishing email that was effective.

The business in question, The Scoular Company, lost a total of $17.2 million that was sent to offshore accounts. The attackers impersonated the CEO of the grain industry giant and targeted a senior accounting officer.

WEI publishes the contents of the email and details surrounding it. This was the whaling email:

“For the last months we have been working, in coordination and under the supervision of the SEC, on acquiring a Chinese company… This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations.”

To make the request persuasive, the email combined isolation (“only communicate with me through this email”) with a claim of legitimacy (“in order for us not to infringe SEC regulations”).

The recipient went further still and called the fake telephone number, where he discussed the deal with a fake accountant who was working with the hackers.

Who Are the Targets of Whaling Attacks?

Whaling attacks don’t cast a wide net. They are precise, researched, and aimed at people who can move money, access sensitive data, or open doors into an organisation’s systems.

According to IBM, the targets are specifically those who can authorise large payments or release sensitive information without requiring approval from others.

These are often:

  • CEOs
  • COOs
  • CFOs
  • CTOs
  • Co-founders
  • Certain staff of the IT department
  • Certain staff of the HR department

CEOs as a Target

The CEO is the most commonly targeted executive in whaling attacks. The reason is straightforward: their position alone carries enough authority. They can often perform important actions themselves.

They can authorize or initiate six-figure wire transfers or approve payments.

Whether the CEO is impersonated or targeted doesn’t matter; either of the two often leads to the same result.

COOs and Operations Leaders as a Target

The COO sits directly below the CEO and is responsible for the day-to-day running of the business. They oversee departments, manage internal workflows, and coordinate across the entire organisation.

That makes them a valuable target.

An attacker impersonating a COO can insert themselves into ongoing business operations.

A directive about a process change, an internal policy update, or an instruction to a department head: all of these carry weight when they appear to come from the person running daily operations.

CFOs and Financial Personnel

CFOs are arguably the most valuable target. They have direct authority over wire transfers, payment approvals, and financial systems.

Kaspersky notes that whaling attacks frequently impersonate or target finance leaders specifically because they can approve large transactions independently.

Controllers, treasurers, and accounts payable managers are targeted too. These are often senior financial staff.

Basically: anyone whose job involves moving money may be targeted. The attack doesn’t need to reach the top if someone slightly below can authorise the same transfer.

HR Directors

HR is a less obvious target, but an equally damaging one.

HR manages payroll records, tax filings, bank account details, national identification numbers, and employment contracts for every employee.

Successfully phishing HR personnel may lead to that information being sold, identity theft, tax fraud, and extortion, among other outcomes.

A single successful attack on HR staff can expose a company and extract extremely sensitive data.

IT Administrators

IT administrators are targeted for a different reason entirely. They don’t necessarily control money, but they do control access.

If an attacker manages to compromise one of the high-ranking IT accounts in an organisation, the consequences can be severe.

If the compromised account holds administrative permissions in, say, Microsoft 365, the attacker can change settings that should never be touched.

For example, email forwarding rules: attackers set up silent forwarding rules so that every email an executive receives is also sent to an attacker-controlled address. This type of setting can fly under the radar.

Multi-factor authentication settings: they add their own phone number or authenticator device as a trusted MFA method. Now even if the password is reset, they retain access.
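Both of the changes just described (hidden forwarding and an extra MFA method) are visible to an administrator who looks for them. The script below is an added example for Microsoft 365, not code from the article; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator has already run Connect-ExchangeOnline and Connect-MgGraph with the UserAuthenticationMethod.Read.All scope, and that the executive addresses in $Executives are placeholders to be replaced.

```powershell
# Added example (not from the article): audit executive mailboxes for hidden
# forwarding and list each account's registered MFA methods.
# Assumes: Connect-ExchangeOnline and
#          Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"
# have already been run. Addresses below are constructed placeholders.
$Executives = @("ceo@example.com", "cfo@example.com")

foreach ($upn in $Executives) {

    # 1. Mailbox-level forwarding set by an admin, outside the user's own rules
    $mbx = Get-Mailbox -Identity $upn
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $target = if ($mbx.ForwardingSmtpAddress) { $mbx.ForwardingSmtpAddress } else { $mbx.ForwardingAddress }
        Write-Warning "$upn : mailbox-level forwarding to $target (DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward))"
    }

    # 2. Inbox rules that forward or redirect; rules that also delete the original are the quietest
    Get-InboxRule -Mailbox $upn | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
    } | ForEach-Object {
        $dest = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join ", "
        $flag = if ($_.DeleteMessage) { " (deletes the original)" } else { "" }
        Write-Warning "$upn : rule '$($_.Name)' (Enabled=$($_.Enabled)) forwards to $dest$flag"
    }

    # 3. Registered authentication methods: compare against what the user is known to own
    Get-MgUserAuthenticationMethod -UserId $upn | ForEach-Object {
        "{0} : MFA method {1} (id {2})" -f $upn, $_.AdditionalProperties['@odata.type'], $_.Id
    }
}

# 4. Tenant-wide: any remote domain that still permits automatic forwarding to the outside
Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled } |
    Select-Object DomainName, AutoForwardEnabled
```

Run it on a schedule and diff the output against the previous run: a new forwarding destination or a new authentication method on an executive account is the signal to investigate, and disabling AutoForwardEnabled on the default remote domain removes the forwarding path entirely.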

Why Does It Target Them?

Every role on this list shares one thing: access.

Access to money, access to data, or access to systems.

CEOs and COOs have the authority to make decisions that are not questioned by anybody.

CFOs and financial staff can move large sums with minimal friction. HR directors hold the personal and financial details of every person in the organisation. IT administrators hold the keys to the infrastructure itself.

By the time most organisations detect the breach, the attacker has been inside for weeks.

They don’t rush. They watch, they learn, and they strike when the timing is right.

Whaling Phishing Is Also Known As

Whale phishing is also known as whaling, CEO fraud, executive phishing, spear phishing, and BEC.

These terms are not interchangeable, but there is significant overlap, largely because the industry has never agreed on a single definition.

Whaling is the most precise term: it describes an attack where the target itself is a senior executive. CEO fraud and BEC are broader categories that whaling falls under.

When you see these terms used interchangeably in the press or in security reports, they are usually referring to the same category of attack — just viewed from a different angle.

Is Whaling the Same as Business Email Compromise (BEC)?

BEC stands for Business Email Compromise. The FBI counts attacks as BEC when attackers use email to target anyone within an organisation or company: in short, whenever anyone in an organisation is targeted via email for fraud.

The FBI does not report whaling losses separately from BEC. Whaling incidents are counted within the broader $3.04 billion BEC figure from 2025. But because companies often don’t disclose whether a C-level executive was the direct target, the true share attributed to whaling specifically remains unknown and is often estimated.

So whaling is a part of BEC incidents, but a smaller part. However, as mentioned before, official reports don’t distinguish whether the target was C-level or not. The biggest share of BEC incidents is attributed to spear-phishing: highly personalised messages that target someone within an organisation, often employees.

As you can imagine, that does not take away from the dangers of whaling, or from the enormous financial damage it can do to a company.

When Whaling Attacks Succeed: Real Executives, Real Losses

This case is mentioned in public records. It is a great example of a successful whaling attack and of how it can trick people with a great pedigree, prestige and business acumen.

Moreover, very successful and established companies fall for whaling.

Ubiquiti Networks Inc.

This article by CSOonline has a great breakdown of this whaling incident.

There are details about the fraud incident which happened in 2015. CSOonline states the following:

“In its Form 8-K filings to the SEC the company stated it became aware on June 5th 2015 that it was the victim of a “criminal fraud”. It appears a member of staff in one of its subsidiary companies based in Hong Kong fell victim to what is known as a “CEO scam” or a “Business Email Compromise (BEC) attack.”

Then they describe the methodology the hackers used:

“The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.”

Cybercriminals Only Impersonate C-level Executives Like The CEO in Whaling Attacks: True or False?

False.

As stated earlier in the article, cybercriminals can impersonate C-level executives to target other C-level executives in whaling attacks. But that is more commonly known as CEO Fraud.

But it is not a prerequisite. Hackers can also impersonate banks, legal bodies, or any authoritative organization to target those executives: that’s still whaling.

At any rate, a whaling attack requires a considerable amount of planning, effort, and research on the part of the hacking team when targeting “big fish.”

So the precise definition of whaling is somewhat fuzzy. But cybersecurity specialists generally talk about phishing attempts targeting C-level executives as whaling.

But even then, how security agencies like Kaspersky define whaling differs from other authoritative companies in the industry.

For more information about how to prevent and avoid phishing, please read our comprehensive guide: How to Avoid Phishing Scams: A Step-by-Step Guide.
