What is whaling?

Just like actual fish, targets of phishing messages can come in all shapes and sizes. Even though anyone can receive phishing scams, there are some targets that could give a bigger payoff. They are what cyber criminals call whales: important, high-profile individuals like CEOs or other senior executives who are at a higher risk of phishing attempts due to their position. (We know, we know. A whale technically isn’t a fish. Just go with it.) "a whale, with envelopes and cringe face emojis"

Whaling attacks impact many Canadian companies each year. Here’s what you need to know to protect yourself, or the whale in your life, from falling for one.

Phishing, spear-phishing and whaling

For some reason, the world of cyber security is filled with oceanic metaphors, and it’s easy to get them mixed up. So, let’s clear the air (or water?) about what we’re talking about today:

Phishing is a type of cyber attack that uses emails, SMS (“smishing”) or other direct messaging to trick the recipient into sending sensitive information by pretending to be a legitimate source. Phishing attacks can result in anything from losing an account to having your money or identity stolen.

Spear-phishing is a specific type of phishing attack that uses targeted information made to sound like it’s coming from someone the recipient knows personally, like a co-worker.

Whaling is a type of phishing attack specifically aimed at a high-profile target, like a senior executive or a high-ranking government official. Since these types of targets are more likely to have access to confidential information, the stakes can be much higher than a generic phishing attempt.

Defending against whaling

Protecting yourself from a whaling attack isn’t all that different than protecting yourself from phishing attacks in general. But because the stakes are higher, cyber criminals are putting more work into these messages to trick you. So a phony message might be a little harder to spot.

Before acting on any message, stop and review it for signs of phishing:

  • Does the sender’s email address match who they say they are? Are there any extra letters or numbers in the address or domain name?
  • Does the formatting of the email seem incorrect? Are there spelling or grammar errors that you wouldn’t expect the sender to make? Small inconsistencies can tell you a lot about the legitimacy of a message.
  • Is the email using threatening language or asking you to do something right away? A false sense of urgency is a telltale sign of a phishing attack.

As a high-profile individual, there is likely more information on the internet about you than you might realize. Don’t be tricked by emails wishing you a happy birthday, asking how your vacation was or how your spouse is doing — personal information is not necessarily a sign of a safe sender.

If you’re ever unsure whether a message is legitimate or not, reach out to the sender via another method, like a phone call. It might seem like a pain at the time, but it could save you a lot of time and money in the long run.

Trust in your team

Any business is only as secure as its least cyber safe employee. Making sure employees at all levels are trained to spot a phishing attack is an essential part of keeping company secrets a secret.

If you have an executive assistant, they should be trained on how to identify phishing and whaling attempts as well. They’re your first line of defence in not falling for a phishing attack.


Phishing scams aren’t all about inheritance from foreign royalty and contest or lottery winnings. Sometimes, like with whaling, they’re a lot more subtle and difficult to spot. That’s what makes them so dangerous, and why you and your employees need to stay vigilant and keep an eye out for signs of phishing.

Phishing scams can happen to anyone — even to tech-savvy people or companies. Make sure you understand how cyber scams work and how you can spot the signs of a phishing campaign so you can keep yourself, your reputation and your organization safe.


Report a problem on this page

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, please contact us.

Date modified: