
Whaling – A very modern security issue

Lenny Wood warns of a new cyber threat

The goal of whaling is to trick someone into disclosing personal or corporate information


Someone is stealing your money. I do not mean the archetypal criminal taking your wallet in a crowded shopping centre. I mean highly trained, highly motivated cyber-criminals targeting your business and helping themselves to millions of pounds via spoofed email messages.

These highly focused messages target finance staff, encouraging them to expedite a payment to a supplier because the Managing Director or Chief Executive, away from the office, cannot do so themselves.

This new phenomenon has been dubbed “whaling” because the mark is one large target, as opposed to “phishing”, which seeks to defraud a larger number of smaller targets.

How is it done?

The attacker intercepts emails between companies and can freely read their content. Over many weeks or even months, the attacker learns to imitate the style and language of those sending and receiving the emails, then sends a bogus request for money that includes new bank account details for the transfer. Because the attacker knows a great deal about the target, the request appears genuine, and the money is very often transferred to the attacker's account.

An attacker can infiltrate a target in this way because standard email has no built-in means of verifying the email address of a sender or recipient. The displayed “To” or “From” name therefore need have no relation to the email address behind it.
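The two weaknesses described above (a display name that says one thing while the address behind it says another, and a request that pushes for a payment to new bank details) are exactly what a mail gateway or finance-team triage script can check for. The following is an added example, not code from the article or its author; it uses only the Python standard library and assumes a corporate domain of `example.com`, an executive display name of “Jane Doe”, and two constructed sample messages.

```python
"""Defender-side triage: flag display-name spoofing, lookalike domains,
diverted replies and payment-pressure wording in an email.
All domains, names and messages below are constructed for illustration."""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the organisation running the check.
TRUSTED_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}  # display names that are commonly impersonated
PRESSURE_PHRASES = ("urgent", "new bank account", "wire transfer", "out of the office")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_alike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True for a domain that is close to, but not equal to, the trusted one
    (e.g. one character substituted), using a simple similarity ratio."""
    return domain != trusted and SequenceMatcher(None, domain, trusted).ratio() >= 0.8


def inspect_message(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. The display name is an executive's, but the address behind it is not ours.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain != TRUSTED_DOMAIN:
        findings.append(f"display name '{from_name}' but sender domain '{from_domain}'")

    # 2. The sender domain is a near-copy of the corporate domain.
    if looks_alike(from_domain):
        findings.append(f"lookalike sender domain '{from_domain}'")

    # 3. Replies are diverted to a different domain than the one shown in From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain '{domain_of(reply_addr)}' differs from From domain")

    # 4. Payment-pressure wording in the subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        findings.append("payment-pressure wording: " + ", ".join(hits))

    return findings


# Constructed sample: a spoofed "CEO" request with a one-character-off domain.
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <accounts@mail-forwarding.invalid>
To: finance@example.com
Subject: Urgent supplier payment

I am out of the office and cannot approve this myself. Please send the
payment today to the supplier's new bank account details below.
"""

# Constructed sample: an ordinary internal message.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Quarterly figures

Attached are the figures we discussed on Monday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, inspect_message(raw) or ["no findings"])
```

Run as a script it reports four findings for the spoofed message and none for the legitimate one. The checks are deliberately header- and wording-based: they do not replace SPF, DKIM and DMARC, but they catch the display-name trick the article describes even when a message arrives from a domain the attacker legitimately controls.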


Many medium- and large-sized companies have been targeted by these attackers, losing over £520m between them since 2013. Snapchat is the latest high-profile victim, having revealed employee payroll information to an unknown attacker.

As with any scam of this type, the goal of whaling is to trick someone into disclosing personal or corporate information through various methods, most typically email correspondence.

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU.

The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect it will replace the Data Protection Directive (officially Directive 95/46/EC) of 1995.

The regulation was adopted on 27 April 2016. It enters into application on 25 May 2018 after a two-year transition period and, unlike a directive, it does not require any enabling legislation to be passed by national governments.

In 2016, telecommunications company TalkTalk were fined £400,000 by the ICO for failing to prevent a cyber-attack that took advantage of technical weaknesses in TalkTalk’s systems.

The attack gained access to 156,959 customer records including names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attack also gained access to bank account details and sort codes.

As whaling becomes part of everyday business life, can you afford not to take action to protect your business from this new threat?


Business Info Magazine & Site is Published by Kingswood Media 2022