How safe is your CEO? A look at ‘whaling’ and ‘spear phishing’

Criminals are launching targeted online attacks against high-value individuals. What can they do to stay safe?

How safe is your CEO? A look at ‘whaling’ and ‘spear phishing’
How safe is your CEO

Johannesburg, 27 June24: Most cyberattacks are opportunistic. Much like a mugging on a dark street, it doesn’t matter who the victim is as long as the perpetrators gain something out of their crimes. However, a growing number of these attacks are designed to target specific people, such as CEOs, Directors, Board Members, CFOs, IT administrators, and wealthy individuals. Known as “spear phishing” and “whaling”, these attacks are designed to target a specific person and their circle of trust.

One of South Africa’s wealthiest individuals was recently the target of a “whaling” attack. Magda Wierzycka, founder and CEO of investment house, Sygnia, revealed that scammers had conned call centre agents at her insurance provider to hand over valuable personal information, including her home address, phone number, and ID number.

She’s not alone – the details of nineteen clients were stolen during that attack campaign. Nor is it an isolated phenomenon. In 2016, a Belgian bank lost over $75 million when criminals “whaled” the bank’s CEO. Money isn’t always the object, such as a 2021 attack on a UK rail operator where a criminal gang hijacked the director’s email account, using it to spam employees and media that they had successfully hacked the service.

Media reports are referring to these attacks as “whaling” and “spear phishing”. What specifically are these attacks? And who do they target? Could your CEO be next?

Spear phishing and whaling explained

“Spear phishing and whaling are very targeted attacks,” explains Gerhard Swart, Chief Technology Officer at cyber security company, Performanta. “Phishing is when you use impersonation to con a target, usually to get them to install dangerous software or give up sensitive information like passwords. This can also be called social engineering, though phishing typically happens over email, chat messages, or a phone call. Either way, it’s when someone impersonates a trusted individual so they can gain access to sensitive information or areas.”

Swart says that whaling and spear phishing are branches of phishing. “Spear phishing is targeted phishing. The criminals do research and design their attack to target a specific person. For example, they might fake correspondence from your child’s school to con you into giving up certain information. They might say they are updating their parent records, so can you please supply a new photo and your ID number.”

Spear phishing attacks typically target people with access to funds or sensitive information, and aim to confuse them into making a mistake, such as installing software that allows the criminals to spy on them, capturing details like bank profile numbers and passwords. Whaling is the same tactic but targets high-worth individuals.

“Here’s how to tell the difference. If an email pretends to be from someone it’s not but is very generalised, that’s phishing. If the email was designed to target a specific person by using details only applicable to them, that’s spear phishing. And if the person is being targeted for their wealth and assets, that’s whaling,” says Swart.

Who is in danger?

Phishing is a very common attack. According to the European Cybercrime Centre, 65% of attack groups use the tactic as their primary method. As online information on people becomes more available, criminals increasingly target wealthy individuals, high-level executives, employees with access to valuable data (such as finance, accounting, human resources, and IT departments), and individuals with privileged access, such as personal assistants and systems administrators. Certain industries, such as financial services, healthcare, and government agencies, are also preferred targets.

“The main thing to understand about spear phishing and whaling is that these attacks require more planning and preparation,” says Swart. “If someone has special access to systems and information, they are more likely to be a target. But the people around them can also be targets. Advisors, assistants, even people’s children have been targeted in attempts to get closer to the main victim.”

How can potential victims keep themselves safe from spear phishing and whaling attacks?

  • Know your risks: Every company should analyse its organisational chart and identify which people will most likely be targets. They should receive additional security training, and security systems should add measures to protect them. Their devices should also be subject to more stringent security features. People close to them, such as assistants, should also be considered for heightened security training and protection.
  • Be aware of urgent and demanding messages: The primary goal of phishing attacks is to get the target to respond without thinking, often by tailoring messages that sound very urgent and demand immediate action. Always take a moment and re-read the message, especially if it’s asking for information or to make a transaction. Don’t click on links or attachments inside emails demanding immediate action, and scrutinise supplied bank details for any changes.
  • Check the email address: If uncertain about a message, check the email address or phone number. Scammers often use addresses that look similar to official addresses but might be spelt differently or use punctuation changes.
  • Scrutinise strange requests from trusted accounts: Criminals might hack a trusted person’s communications, such as their email account, then send a request to their intended target. If you receive correspondence that doesn’t sound like the person claiming to send it, contact them via another channel to check if they sent it.
  • Get security training for yourself and others: Humans can be the weakest link in security. But we are often also the strongest defence because we can use awareness and common sense to spot an attack. Get training on security basics for yourself and the people you trust, which will significantly frustrate efforts to breach your circle of trust.
  • Invest in security services: Even if criminals manage some level of breach, integrated security can stop them. Invest in anti-phishing, threat-detection, and zero-trust services, which can flag strange messages and stop malware and ransomware infections from spreading.

One of the best ways to mitigate the risks of spear phishing and whaling is to work with a managed security service. This type of service provides a range of security systems, skills, and insights that integrate with business systems and help spot suspicious behaviour before it becomes damaging.

“I often tell clients to think of it this way: their business is not security, yet the business of online criminals is to find a way around security measures,” says Swart. “It’s always best to have a reliable and experienced security provider in your corner. We make it our business to study what the criminals get up to and then counter that. At the end of the day, they want a soft target. It’s our job to make them look elsewhere for their next payday.”


Performanta was founded in 2010 and has over 150 staff worldwide, including former CIOs/CISOs from large enterprises. It has a global footprint with a team of 80 analysts working in two SOCs, helping to secure customers across 50 countries, from offices in the United Kingdom, Australia, Germany, South Africa and the USA. Performanta offers a consultative approach to people, process and technology, focusing on security projects in line with adversarial, accidental and environmental business risk. With a holistic cybersecurity view, we understand the modus operandi of the perpetrator and accordingly build an intelligent defence mechanism to make customer environments less susceptible to attacks.

Press Contact:

Mantis Communications

Kerry Simpson

Tel: 079 438 3252

Email: [email protected]