What Is Executive Phishing? (How to Protect Against Whaling)

Phishing is costing companies billions of dollars, but executive phishing can make these attacks even more costly because of who the attackers are spoofing.

What is executive phishing? Executive phishing is a type of phishing attack where hackers impersonate executives via email and attempt to get employees to transfer money or private information to them.

What Are Spear Phishing and Whaling?

It’s hard to overstate how prevalent and effective phishing is as an attack vector. According to a report from Proofpoint, security professionals and businesses worldwide reported that up to 83% of organizations suffered successful email phishing attacks in 2021. The same report shows that 79% of these organizations reported suffering spear-phishing attacks and 77% reported facing business email compromise attacks.

Hackers understand that the weakest link in cybersecurity is the human element. Unfortunately, this issue seems to be somewhat universal, as phishing attacks aren’t typically limited to mass mailings.

What, exactly, is executive phishing? Understanding this concept means understanding what phishing is and how it works.

Generally speaking, there are a few broad categories of phishing attacks:


Phishing

Phishing is social interaction through email, text, or other communication methods that convinces the victim to provide sensitive information about their security, typically login credentials. These attacks vary in sophistication and effectiveness, but their relatively inexpensive delivery mechanisms and disproportionate payoffs for success mean that even small success rates can lead to massive security breaches.

Spear Phishing

A step up in sophistication from general phishing, spear phishing is a narrower form of phishing that focuses on higher-profile targets, usually those ranked higher in organizations with (theoretically) more access to and control over the IT system.


Whaling

Whaling, also called whale phishing or executive phishing, targets top-level executives with phishing attacks to gain access to critical systems or trick them into transferring large sums of money.

As attackers move up the hierarchy, the general (and false) understanding is that phishing attacks become much harder to launch successfully. However, as security experts and executives are learning, sufficiently persuasive phishing attacks can convince many executives to part with information or money.

Consider the following examples:

  • Snapchat: A 2016 attack on the social media platform started with a fake email claiming to be from the chief executive officer, which fooled the HR department into providing private payroll information to the hackers.
  • Mattel: In 2017, a finance executive with the company received what they believed was an email from the new CEO requisitioning a massive financial transfer to a group of hackers. Mattel ended up losing almost three million.
  • FACC: Australian aerospace company FACC lost approximately $58 million when its CEO fell victim to a phishing attack. He was fired shortly thereafter.

Executive phishing is a massive draw to sophisticated hackers because an executive can fall prey to false information as easily as any other employee.

What Are Some Types of Executive Phishing Attacks?

Hackers target executives through more sophisticated means than general email spam. Coordinated attacks from different media and business accounts help them trick unsuspecting executives into interacting with fraudulent links or requests.

Some of the more common types of whaling attack vectors include the following:

  • Business Email Compromise: An executive may not necessarily respond to general emails pretending to be a third-party company. They often will respond to emails that appear to come from someone important within their own company or a partner organization.

BEC happens when a hacker spoofs or outright gains access to an email account and uses that to masquerade as a legitimate employee or executive. Other executives who aren’t on alert for potential phishing attacks may see any request originating from the account as legitimate.

Following this, the executive might take steps that would seem normal otherwise. However, unlike general phishing, the attacker may take advantage of the executive’s willingness to transfer money or fulfill fake invoices.

  • Invoicing: Alongside general BEC, hackers can lift branding and information from companies known to partner with enterprise clients and send fake invoices to executives in those companies. In many cases, if the companies handle invoicing mainly through a digital platform where the hackers can provide a fulfillment link, they can fool a financial executive working through end-of-month accounting.
  • Video Communication Platforms: Hackers have begun to leverage common software platforms to broaden phishing attempts, and these attempts are often more effective on executives due to their relative novelty.

Executives on a shared video platform like Microsoft Teams, Skype, or Zoom are easy to find if the hacker has access to the platform’s directory, and the hacker can easily pretend to be someone else on that platform to request wire transfers or login credential confirmations.

  • Executive Social Engineering: A hacker with the right access doesn’t need to fool a single executive. They can leverage accounts to create compelling digital personas related to existing executive credentials, trick several important members of an executive committee or their associated offices, and so gain access to several layers of company infrastructure.

How Can I Protect Myself Against Executive Phishing?

Perhaps unsurprisingly, the best way to avoid executive phishing fraud is remarkably similar to preventing all phishing attacks. Awareness, IT modernization, and cultivating a culture of security and technical intelligence all play a part in prevention.

Some of the key areas to focus on to prevent executive phishing include the following:

  • Education: Everyone, including executives, must know how to avoid these attacks. This includes understanding how to see warning signs related to breached accounts, knowing what other executives will and will not ask for, and sharing information with other executives when suspicious activity is detected.
  • IT Warning Systems: Services like email can be configured to include warnings when emails come from outside the organization or from specific domains. These warnings can help recipients, including executives, pause before completely believing in a fake email.
  • Robust Identity Proofing and Authentication: While identity proofing and authentication aren’t enough to prevent all phishing attacks, they can make it much harder for hackers to leverage low-hanging fruit. No identity system can stop an executive from transferring money if they want to. Still, it can prevent hackers from accessing executive accounts when they lack necessary credentials related to multi-factor authentication or identity proofing.
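The warning banners described under IT Warning Systems, together with the executive impersonation described under Business Email Compromise, can be sketched as a small mail-filter step. This is an added example, not code from the original article or from 1Kosmos; the domain list, the executive roster, the label names, and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: the organization's mail domains and executive roster.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"dana whitfield": "dana.whitfield@example.com"}  # constructed name

def classify(raw: str) -> list[str]:
    """Return warning labels for one RFC 5322 message.

    The From header is trusted as-is, so run this after the gateway's
    SPF/DKIM/DMARC checks, which are what catch a forged internal sender.
    """
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    labels = []
    if domain not in INTERNAL_DOMAINS:
        labels.append("EXTERNAL")
    # Display name of an executive on an address that is not theirs.
    known = EXECUTIVES.get(" ".join(name.lower().split()))
    if known and addr.lower() != known:
        labels.append("EXEC-NAME-MISMATCH")
    # Replies would go to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        labels.append("REPLY-TO-DIVERGES")
    return labels

def tag(raw: str) -> str:
    """Return the message with any warning labels prefixed to its Subject."""
    msg = message_from_string(raw)
    labels = classify(raw)
    if labels:
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"[{', '.join(labels)}] {subject}"
    return msg.as_string()

# Constructed sample messages (reserved example domains).
SAMPLES = {
    "spoofed_ceo": "From: Dana Whitfield <dana.whitfield@example.net>\n"
                   "Reply-To: accounts@example.org\n"
                   "Subject: Urgent wire transfer\n\nPlease process today.\n",
    "internal": "From: Dana Whitfield <dana.whitfield@example.com>\n"
                "Subject: Board agenda\n\nSee attached.\n",
    "vendor": "From: Billing <billing@example.net>\n"
              "Subject: Invoice 1042\n\nInvoice attached.\n",
}
```

Calling `classify` on each entry of `SAMPLES` shows the three cases side by side: the impersonation message collects all three labels, the genuine internal message none, and the ordinary vendor message only the external tag.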

Fight Executive Phishing with Strong Identity Management

Few personnel have the same level of access as a CEO, which makes it much harder to prevent executive phishing. However, your organization can ensure that access, identification, and authentication all play a role in preventing the spread of phishing attacks.

1Kosmos provides the right combination of multi-factor authentication methods (including biometrics), decentralized identity management, and user experience to promote real identity and authentication services that can prevent phishing attacks. Some of the features supporting this include the following:

  • Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
  • Interoperability: BlockID readily integrates with a standard-based API to operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.
  • Privacy by Design: 1Kosmos protects personally identifiable information in a private blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification.

If you’re looking to shore up your authentication and identification systems to prevent hacks, phishing, and whaling attacks, then learn more about the topic with our Secure Workforce Access and Strong Identity Proofing Webinar. Also, sign up for our newsletter for updates on 1Kosmos products and services.

Meet the Author

Robert MacDonald

Vice President of Product Marketing

Robert is the Vice President of Product Marketing at 1Kosmos. He is a highly influential senior global marketer with more than 15 years of marketing experience in B2B and B2C software in the biometric authentication space. Prior to 1Kosmos, Rob managed product strategy and vision for the Identity and Access Management portfolio at Micro Focus, leading a team of product marketers to drive sales and support the channel. Earlier in his career he set the foundation for content planning, sales enablement and GTM activities for ForgeRock. He has also held senior marketing positions at Entrust, Dell, Quest and Corel Corporation.