14.05.2026
Giedrius Ališauskas

The $100 Million Email: Why Whaling Attacks Bypass the Cyber Security Stack

Between 2013 and 2015, a Lithuanian citizen was involved in a business email compromise scheme that led two major US technology companies to transfer more than $120 million to accounts under his control.

The method was not technically complex. The attackers used fraudulent invoices, familiar supplier details and convincing communication to make the requests look legitimate.

This is what makes social engineering so effective. Attacks such as spear phishing and whaling do not always need malware or system vulnerabilities. They exploit trust, routine and pressure.

What Is Spear Phishing?

Phishing attacks are usually broad and untargeted. They are sent to many people in the hope that someone will click a link, open an attachment or share sensitive information.

Spear phishing is more targeted. The attacker chooses a specific person or organisation, researches them and creates a message that looks relevant and credible.

This might be an email that appears to come from a known colleague, trusted supplier or company manager. It may include the right name, title, context or project reference. Because the message feels familiar, the recipient has fewer reasons to question it.

What Is Whaling?

Whaling is a form of spear phishing that targets senior decision-makers, such as CEOs, CFOs, board members or other executives.

These people often have access to sensitive information, financial approvals or important business decisions. That makes them valuable targets.

Whaling emails may impersonate lawyers, regulators, board members, suppliers or other senior colleagues. They often involve requests for payments, confidential documents, employee data or login credentials. The message is usually framed as urgent, confidential or part of a routine executive-level process.

How a Whaling Attack Unfolds

Understanding the anatomy of a whaling attack helps explain why they are so difficult to detect. Here is how a typical attack unfolds:

1. Research and target selection

The attacker starts by gathering publicly available information. This may include company websites, LinkedIn profiles, press releases, financial reports, event recordings or media interviews.

From this, they identify the right target and learn how the organisation communicates. They may look for reporting lines, supplier relationships, recent business activity or upcoming transactions.

In some cases, attackers may also call the company while pretending to be a client, partner or service provider to collect additional details.

2. Crafting and launching the attack

Using the information gathered, the attacker creates a message that fits the target’s real working context.

The email may include correct names, job titles, company details and a plausible reason for the request. It often asks the recipient to act quickly, such as approving a payment, sharing documents or entering credentials.

The goal is to make the request feel normal enough that the recipient follows the process without questioning it.

3. Using the result

Once the target responds, the attacker may gain access to money, systems or sensitive data.

In some cases, the incident is discovered quickly. In others, it may take months to identify what happened. IBM’s 2025 Cost of a Data Breach research found that, on average, organisations took 241 days to identify and contain a breach.

How AI is Changing Social Engineering

The Google and Facebook fraud relied on patient preparation, supplier impersonation and convincing invoices. Today, AI tools can make some parts of social engineering faster and more convincing.

A well-known example is the 2024 Arup case, where an employee in Hong Kong was reportedly deceived during a video call with AI-generated versions of senior colleagues. Around $25 million was transferred before the fraud was discovered.

This does not mean every organisation will face deepfake video scams. But it does show that visual and audio cues are becoming less reliable on their own.

A familiar face on a call, a recognisable voice or a well-written email should no longer be treated as proof of identity. For high-risk actions, process must matter more than instinct.

How to Protect Your Organisation

Having worked in IT and information security in the region for more than 35 years, we have watched the attack surface shift from technical exploits to human ones.

The defences that worked a decade ago still matter, but they no longer address the most expensive attacks. There is no single technological solution that fully protects against whaling. Because these attacks exploit human judgment rather than system vulnerabilities, the most effective defences are behavioural and procedural.

At an individual level

Before acting on any email requesting sensitive information or financial transfers, pause and verify through a separate channel – a phone call, not a reply email. Attackers often monitor compromised inboxes and can intercept responses.

Check the sender's email address carefully, not just the display name. A name can be spoofed easily; the underlying address is harder to fake convincingly. Similarly, hover over any links before clicking, because the visible text and the actual destination are often different.

Be particularly cautious with emails that create urgency. Pressure to act quickly and quietly is a common manipulation tactic designed to bypass rational judgment.
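The three individual-level checks above (display name versus real sender domain, visible link text versus actual destination, and urgency or secrecy language) can also be automated as a first-pass triage rule. The script below is an added example written for this article; it is not code from the original post or from Baltic Amadeus. It assumes a hypothetical organisation domain `example-corp.com` as the only trusted sender domain, and both messages it inspects are constructed samples, not real emails.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name reads like the CFO, but the address sits on a
# look-alike domain ("examp1e" with a digit one), and the visible link text does
# not match the real href. Not a real message.
SAMPLE_EMAIL = """\
From: "Anna Petrauskiene (CFO)" <anna.petrauskiene@examp1e-corp.com>
To: finance@example-corp.com
Subject: Urgent wire - confidential
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please process the attached supplier payment today and keep this between us.</p>
<p>Invoice portal: <a href="http://portal.examp1e-corp.com/login">https://portal.example-corp.com</a></p>
</body></html>
"""

# Constructed benign sample from the genuine domain, used as a control.
CLEAN_EMAIL = """\
From: "Anna Petrauskiene" <anna.petrauskiene@example-corp.com>
To: finance@example-corp.com
Subject: Q3 budget review notes
Content-Type: text/plain; charset=utf-8

Attached are the notes from yesterday's meeting. No action needed.
"""

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: the organisation's own domain(s)
URGENCY_TERMS = ("urgent", "immediately", "confidential", "keep this between us")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, lower-cased, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def domain_of(addr):
    """Domain part of an email address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender check: compare the real address domain, not the display name,
    #    against the trusted list, and flag near-misses as look-alike domains.
    display, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = domain_of(addr)
    if sender_domain not in TRUSTED_DOMAINS:
        note = f"sender domain {sender_domain!r} is not trusted (display name {display!r})"
        for trusted in TRUSTED_DOMAINS:
            if difflib.SequenceMatcher(None, sender_domain, trusted).ratio() >= 0.8:
                note += f"; looks like a near-copy of {trusted!r}"
        findings.append(note)

    # 2. Pressure check: urgency or secrecy wording in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    haystack = str(msg["Subject"] or "").lower() + " " + text.lower()
    hits = [term for term in URGENCY_TERMS if term in haystack]
    if hits:
        findings.append("urgency/secrecy language: " + ", ".join(hits))

    # 3. Link check: visible text that looks like a URL but whose host differs
    #    from the host the href actually points to.
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for href, visible in collector.links:
            if visible.startswith(("http://", "https://")) and host_of(visible) != host_of(href):
                findings.append(f"link text shows {host_of(visible)!r} but points to {host_of(href)!r}")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(f"{label}: {analyse(raw) or 'no findings'}")
```

Run on the suspicious sample it reports all three issues; on the clean control it reports none. The rule is deliberately simple (exact trusted-domain match, a similarity threshold for look-alikes, a short phrase list), so it is a triage aid that feeds the out-of-band verification the article recommends, not a replacement for it.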

At a company level

Establish clear procedures for financial transfers and sensitive data access – requiring multi-person approval that no single email can override, regardless of its sender.

Implement two-factor authentication across systems and ensure that IT security training is conducted regularly and includes realistic simulations of phishing and whaling attempts.

Finally, define and enforce an information disclosure policy. The less publicly available information about your organisation's structure and processes, the harder it is for attackers to build a convincing profile.

Awareness is the first line of defence. Understanding how these attacks are constructed, and building processes that don't rely solely on individual judgment, is what separates organisations that recover quickly from those that take many months to discover a breach at all.

Final Thoughts

Whaling attacks work because they target trust, not only technology.

As attackers use more convincing emails, fake identities, voice cloning and deepfakes, organisations need procedures that do not rely on individual judgement alone.

Awareness is important, but it is not enough. The real protection comes from combining awareness with clear approval processes, secure communication channels and a culture where verification is expected.

If you want to strengthen your organisation’s protection against phishing, whaling and other social engineering risks, Baltic Amadeus can help assess your current practices and provide practical guidance.

These attacks will only grow more sophisticated as AI tools mature. If you'd like to discuss where your organisation's defences stand today, and what they should look like a year from now, get in touch.
