
Call Me Ishmael – All About Whaling Scams


  • Published on: March 29, 2022

“Whaling” is the term for social engineering attacks that masquerade as legitimate emails and are designed to get senior executives to reveal sensitive information. Fraudsters and cybercriminals can use the extracted information to extort their victims, often deceiving them into providing even more confidential or personal data. Whaling attacks have risen sharply and are expected to keep rising. According to the FBI, these attacks resulted in more than $12.5 billion in losses during 2021 alone.

The difference between whaling and phishing is that whaling exclusively targets high-ranking individuals within an organization.

Examples of Whaling in Action

The first step in a whaling attack is research. Attackers use every resource they have to learn about the people they want to impersonate and their work environment. They check social network profiles, which are goldmines of information and insight that can later be used to make their attack attempts appear more legitimate.

The email addresses the criminals use will also seem authentic, and the message might include corporate logos and links to a fraudulent website that has been created to look real. The emails often sound urgent, usually asking people to quickly reply with certain information, open an attachment, pay an invoice, or enter personal information on a fake website. The information may then be used to enter networks, steal data, or install software that lets the attackers maintain access to the network and monitor communications.

Whaling Has Consequences

All sorts of future opportunities can be impacted because of whaling attacks, with consequences such as:

  • Financial Loss: If employees take the bait, it could result in cybercriminals stealing significant amounts of money. Of course, there is also the possibility of fines for data breaches and of lost profit from potential customers.
  • Data Loss: Since cybercriminals are also trying to obtain data from a whaling attack, sending sensitive information to them is considered a data breach, which results in huge fines due to GDPR regulations.
  • Disruption: Dealing with the consequences of such an attack is not easy. Organizations will have to shift focus from making progress toward their goals to notifying customers and stakeholders about data breaches, taking security measures to ensure it won’t happen again, and recovering lost funds.
  • Brand Damage: No organization would enjoy the same level of trust from their customers and partners if an employee fell for impersonation fraud, especially if the result was a data breach.

So, What Can We Do?

The best way to protect VA from whaling scams is awareness. Here are some things to keep top of mind that can keep you safe from whaling:

  • Education: Everyone should know what social engineering attacks are and be able to recognize their signs.
  • Social Media Savvy: It’s best to keep all social media profiles private, enable multi-factor authentication, and verify every friend request that you receive.
  • External Emails: Spotting potential whaling messages might be easier if you flag all the emails sent from outside of VA’s network. Double-check any email that seems suspicious and use the “Report Phishing” button in Outlook to report all suspicious emails.
  • Confidentiality: If the message insists on keeping the information confidential, this could be a sign that it has come from an illegitimate source.
  • Urgency: If the message is trying to get you to act quickly, this can be a tell-tale sign of phishing or whaling; they want you to act without thinking or considering different options.
  • Drastic Consequences: Be suspicious if you’re given an ultimatum, such as the threat of legal action if you don’t transfer money immediately.
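
The warning signs listed above can also be checked automatically as a first-pass triage aid. The following is an added example, not VA code: the internal domain `example.org`, the phrase lists, and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: placeholder internal domain and illustrative phrase lists.
INTERNAL_DOMAIN = "example.org"
SIGNS = {  # one pattern per warning sign named in the article
    "confidentiality": r"\b(confidential|keep this between us|do not (share|discuss|tell))\b",
    "urgency": r"\b(urgent(ly)?|immediately|right away|as soon as possible|asap)\b",
    "drastic_consequences": r"\b(legal action|lawsuit|account will be (closed|suspended))\b",
}

def body_text(msg):
    """Return the decoded text/plain content of a parsed message."""
    chunks = []
    for part in msg.walk():  # walk() also yields a non-multipart message itself
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def whaling_signs(raw):
    """Return the names of the warning signs found in one raw email."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    flags = [] if domain == INTERNAL_DOMAIN else ["external_sender"]
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    flags += [name for name, pat in SIGNS.items() if re.search(pat, text)]
    return flags

# Constructed sample messages (not real mail).
SUSPICIOUS = """From: Pat Director <pat.director@example.net>
Subject: Urgent wire transfer

Please keep this confidential. Pay the attached invoice immediately,
or we will face legal action from the vendor.
"""
ROUTINE = """From: Sam Analyst <sam.analyst@example.org>
Subject: Q2 budget review

Agenda for Thursday is attached. No action needed before the meeting.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(label, whaling_signs(raw))
```

A message that raises several flags at once deserves a second look and a report; phrase matching alone will miss carefully worded messages, so it supplements the awareness steps above rather than replacing them.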

For more information and best practices on keeping yourself cyber-safe please visit:

Our commitment to digital and IT transformation is shaped by daily dedication to customer service and the close collaboration of our workforce, managers, and leaders. Ready to join us in improving Veterans’ care? Check out all current information and technology career opportunities on DigitalVA. You can also contact VA’s Office of the Chief Human Capital Officer at 512-326-6600, Monday thru Friday, 7 a.m. to 5 p.m. CST or by submitting a resume to


Page last updated on March 29, 2022

