Whaling Attacks in 2026: Why C-Suite Targeting Is the New Entry Point for AiTM Chains

Joshua Bass

In 2015, someone sent a single email to a finance executive at Mattel. It looked like it came from the company's brand-new CEO, who'd been in the chair for a few weeks. The ask: sign off on a $3 million payment tied to a Chinese acquisition. She approved it. The wire went out that day. Mattel only got the money back because the transfer happened to land on a Chinese banking holiday — pure luck bought the window to reverse it before the funds cleared.

No malware. No link. Nothing for a filter to flag. The email worked because whoever wrote it understood the texture of a leadership transition — the flux, the unfamiliarity, the way a brand-new CEO's requests don't yet have an established pattern to compare against. That's the case study the industry still teaches when it explains what whaling is.

Eleven years on, whaling hasn't gone anywhere. If anything it's gotten worse, and stranger. A finance employee at a multinational firm — this was reported widely in 2025 — joined what he thought was a routine video call with his CFO and a handful of familiar colleagues. He'd already flagged the original email request as off. But on the call, he saw the faces he expected. He heard the voices he expected. He authorized the transfer. Every single person on that call except him was a real-time deepfake, generated from public audio and video. Roughly $25 million walked out the door in the time it takes to run a status meeting.

That's the trajectory worth paying attention to. Our 2026 incident data tags whaling as increasing, and not because attackers found some clever new trick. It's because whaling has quietly become the entry point for something bigger — a chain that runs through AiTM phishing, voice cloning, video deepfakes, and account takeover, and every link in that chain starts the exact same way: convince one well-resourced person you're someone they already trust.

What follows is a breakdown of how these campaigns are actually built, why executives have become the preferred doorway into AiTM and account-compromise chains, what the regulatory floor now expects of organizations that get this wrong, and what it actually takes to build detection that reasons about intent instead of just matching signatures.

What Whaling Actually Is, and Why the Old Definition Doesn't Cover It Anymore

The textbook version hasn't changed much in a decade: a highly targeted spear-phishing attack aimed at senior executives and board members, people whose authority makes a single successful deception worth a lot of money. What's changed is who counts as a target, and what the attacker is actually trying to walk away with.

The old model went straight at the CEO or CFO. Ask them to authorize a transfer, or hand over information, done. The 2026 version casts wider. Executive assistants are now just as valuable a target — sometimes more so — because compromising an assistant's inbox hands an attacker a legitimate-looking platform to speak as the executive without ever touching the executive's real account. Helpdesk staff are targeted too, directly, because a convincing phone call to IT support can produce account access without a single email ever being sent.

The goal has shifted as well. Whaling used to exist almost entirely to extract one fraudulent wire. Increasingly it exists to get a foothold. A whaling email that harvests an executive's credentials — or talks an assistant into clicking through a calendar invite — can become the opening move in an AiTM session that captures a live authentication token after MFA has already cleared. Once that happens, nobody's impersonating the executive from the outside anymore. The attacker is inside, wearing the executive's actual, authenticated identity like a coat that fits.

The Pattern Behind These Campaigns

Pull apart enough documented cases and a structure emerges. It holds up regardless of industry or company size.

  • Watch: deep reconnaissance on the target executive — LinkedIn, earnings calls, conference talks, SEC filings, company press releases — building a behavioral and biographical profile.
  • Harvest: gathering specific, current operational details — an upcoming acquisition, a leadership change, a board meeting, a travel schedule — that become the pretext.
  • Assume: building the impersonation itself, whether that's a lookalike domain, a hijacked colleague's inbox, or a cloned voice.
  • Lure: a low-stakes first contact meant to establish trust before any actual request gets made.
  • Exploit: the real ask — the transfer, the credential reset, the document — delivered once the attacker judges trust has been sufficiently built.

None of this is complicated. What makes it dangerous is the patience. Real campaigns run for weeks, not minutes, because an attacker who escalates too fast recreates exactly the suspicion the slow build was designed to avoid.

Whaling rarely happens quickly. It happens carefully. The patience is the tell — and it's also exactly what makes it survive every detection system built to catch urgency.

Why Executives Are Easier to Profile Than Almost Anyone Else

Executives are, just by the nature of the job, the most publicly documented people in any organization. That's not a personal failing — it's a side effect of doing the role well. The same visibility that makes someone effective at investor relations or press engagement also hands an attacker a remarkably detailed dataset to work from.

Earnings calls don't just reveal business priorities. They reveal speech patterns, the specific phrases an executive reaches for under pressure, the vocabulary they default to when discussing risk. Conference talks and podcast appearances supply hours of usable voice recordings. Regulatory filings quietly disclose travel, acquisitions, and board changes months ahead of the press release everyone actually reads. Social media adds the personal layer — a new dog, a family trip, the small talk that lets an attacker sound familiar before they ever make an ask.

Compiling all of that used to take real human effort — days of research, stitched together by hand. It doesn't anymore. Generative tools now compress that work into something that runs largely unattended, producing a profile of someone's communication style, professional relationships, and current business context detailed enough to write a convincing impersonation without a human ever reading the source material line by line.

Why Time Pressure Makes This Worse, Not Better

Three things about senior roles compound the reconnaissance problem into real operational risk. Executives are usually short on time, so requests get less scrutiny than they'd get from someone with a lighter calendar. They're highly visible, for the reasons above. And they're empowered — able to approve large transfers or direct subordinates, often without a second signature required.

Put together, the people best positioned to catch a whaling attempt through careful scrutiny are often the people with the least bandwidth to apply it. Someone moving between board meetings and a flight doesn't have time to interrogate every message the way a security analyst would. Attackers know this. The pretexts are built specifically around it — confidential, urgent, inconvenient to verify through the normal channel.

The AiTM Connection: Whaling Stopped Being the Whole Attack

Here's the shift that actually matters in 2026. Adversary-in-the-middle phishing intercepts a live authentication session — capturing the token after MFA clears, not before — and it's gotten dramatically easier to run at scale. Executives are the preferred entry point, and the reason is simple math.

An AiTM campaign works when the target completes a real login against a proxy server the attacker controls, believing it's the legitimate service. A compromised session from a junior employee might unlock a shared drive. A compromised session from a CFO unlocks financial systems, board communications, M&A data rooms, and the ability to move money directly. Same technique. Wildly different payout.

Once an attacker has that live session, there's no spoofed domain to catch, because nothing was spoofed. Mail sent from that account passes SPF, DKIM, and DMARC clean — it genuinely came from the real, authenticated mailbox. The attacker isn't pretending to be the executive from outside. They're inside, using the executive's real identity.
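The session-hijack pattern described above leaves traces in identity-provider sign-in logs even though the mail it produces is clean. The following is an added example, not StrongestLayer or TRACE code: a small Python detector run over a constructed JSON-lines sign-in log. The field names (`ts`, `user`, `event`, `session_id`, `ip`, `asn`) and the organization's known ASN set are assumptions; map them onto what your IdP actually emits.

```python
"""Flag AiTM-style session hijack in identity-provider sign-in logs.

Added example, not StrongestLayer/TRACE code. The log format and field names
(ts, user, event, session_id, ip, asn) are constructed assumptions.
"""
import json
from datetime import datetime, timedelta

# Constructed: the ASNs the organization's offices and VPN egress through.
KNOWN_ASNS = {"AS64500"}

# Constructed sample log (JSON lines). Session s-7741 completes MFA from the
# corporate ASN, then the same session token is used minutes later from an
# unrelated hosting ASN: the token was captured and replayed elsewhere.
# Session s-7755 completes MFA from an ASN the organization never uses,
# which is what a login relayed through a proxy the user did not intend
# to use looks like from the IdP's side.
SAMPLE_LOG = """\
{"ts": "2026-03-04T08:02:11Z", "user": "cfo@example.com", "event": "mfa_success", "session_id": "s-7741", "ip": "203.0.113.10", "asn": "AS64500"}
{"ts": "2026-03-04T08:02:15Z", "user": "cfo@example.com", "event": "token_use", "session_id": "s-7741", "ip": "203.0.113.10", "asn": "AS64500"}
{"ts": "2026-03-04T08:09:40Z", "user": "cfo@example.com", "event": "token_use", "session_id": "s-7741", "ip": "198.51.100.77", "asn": "AS64511"}
{"ts": "2026-03-04T09:15:02Z", "user": "ea@example.com", "event": "mfa_success", "session_id": "s-7802", "ip": "203.0.113.22", "asn": "AS64500"}
{"ts": "2026-03-04T09:16:30Z", "user": "ea@example.com", "event": "token_use", "session_id": "s-7802", "ip": "203.0.113.22", "asn": "AS64500"}
{"ts": "2026-03-04T11:40:05Z", "user": "cfo@example.com", "event": "mfa_success", "session_id": "s-7755", "ip": "192.0.2.5", "asn": "AS64496"}
{"ts": "2026-03-04T11:40:09Z", "user": "cfo@example.com", "event": "token_use", "session_id": "s-7755", "ip": "192.0.2.5", "asn": "AS64496"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts with a real datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_aitm_indicators(events, known_asns=KNOWN_ASNS, window=timedelta(hours=1)):
    """Return one finding per suspicious event.

    Two signals: (1) MFA completed from an ASN the organization never uses,
    and (2) a token used from a different ASN than the one its MFA came from,
    within `window` of that MFA. Comparing ASNs rather than IPs keeps mobile
    users who hop addresses inside one carrier from tripping the check.
    """
    mfa_origin = {}  # session_id -> the mfa_success event for that session
    findings = []
    for e in events:
        sid = e["session_id"]
        if e["event"] == "mfa_success":
            mfa_origin[sid] = e
            if e["asn"] not in known_asns:
                findings.append({"session_id": sid, "user": e["user"],
                                 "reason": "mfa_from_unknown_asn", "asn": e["asn"]})
        elif e["event"] == "token_use":
            origin = mfa_origin.get(sid)
            if origin is None:
                continue
            if e["asn"] != origin["asn"] and e["ts"] - origin["ts"] <= window:
                findings.append({"session_id": sid, "user": e["user"],
                                 "reason": "token_used_from_different_asn",
                                 "asn": e["asn"], "mfa_asn": origin["asn"]})
    return findings


if __name__ == "__main__":
    for finding in find_aitm_indicators(parse_log(SAMPLE_LOG)):
        print(finding)
```

Both signals need tuning against your own population: a VPN that egresses through a different provider than the office, or a travelling executive on hotel Wi-Fi, will trip the ASN comparison, so treat a hit as a reason to invalidate the session and re-verify rather than as proof on its own.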

$137,000 average loss per whaling incident in 2024 — and increasingly the opening move toward deeper account compromise, not a single isolated transfer

What This Does to the Math on a Single Email

A successful whaling email aimed at the right person used to mean the risk of one bad wire. Now it's the risk of full account compromise that compounds for weeks afterward. An attacker sitting inside a CFO's real session can read the actual inbox, study how the org really talks to itself, spot a real pending transaction, and launch a second-stage attack — vendor fraud, payroll diversion, whatever fits — using information that makes the follow-on far harder to catch than the original email ever was.

You can't evaluate whaling as a single-message problem anymore. It's the opening move in a chain. The chain is what actually determines what the breach costs.

Deepfakes Took Whaling Out of the Inbox Entirely

For most of whaling's history, the inbox was the whole attack surface. That's no longer close to true. Voice cloning now needs as little as three to thirty seconds of recorded audio — easily pulled from one podcast appearance or earnings call — to produce speech that's genuinely convincing. Deepfake-as-a-service platforms have made this available to attackers with zero production background, which is most of why voice-based whaling and AI-driven vishing have spiked so hard.

The video version is newer, and worse. The video-call case mentioned earlier, in Hong Kong, involved live, real-time video deepfakes of multiple colleagues on one call — not a pre-recorded clip dropped in. The employee's instinct to verify the request by joining a video call was sound. It's just that the verification channel itself had already been compromised along with the original ask.

For years, the standard advice on resisting whaling and BEC was simple: don't trust email alone, confirm anything high-value through a second channel, ideally a call or video chat with someone you actually know. That advice still points in the right direction. It's just not sufficient by itself anymore. A verification step that a good enough deepfake can defeat needs a second layer behind it, not a replacement.

Do not trust a single communication channel, especially when authority or urgency is involved. In 2026, that includes the channel you would have called a verification step three years ago.

What Actually Holds Up Now

The organizations handling this well haven't abandoned out-of-band verification — they've made it more specific. A callback to a number the executive registered in person, never shared over email, is much harder to compromise than a number sitting in the suspicious message itself. A pre-agreed phrase, known to a small circle and never typed or said into any recorded channel, is a genuinely low-tech control that beats even a flawless deepfake, simply because the people building the deepfake have no way to know it exists. And routing every financial authorization through one dedicated, audited workflow — never solely through email, or a call, or a video chat on its own — removes the single point of failure that whaling, AiTM, and deepfakes are all, in their different ways, trying to find.

The Regulatory Floor Is Rising Underneath All of This

Whaling used to get filed under security awareness — a training problem, not a compliance one. That's aging fast. A handful of regulatory changes taking effect through 2025 and 2026 are starting to treat the absence of anti-impersonation and verification controls as a documented gap, not a nice-to-have.

PCI DSS v4.0 made anti-phishing controls mandatory under Requirement 5.4.1 back in April 2025, and it applies to basically any company handling payment card data — which covers most mid-market businesses with any e-commerce footprint at all. Nacha's ACH rule changes, with Phase 1 obligations live as of March 2026, bring in risk-based monitoring requirements aimed specifically at fraudulently initiated payment entries — exactly the outcome a successful whaling attack produces. And in the EU, NIS2 enforcement is stacking incident-reporting obligations on top of existing data protection law, which means a whaling-driven breach now starts a regulatory clock in addition to the financial damage.

None of these frameworks mention whaling by name. They don't need to. They require controls against the outcome it produces — unauthorized payment, driven by impersonation. An organization that can't show active impersonation defenses, real verification protocols, and monitoring tuned to these specific patterns isn't just operationally exposed anymore. It's exposed on a compliance basis that simply didn't exist in this form two years ago.

Why Rule-Based Filters Never Stood a Chance Against This

Worth being specific about why whaling beats the detection most organizations still lean on.

Secure email gateways are built to check technical attributes: does the sending domain match what it claims, is there a known-bad link, does the content match a known phishing template. A well-built whaling email usually has none of that. The domain might be one character off from the real one — close enough to pass a quick glance, not close enough to survive a careful one. The account might be genuinely compromised, which means it passes every authentication check because it really is the legitimate account. And there's often no link, no attachment, nothing to scan at all — just a fluently written request that, stripped of context, reads like an ordinary day at the office.
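The "one character off" domain is the one part of this that a careful check can catch mechanically, provided the check folds visual confusables and edit distance rather than demanding an exact string match. The following is an added example, not StrongestLayer or TRACE code: a Python classifier that compares a sender domain against a constructed set of protected domains. It approximates the registrable domain as the last two labels, which is wrong for suffixes such as .co.uk; use a public-suffix list in production.

```python
"""Classify a sender domain against the domains an organization protects.

Added example, not StrongestLayer/TRACE code. PROTECTED and the sample
senders are constructed.
"""
import unicodedata

PROTECTED = {"example.com", "examplecorp.com"}  # constructed

# Visual confusables folded to a canonical "skeleton". Two-character entries
# come first so "rn" becomes "m" before any single-character rule runs.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),  # Cyrillic а, е, о
    ("\u0440", "p"), ("\u0441", "c"), ("\u0131", "i"),  # Cyrillic р, с; dotless ı
]


def skeleton(domain):
    """Lowercase, decode punycode if present, NFKC-normalize, fold confusables."""
    d = domain.strip().strip(".").lower()
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    d = unicodedata.normalize("NFKC", d)
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a, b):
    """Edit distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender_domain(domain, protected=PROTECTED):
    """Return (verdict, protected_domain_matched_or_None).

    Order matters: a genuine protected domain (or a subdomain of one) is
    accepted before any lookalike test runs, so "mail.example.com" is trusted
    while "exarnple.com" and "exampie.com" are not.
    """
    raw = domain.strip().strip(".").lower()
    raw_registrable = ".".join(raw.split(".")[-2:])
    if raw_registrable in protected:
        return ("trusted", raw_registrable)

    labels = skeleton(domain).split(".")
    registrable = ".".join(labels[-2:])
    for p in sorted(protected):
        if registrable == skeleton(p):
            return ("homoglyph_lookalike", p)   # identical once confusables are folded
    for p in sorted(protected):
        if levenshtein(registrable, skeleton(p)) <= 1:
            return ("typo_lookalike", p)        # one edit away from a protected domain
    for p in sorted(protected):
        brand = skeleton(p).split(".")[0]
        if brand in labels[:-2]:
            return ("brand_in_subdomain", p)    # e.g. example.com.secure-login.net
    return ("unrelated", None)


if __name__ == "__main__":
    for sender in ["mail.example.com", "exarnple.com", "ex\u0430mple.com",
                   "exampie.com", "example.com.secure-login.net", "partner.net"]:
        print(sender, "->", assess_sender_domain(sender))
```

A verdict other than "trusted" or "unrelated" is a strong signal on its own, but note what the classifier cannot see: a domain such as "examplecorp-billing.com" is neither one edit away nor a homoglyph, and a genuinely compromised account on the real domain is "trusted" by construction. That second gap is exactly why the rest of this section argues for context over attributes.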

That's the actual gap. The question worth asking isn't whether the email carries a malicious payload. It's whether this specific request, from this specific sender, to this specific recipient, at this specific moment, actually fits how this organization communicates. Pattern matching has no way to answer that. Reasoning does.

How TRACE Looks at Whaling Specifically

TRACE evaluates whaling through the same intent-based reasoning it applies everywhere, but the signals it weighs for executive-targeted attacks are tuned to how whaling specifically works. Its behavioral baselining tracks how a given executive actually writes — typical message length, the phrases they reach for, which channel they use for which kind of request, and the approval path their organization actually follows for financial sign-off.

When a message claiming to be from an executive asks for something off-pattern — a wire outside the normal process, an urgent credential reset, a request to skip an established control — TRACE's relationship and context engines check whether that request actually lines up with how this person communicates and how this organization runs day to day. A request that breaks from the executive's usual phrasing, or arrives through a channel they don't normally use, or asks someone to skip a control that's never been skipped before, throws a specific, weighted signal that a generic filter simply has no way to produce.
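The two paragraphs above describe baselining plus weighted, context-specific signals without showing what such a scorer looks like. The following is an added example, not StrongestLayer or TRACE code: a Python scorer that holds a constructed baseline for one executive (channels per request type, usual greetings and sign-offs, typical body length, the roles that must approve a wire) and rates incoming messages on the signals the text names: channel mismatch, a request to leave an approver out, phrasing that breaks from the baseline, and an executive's display name on an address that is not theirs. The weights and threshold are assumptions meant to show the shape of the approach, not a tuned model.

```python
"""Score an executive-attributed request against that executive's baseline.

Added example, not StrongestLayer/TRACE code; baseline fields, weights and
sample messages are constructed assumptions.
"""
import re

# Constructed baseline for one executive: how they actually communicate.
BASELINES = {
    "cfo@example.com": {
        "display_name": "Dana Reyes",
        "channels": {"wire_request": {"treasury_portal"},
                     "status_update": {"email", "chat"}},
        "greetings": {"hi team", "hello all"},
        "signoffs": {"thanks, dana", "- dana"},
        "body_length": (40, 400),          # typical character count, min and max
        "approval_roles": ["controller"],  # must sign off on any wire
    },
}

BYPASS_PHRASES = ("keep this between us", "skip the usual", "don't loop in",
                  "no need to involve", "bypass")
NEGATED_ROLE = r"(without|skip|not involve|don't involve|no need to involve|leave out)[^.]*\b{role}\b"

WEIGHTS = {
    "identity_mismatch": 4,   # exec's name on an address that isn't theirs
    "control_bypass": 4,      # asks to leave a required approver out
    "channel_mismatch": 3,    # request type arriving on an unusual channel
    "phrasing_mismatch": 2,   # neither the usual greeting nor the usual sign-off
    "length_outlier": 1,
}
HOLD_THRESHOLD = 5


def _baseline_for(msg):
    """Resolve the baseline by address first, then by claimed display name."""
    if msg["from_addr"] in BASELINES:
        return BASELINES[msg["from_addr"]], False
    for b in BASELINES.values():
        if b["display_name"].lower() == msg["from_name"].lower():
            return b, True   # claims to be the exec, but from another address
    return None, False


def score_request(msg):
    """Return {"score", "signals", "verdict"} for one message dict."""
    baseline, identity_mismatch = _baseline_for(msg)
    if baseline is None:
        return {"score": 0, "signals": [], "verdict": "no_baseline"}
    body = msg["body"].strip().lower()
    signals = []
    if identity_mismatch:
        signals.append("identity_mismatch")
    usual = baseline["channels"].get(msg["request_type"], set())
    if usual and msg["channel"] not in usual:
        signals.append("channel_mismatch")
    if any(p in body for p in BYPASS_PHRASES) or any(
            re.search(NEGATED_ROLE.format(role=re.escape(role)), body)
            for role in baseline["approval_roles"]):
        signals.append("control_bypass")
    if not (any(body.startswith(g) for g in baseline["greetings"])
            or any(body.endswith(s) for s in baseline["signoffs"])):
        signals.append("phrasing_mismatch")
    lo, hi = baseline["body_length"]
    if not lo <= len(msg["body"]) <= hi:
        signals.append("length_outlier")
    score = sum(WEIGHTS[s] for s in signals)
    verdict = "hold_for_verification" if score >= HOLD_THRESHOLD else "allow"
    return {"score": score, "signals": signals, "verdict": verdict}


# Constructed samples: one on-pattern request, one that breaks the baseline
# on identity, channel, approval path and phrasing at once.
LEGITIMATE = {
    "from_name": "Dana Reyes", "from_addr": "cfo@example.com",
    "channel": "treasury_portal", "request_type": "wire_request",
    "body": "Hi team, please release the Q1 vendor payment on PO 4471; "
            "the controller signed off this morning. Thanks, Dana",
}
SUSPICIOUS = {
    "from_name": "Dana Reyes", "from_addr": "dana.reyes@exarnple.com",
    "channel": "email", "request_type": "wire_request",
    "body": "I'm in board sessions all day and can't take calls. I need the "
            "escrow deposit for the acquisition sent before close today. "
            "Keep this between us for now, no need to involve the controller "
            "until the deal is announced. Dana",
}

if __name__ == "__main__":
    print(score_request(LEGITIMATE))
    print(score_request(SUSPICIOUS))
```

Notice what the scorer deliberately does not weight: urgency words. A whaling message written by someone patient enough to run a weeks-long pretext reads calmly, so the signal has to come from the request not fitting the baseline, which is why the control-bypass and channel checks carry the most weight here.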

TRACE's pre-campaign hunting adds another layer suited to how reconnaissance-heavy these attacks tend to be. Whaling infrastructure — lookalike domains, freshly registered sending domains — usually goes up weeks before the actual email lands. Watching domain registrations and certificate issuance tied to brand and executive-name variants can surface that infrastructure before a single message is sent, which closes the window patient, reconnaissance-driven attacks depend on.

What Mid-Market Organizations Are Actually Up Against

Whaling gets associated with big, recognizable companies — the kind whose CEO transition makes the news. That association is out of date. Mid-market organizations face the same fundamental exposure, usually with a lot less capacity to deal with it.

A mid-market CEO or CFO is just as publicly documented as their enterprise counterpart — often more so, relative to the size of the security team standing behind them, because smaller companies tend to lean harder on their leadership's personal visibility for sales and fundraising. A founder who's active on LinkedIn and gets quoted in trade press generates exactly the reconnaissance material a whaling campaign needs, usually with none of the layered approval workflow a bigger company would have built around it.

Scale the financial impact to company size and the picture gets worse. A $3 million fraudulent wire is a bad week for a multinational with billions in revenue. The same loss can end a 300-person firm. And the verification infrastructure larger enterprises spent years building — dedicated callback protocols, dual-approval thresholds, staff trained specifically on this — is frequently informal or just missing at smaller companies, mostly because building it has historically taken headcount lean teams don't have.

The reconnaissance an attacker needs to run a convincing whaling campaign does not get harder to gather just because the target company is smaller. The defenses, in practice, usually get thinner.

That's the specific gap StrongestLayer is built to close — the contextual, behaviorally grounded detection a dedicated executive protection program would deliver, minus the headcount and the years it usually takes to build one from scratch.

Building a Whaling Defense That Actually Holds

Real whaling defense is layered: detection technology, executive-specific awareness, and procedural controls that close off the single point of failure these attacks keep going after. Here's the practical version.

Trim the Public Attack Surface Where It Actually Makes Sense

Not asking executives to vanish from public life — that's neither realistic nor good for the business. It's being deliberate about what gets disclosed, and when. Travel plans, pending acquisitions, leadership changes — these are the specific categories whaling pretexts lean on hardest. Timing internal awareness around those windows, especially a new executive's first weeks or a confirmed travel block, takes away some of the timing advantage the attacker is counting on.

Build Verification That Doesn't Live on One Channel

Any request involving a wire, a credential reset, or access to something sensitive should require confirmation through a channel that wasn't the original request — using contact information that wasn't handed to you inside the suspicious message itself. A pre-registered callback number, confirmed in person and never updated by email, stops most whaling attempts cold, because the attacker has no way to redirect it. For the highest-stakes categories, a pre-agreed phrase that's never been typed or spoken into any recorded channel beats even a well-produced deepfake, since its creators have no way to know it exists.
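The callback rule in the paragraph above, and the same control described earlier under "What Actually Holds Up Now", can be enforced in the authorization workflow itself rather than left to memory. The following is an added example, not StrongestLayer or TRACE code: a Python model of that workflow in which callback numbers can only be enrolled in person, any number found inside the request text is refused as a verification contact, and a second approver distinct from the handler is required. The registry, request fields and phone numbers are constructed.

```python
"""Enforce out-of-band verification for a high-value request.

Added example, not StrongestLayer/TRACE code. Registry contents, request
fields and phone numbers are constructed.
"""
import re
from dataclasses import dataclass

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def digits(number):
    """Canonical form for comparing numbers written in different styles."""
    return re.sub(r"\D", "", number)


class CallbackRegistry:
    """Callback numbers that can only be enrolled or changed in person."""

    def __init__(self):
        self._numbers = {}

    def register(self, person, number, channel):
        # A change requested by email or chat is exactly the redirection a
        # whaling campaign would attempt, so only in-person enrollment counts.
        if channel != "in_person":
            raise ValueError(f"callback number for {person} can only be set "
                             f"in person, not via {channel}")
        self._numbers[person] = digits(number)

    def lookup(self, person):
        return self._numbers.get(person)


@dataclass
class WireRequest:
    claimed_from: str   # the executive the message says it is from
    body: str
    handler: str        # finance staff member processing it


def verify_wire_request(req, registry, number_called, second_approver):
    """Return (approved, audit_trail). Every rejection reason is recorded."""
    audit = []
    in_message = {digits(n) for n in PHONE_RE.findall(req.body)}
    called = digits(number_called)
    registered = registry.lookup(req.claimed_from)

    if registered is None:
        audit.append(f"rejected: no registered callback for {req.claimed_from}")
        return False, audit
    if called in in_message:
        audit.append("rejected: callback number was taken from the message itself")
        return False, audit
    if called != registered:
        audit.append("rejected: callback number does not match the in-person registry")
        return False, audit
    audit.append(f"callback to registered number for {req.claimed_from} "
                 f"completed by {req.handler}")
    if second_approver == req.handler:
        audit.append("rejected: second approver must differ from the handler")
        return False, audit
    audit.append(f"dual approval recorded: {req.handler} and {second_approver}")
    return True, audit


def demo():
    """Run the three outcomes that matter; returns their approved flags."""
    registry = CallbackRegistry()
    registry.register("cfo@example.com", "+1 555 010 0042", channel="in_person")
    req = WireRequest(
        claimed_from="cfo@example.com",
        body="Need the escrow wire out before close. I'm between meetings, "
             "reach me on +1 (555) 010-0199 if anything is unclear.",
        handler="ap.clerk@example.com")
    from_message = verify_wire_request(req, registry, "+1 (555) 010-0199",
                                       "controller@example.com")
    registered = verify_wire_request(req, registry, "+1 555 010 0042",
                                     "controller@example.com")
    same_person = verify_wire_request(req, registry, "+1 555 010 0042",
                                      "ap.clerk@example.com")
    return from_message[0], registered[0], same_person[0]


if __name__ == "__main__":
    print(demo())
```

The number in the message is refused even before it is compared with the registry, so a request that helpfully supplies "the right number to call" never becomes a valid verification path. The audit trail is the other half of the control: it is what lets you show, after the fact, that the callback and the second approval actually happened.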

Train the People Who Actually Push the Button

Whaling training tends to aim at the executives themselves, which misses something basic: the executive almost never executes the fraudulent transfer. A finance team member does. An assistant does. A helpdesk agent does. Training built specifically for the people authorized to act on executive requests — covering the urgency and confidentiality language these campaigns lean on — closes the actual point of failure far more directly than another round of executive-facing slides.

Deploy Detection That Reasons, Not Just Scans

The technical layer needs to evaluate whether a request fits everything known about the sender's real communication pattern and the organization's actual process — not just whether the email carries a bad attachment. That's the specific thing that separates intent-aware detection from signature filtering, and it's the layer that catches the well-built whaling email with no malware, no link, no obvious red flag. Just a request that, looked at in context, doesn't actually add up.

Final Thoughts: The Biggest Fish Is the Door Now

Whaling has always been told as a story about one devastating email — the one that talks a finance executive into wiring millions to the wrong place. That story's still true. It still happens. It just isn't the whole picture anymore.

A successful whaling attack is increasingly the first step in something longer: a compromised credential that opens an AiTM session, a captured token that hands over real access to real systems, a foothold that turns one convincing email into weeks of quiet movement through an organization's most sensitive financial and strategic information. The executive isn't just being tricked into one mistake. They're being used as the door into everything their authority touches.

Whaling doesn't respond well to the old playbook anymore — confirm anything urgent, watch for bad grammar, done. Reconnaissance moves faster now. Impersonation is more convincing. Even the verification channel can be compromised. And the cost of a single successful attempt rarely stops at the original transfer. Defending against it takes verification that doesn't depend on one channel, training aimed at the people who actually act on these requests, and detection that can reason about whether something makes sense — not just whether it matches a known pattern.

That last piece is the one most organizations don't have, and it's what TRACE was built to provide: something that looks at the full context of a message — how the sender actually communicates, what's normal for this organization, what pretext is being used — and asks whether it adds up. Not because it's seen this exact attack before. Because it understands what normal actually looks like well enough to notice when something, very patiently, isn't.

Frequently Asked Questions (FAQs)

Q1: What is whaling, exactly, and how is it different from regular phishing?

Whaling is spear phishing aimed at senior executives, board members, and the people authorized to act for them — finance leads, executive assistants, helpdesk staff. Regular phishing casts a wide net and hopes a small percentage of people click. Whaling goes after one specific, high-value person, built from real research into their role, their recent activity, the way they actually write. Low volume, high investment per target. The payout — a wire, a credential set, access to a financial system — is usually big enough to justify weeks of prep for a single email.

Q2: Why are executives specifically easier to target than other employees?

Three things compound together. Executives are usually short on time, so requests get less scrutiny than they'd get from someone with a lighter calendar. They're highly visible — earnings calls, press coverage, LinkedIn, conference talks — which hands an attacker a rich dataset to build a convincing impersonation from. And they're empowered to approve large transfers or access sensitive systems, often without a second signature. None of this is about poor judgment. It's just what seniority structurally produces, and attackers have learned to build around it.

Q3: How can an attacker clone an executive's voice with so little audio?

Modern voice cloning can produce genuinely convincing speech from as little as three to thirty seconds of recorded audio — easy to pull from a single earnings call or conference talk. Deepfake-as-a-service platforms have put this in reach of attackers with zero production background, which is most of why voice-based whaling and deepfake vishing have spiked so hard. The technical barrier that used to limit this to well-resourced threat actors has mostly disappeared.

Q4: If a video call confirmed the request, doesn't that rule out fraud?

Not anymore. In one widely reported 2025 case, an employee joined a video call specifically to verify a suspicious request and saw what looked like his CFO and several familiar colleagues — all confirming the transfer out loud. Every participant on that call except him was a real-time AI-generated deepfake. The company authorized roughly $25 million before anyone realized what had happened. Video verification is still worth doing, but it can't be treated as proof on its own anymore — it needs to be paired with something the attacker has no way to fake.

Q5: What's the connection between whaling and adversary-in-the-middle (AiTM) attacks?

Whaling is increasingly just the opening move that leads into an AiTM session hijack. If a whaling email tricks an executive into logging in through an attacker-controlled proxy, the attacker grabs the live session token after MFA has already cleared — meaning multi-factor authentication doesn't actually stop the compromise. From there, the attacker is operating with the executive's real, authenticated identity rather than an outside impersonation, which makes everything that follows much harder to tell apart from legitimate use.

Q6: Why don't SPF, DKIM, and DMARC catch whaling emails?

Those protocols check whether a message came from a server authorized to send on behalf of a domain. They say nothing about whether the request inside actually makes sense, and they're useless when the sending account is genuinely compromised rather than spoofed. A whaling email from a real, hijacked executive account passes every authentication check, because authentication was never the gap being exploited. The gap is contextual — does this request fit how this person actually writes and how this organization actually operates.

Q7: How does TRACE detect a whaling email if it contains no malicious link or attachment?

TRACE builds a baseline for how each executive in your organization actually communicates — message length, the phrases they reach for, which channel they use for which request type, and your standard approval workflow for financial sign-off. When a message claiming to be from an executive asks for something off-pattern — a wire outside the normal process, an urgent credential reset, a request to skip a control — TRACE's relationship and context engines check whether that request fits the executive's established pattern and the organization's actual rhythm. The detection comes from whether the request makes sense, not from spotting a recognizable technical signature.

Q8: Are smaller, mid-market companies actually at risk, or is this an enterprise problem?

Mid-market companies are often more exposed, not less. A founder-CEO active on LinkedIn and quoted in trade press generates exactly the reconnaissance material a whaling campaign needs, usually with a far smaller security team standing behind them than an enterprise counterpart. A transfer a multinational could absorb without much pain can be existential for a 300-person firm. And the layered verification protocols bigger companies built up over years — dedicated callback procedures, dual-approval thresholds — are frequently informal or missing entirely at smaller organizations, mostly because building them takes headcount lean teams don't have.

Q9: What regulations now require anti-whaling or anti-impersonation controls?

A few frameworks taking effect through 2025 and 2026 raise the bar here without naming whaling directly. PCI DSS v4.0 made anti-phishing controls mandatory under Requirement 5.4.1 as of April 2025 for any organization handling payment card data. Nacha's ACH rule changes, with Phase 1 obligations live since March 2026, bring in risk-based monitoring for fraudulently initiated payment entries. In the EU, NIS2 enforcement stacks incident reporting on top of existing data protection law. None of these mention whaling by name — they don't need to. They all require controls against the exact outcome a successful whaling attack produces: unauthorized payment or access driven by impersonation.

Q10: What is the single most effective procedural control against whaling?

Verification through a channel that wasn't the original request, using contact info that was never handed to you inside the suspicious message itself. A pre-registered callback number, confirmed in person and never changed via email, stops most whaling attempts cold because the attacker has no way to redirect it. For the highest-stakes categories — large wires, executive credential resets — a pre-agreed phrase that's never been typed or said into any recorded channel beats even a well-produced deepfake, simply because the phrase was never part of anything an attacker could have intercepted.

Q11: Should training focus on the executives themselves or on their staff?

Mostly on staff. The executive is rarely the one who actually executes a fraudulent transfer — a finance team member, an assistant, or a helpdesk agent usually is. Training built specifically for the people authorized to act on executive requests, covering the urgency and confidentiality language these campaigns lean on, addresses the real point of failure far more directly than another round of executive-facing slides. That said, executives still benefit from understanding how their own visibility — the earnings calls, the conference talks, the LinkedIn posts — feeds directly into the reconnaissance attackers run against the people around them.

Q12: What does a typical whaling campaign look like from start to finish?

Most documented cases follow a consistent five-stage pattern. Reconnaissance gathers biographical and behavioral detail on the target executive from public sources. Harvesting collects current operational specifics — a pending acquisition, a leadership transition, a travel schedule — to use as pretext. Impersonation is constructed, whether through a lookalike domain, a compromised colleague's account, or in advanced cases a cloned voice or generated video likeness. An initial low-stakes contact establishes trust before any request is made. And the final request — a transfer, a credential reset, a document release — arrives once the attacker judges trust to be sufficiently established. The entire sequence frequently runs over weeks rather than minutes, precisely because patience is what makes the deception convincing.
