Skip to main content

Cornell University

Watch Out for Whaling: Phishing Targeting Leaders

This article applies to: Faculty , Security & Policy , Staff

“Whaling” is a sophisticated form of phishing that targets an organization's top leaders. It uses clever social engineering and generative artificial intelligence to look like it’s from people you know and trust -- the president, provost, vice provosts, vice presidents, or deans.

Cornell's leaders are just as likely to receive this kind of fraudulent email as be the alleged sender of one.

A whaling phish can be hard to spot because …

  • Is well-written
  • Seems to know you, your work, and your organization structure
  • Appears to come from someone you would expect to contact you or from someone higher up in the hierarchy
  • Makes reasonable requests (review this, confirm that, answer a question)
  • Sometimes makes urgent requests, but with a plausible, credible explanation
  • Can use phone or email or both
  • Can be persistent with follow-ups from multiple senders

These steps can help you guard against whaling and other kinds of phishes:

  1. Leaders: talk with your staff about phishing and how to verify requests. At minimum, everyone should be suspicious of any requests coming from a non-Cornell email account or phone number.
  2. Double-check any requests involving financial transactions or high-risk matters by another means. For example, if it came in by email, verify via text, chat, or phone call. At minimum, do not simply hit reply.
  3. Use Cornell’s Outlook service to check your email. It automatically checks links and attachments and blocks any that are known to be malicious. If you use another email service (for example, for personal mail), be extremely cautious with links and attachments.
  4. Verify that the message is coming from the person's real email address. In Outlook, you need to hover over the name to see the email address.
  5. Require NetID login to access all procedures or approval workflows. If this information is publicly accessible, whalers will use it to make their scams look authentic.
  6. Consider your social media presence as a rich source of information that may be used in attacks. For example, if you share travel or conference stories, wait till you’re back in the office so your colleagues can easily recognize a scam that purports urgent cash transfers.

Learn more tips for spotting fraudulent emails (phishing).

2024 Update: PhishAlarm, a new faster way to report suspicious email to the IT Security Office, was made available on all Gmail web and Outlook web, desktop, and mobile interfaces.


To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.