pp. Targeting a scam at a company's CEO or other high-ranking officer, either to defraud the officer directly or to dupe an employee into sending money to the scammer.
As the next step up from spear phishing, whaling is a form of business email compromise (BEC). It involves cybercriminals impersonating the CEO, CFO or other high-ranking business authority to dupe employees into making fraudulent payments or unwittingly sharing confidential data.
—Bonnie Gardiner, “Spotting a fake CEO: 4 ways to evade a whaling attack,” CIO, May 02, 2016
The spoofed messages ask finance staff to rush through a payment to a supplier that the chief executive cannot handle because they are out of the office.
Experts have dubbed this "whaling" fraud because it targets "one big fish" as opposed to phishing, which tends to be aimed at lots of smaller fry.
—“'Whale' finance fraud hits businesses,” BBC News, October 19, 2015
"Spear phishing" is a targeted phishing attack against specific individuals within specific companies, in which the fraudsters deploy personalized emails or other forms of online contact. Spear phishing’s high-achieving younger brother — "whaling" — uses the same techniques to aim tailored lures at upper management.
2014 (earliest)
Mimecast Targeted Threat Protection extends traditional gateway security to defend against malicious links in email, weaponized attachments and malware-less social-engineering attacks, often called whaling — the three most common attack methods.
—“Targeted Threat Protection,” Mimecast, May 24, 2014
Scams that aim to extort or steal money directly from a company's chief executive are also known as CEO fraud. If the scam involves impersonating a company officer via email to dupe a lower-level employee into transferring funds to the scammer, it's also known as a business email compromise.