Phishing vs spear phishing vs whaling attacks

Phishing vs spear phishing vs whaling attacks

Gone are the days when phishing emails were typo-laden messages demanding you to click on a link and enter your credit card details into some eyesore of a website. Today’s phishing attacks are advanced, sophisticated and scarily believable, which perhaps explains why 22 percent of employees clicked on a phishing email in 2018, according to figures from Verizon.

How are phishing attacks getting more sophisticated? Well, rather than casting out a wide net in the hopes of snagging a couple of fish, cybercriminals are becoming increasingly selective with their attacks. By focusing their efforts on a single high-value target, cybercriminals are able to create personalized attacks that are painstakingly tailored to the individual, thereby maximizing their chances of landing a whopper.

Read on to learn more about the different types of phishing attacks and how you can protect yourself as a small business owner.

How phishing works

Phishing is the general term for a type of social engineering attack in which attackers pretend to be a legitimate entity in order to extract sensitive information from a target. Much like a fisherman casting an enormous net into the sea in the hopes of catching something, most common phishing attacks have an incredibly wide attack scope, and will often be distributed to thousands or millions of people.

In this sense, a phishing attack is very much a numbers game. An attacker understands there’s a low chance of a target taking the bait, but because the scope of the attack is so large there’s a good chance that at least some people will respond. Phishing attacks are most commonly delivered over email, but they can also be sent via social media, phone calls and SMS.

Examples of phishing attacks

1. Tech support scam

The tech support scam is perhaps the most classic example of a phishing attack. It usually involves an email or browser popup warning you of some problem with your computer (e.g. malware infection, a data breach at a popular online service, or a claim that you have used your system for illegal activity) and a link to a website where you can resolve the issue. The website may look like the real deal, but when you enter your personal information it sends your data directly into the hands of the criminals. As many as 6 percent of consumers lost money to a tech support scam in 2018, according to Microsoft’s Global Tech Support Scam Research.

2. Fake invoices

Fake invoice phishing attacks have been around for years, and unfortunately they’re probably not going away any time soon. In this type of attack, criminals typically pose as a well-known tech company and send out phony invoices that show you’ve recently made a purchase from them. The email includes a link to a website where you can dispute the charges or stop automatic billing. Inputting your details on the website sends your information to the criminals, who can use the data to commit fraud or identity theft.

3. Facebook messages

Social media is a powerful attack vector for phishing because the attack is usually delivered via the account of someone you know and trust, which makes it more convincing and increases the chances of you clicking on a dodgy link. The contents of the message can vary, but often it claims that you have won something, been tagged in a risqué photo or have a new job opportunity. Clicking the accompanying link will take you to a fraudulent website that might steal your personal information or install malware on your computer.

What is spear phishing?

Spear phishing is much more selective and sophisticated than regular phishing attacks. Spear phishing usually involves targeting members of a specific organization to gain access to critical information such as financial data, staff credentials, intellectual property and customers’ personally identifiable information. These types of attacks are typically far more lucrative than a normal phishing attack, so criminals may spend a long time researching their target and planning the attack. In many instances, spear phishing is performed by government-sponsored attackers rather than random cybercriminals looking to make a quick buck.

What is a whaling attack?

A whaling attack is a type of spear phishing that focuses on a high-ranking target within an organization rather than lower level employees. Many whaling attacks target CEOs, CFOs and other executives who have a high level of access to sensitive company information. Some whaling attacks involve impersonating members of the C-suite and leveraging their authority to convince employees in other departments to release sensitive information.

Whaling attacks are as sophisticated as they are personalized. The emails and websites used in these types of attacks are professionally designed, flawlessly worded and appear, for all intents and purposes, to be completely legitimate. To further add to the illusion, attackers might use spoofed email addresses and the logos and contact information of real companies or government agencies.

To personalize the attack, criminals will also go to great lengths to collect as much information on the target as possible, often drawing data from LinkedIn, Facebook and Twitter. This allows them to refer to the target’s name, job title and other personal information, which makes the attack seem even more authentic.

Examples of whaling attacks

1. Seagate releases copies of 10,000 employees’ W-2 tax forms

In 2016, the HR department of data storage technology giant Seagate received an email that was apparently from the company’s CEO Stephen Luczo. The email asked for copies of employees’ 2015 W-2 tax forms and other personally identifiable information, including names, social security numbers, income and home addresses. HR fulfilled the request, which resulted in the personal details of almost 10,000 current and past employees being sent straight to the cybercriminals.

2. Snapchat hands over payroll information

Snapchat is no stranger to cyberattacks, but in 2016 the social media platform yet again found itself at the center of a data breach when an employee was tricked into releasing payroll information about some of its employees. In the attack, a member of the payroll team received an email from someone claiming to be Snapchat CEO Evan Spiegel, who made a request for employee payroll information. The data was duly handed over to the attacker and the information was leaked shortly after.

3. FACC CEO loses job after company wires $56 million to fraudsters

FACC is an Austrian plane manufacturing company whose customers including Boeing and Airbus. In 2016, it emerged that the company had been the victim of a successful whaling attack, which led to the finance department wiring $56 million to the fraudsters. While the full details of the attack were never publicly released, FACC CEO Walter Stephan was fired as he had “severely violated his duties”, and the CFO of the company also lost their job soon after the attack.

Phishing, spear phishing and whaling: What’s the difference?

Phishing, spear phishing and whaling attacks share many similarities – primarily, all three involve using impersonation to elicit information or money from a target. However, they also have some subtle differences to be aware of.

A typical phishing attack takes a “quantity over quality” approach to scamming. The attacks are often simple, relatively easy to identify and distributed to thousands or millions of people.

Spear phishing is more selective. These attacks target a specific organization or employee in order to gain sensitive data. The assets used in spear phishing are more sophisticated and can be difficult to spot. While spear phishing attacks take much longer to plan and execute, the payoff can be much more lucrative than wide-scale phishing attacks.

Whaling is a type of spear phishing. It targets high-ranking, high-value target(s) in a specific organization who have a high level of authority and access to critical company data. Whaling attacks may take weeks or months to prepare, and as a result the emails used in the attacks can be very convincing.

How SMBs can defend against spear phishing and whaling attacks

1. Educate staff about phishing and whaling attacks

Employees across every level of your organization, particularly senior management, and HR and payroll staff, should receive training on how to identify the signs of a phishing or whaling attack. This might include learning how to spot spoofed sender names and email addresses, being wary of unsolicited attachments, keeping software up to date and double checking URLs before clicking any links. For more information, be sure to check out our previous blog post on how to prevent phishing attacks.

2. Encourage managers to consider what they share on social media

As noted above, cybercriminals regularly trawl social media platforms to find information on their targets which they can then use to add an extra layer of legitimacy to their phishing and whaling attacks. Data such as place of employment, address and date of birth can all be used to add weight to an attack. While you probably can’t (and shouldn’t) prohibit employees from using social media altogether, do encourage staff (and managers and executives in particular) to avoid oversharing on social media and tweak their privacy settings to keep their accounts as private as possible.

3. Install an anti-phishing extension for your browser

These days, all major web browsers come with reasonably effective phishing protection technology built right in, but to really keep your business safe you might want to consider installing a dedicated browser extension. Emsisoft Browser Security, for example, blocks phishing attacks and prevents you from accessing websites that are known to distribute malware, and it does so in a way that doesn’t compromise your privacy.

4. Verify requests for money and sensitive information

Phishing and whaling attacks rely on human error. Reduce the risk of a slip up by developing and enforcing processes to verify financial and sensitive data requests. For example, you could make it mandatory to verify requests through a secondary communications channel before performing the request. So, if someone in accounts were to get an email from the CFO instructing them to transfer a large sum of money to an unfamiliar account, the employee would have to double check the request by contacting the CFO via a phone call, chat, or in person, but NOT via email.

5. Have systems in place in case someone takes the bait

In the event that someone does fall for a phishing attack, you want to be sure that you have systems in place to limit the damage. Investing in reliable antivirus software such as Emsisoft Anti-Malware is critical for preventing malware that can be delivered in some phishing attacks, while a good backup strategy can help restore your machine to a safe state.

Keeping your business safe from phishing

Phishing and whaling attacks remain a constant threat for businesses of all sizes. While basic phishing attacks can usually be spotted from a mile away, spear phishing and whaling are much more difficult to identify. The good news is there are many things security-conscious businesses can do to contain the threat. By training staff on the dangers of phishing, establishing verification processes and having systems in place for a worst case scenario, you’ll be better prepared to protect your company against all types of phishing attacks.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

Have you been on the receiving end of a phishing attack recently? Did it look believable? How were you able to tell it was a phishing email? Let us know in the comments below!



Writer. A picture is worth a thousand words but unfortunately I can't draw. The world of IT security has always fascinated me and I love playing a small role in helping the good guys combat malware.

What to read next