The difference between phishing, spear-phishing and whaling attacks lies in the degree of personalization. Phishing is the least personalized, whaling is the most, and spear-phishing lies between.
What is Phishing?
Everyone with an inbox is familiar with phishing attacks. The infamous Nigerian prince scam was the first phishing attack to achieve broad public awareness, but since then, phishing attacks have become more sophisticated. A modern phishing attack is likely to look like a legitimate email from a well-known business or a bank, and it will only be recognized as malicious by an alert user who checks the actual sender address (for example, by hovering over it) before clicking a link or downloading an attachment.
Phishing attacks are a numbers game: Instead of targeting one individual, they target many people in the hope of catching a few.
Attacks are not personalized, and a key identifier of a phishing email is that it does not use the recipient’s name. Phishing attacks are conducted not only by email but also by text, phone and messaging apps.
What is Spear-Phishing?
While phishing attacks target anyone who might click, spear-phishing attacks try to fool people who work at particular businesses or in particular industries in order to gain access to the real target: the business itself.
Spear-phishing attacks are at least as personalized as a typical corporate marketing campaign. For example, a spear-phishing attack may initially target mid-level managers who work at financial companies in a specific geographical region and whose job title includes the word “finance.”
A great deal of research may occur before a spear-phishing attack is launched, but the effort is worthwhile to an attacker because the payoff could be significant. That payoff isn’t necessarily monetary — spear-phishing attacks are frequently sponsored by nation-states.
To execute a spear-phishing attack, attackers may use a blend of email spoofing, dynamic URLs and drive-by downloads to bypass security controls. Advanced spear-phishing attacks may exploit zero-day vulnerabilities in browsers, applications or plug-ins. The spear-phishing attack may be an early stage in a multi-stage advanced persistent threat (APT) attack that will execute binary downloads, outbound malware communications and data exfiltration in future stages.
What is Whaling?
Whaling attacks target one person, typically a highly placed executive, in order to steal money or gain sensitive information. Attackers go to great lengths to learn about the executive, such as stalking their social media or using a spear-phishing attack to gain enough access to the network to “eavesdrop” on the executive’s email communications.
Whaling attacks are used to conduct business email compromise (BEC) attacks, in which the ultimate goal is wire fraud. In these attacks, an executive with financial approval authority may receive an email from a C-level executive asking them to urgently transfer a large amount of money to cover a vendor payment or similar obligation. The email may have a sense of urgency, such as, “I’m at the airport heading out for vacation, can you rush this?” And the supposed sender of the email may indeed have left for vacation, so the message would seem legitimate to the targeted executive.
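The indicators the article names can be turned into a simple defender-side triage heuristic: the generic salutation of bulk phishing, a spoofed display name or lookalike sender domain, and the urgent payment request that characterizes a BEC whaling message. The following is an added example and not code from the original article; the domain example.com, the executive name, the keyword lists, the score weights and the three sample messages are all constructed assumptions.

```python
"""Heuristic triage of inbound mail for phishing and BEC indicators.

Added example (not from the original article). Scores each message on:
  - a generic salutation instead of the recipient's name (bulk phishing)
  - an executive's display name used with an external address (spoofing)
  - a sender domain within one edit of our own domain (lookalike)
  - a Reply-To that points away from the sender's domain
  - urgency wording, and urgency combined with a payment request (BEC)
Thresholds, keyword lists and sample messages are constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"          # constructed: the organisation's own domain
EXECUTIVES = {"dana liu"}               # constructed: display names worth impersonating

GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder", "dear sir")
URGENCY_TERMS = ("urgent", "rush", "immediately", "right away", "at the airport")
PAYMENT_TERMS = ("wire", "transfer", "payment", "invoice", "gift card")


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return (score, indicators) for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    indicators, score = [], 0

    # Bulk phishing is not personalised: the body opens with a generic salutation.
    if any(body.lstrip().lower().startswith(s) for s in GENERIC_SALUTATIONS):
        indicators.append("generic salutation"); score += 2
    # Spoofing: an executive's display name on an address outside our domain.
    if name.strip().lower() in EXECUTIVES and from_dom != TRUSTED_DOMAIN:
        indicators.append("executive display name from external domain"); score += 4
    # Lookalike domain: one edit away from the trusted domain but not equal to it.
    if from_dom and from_dom != TRUSTED_DOMAIN and edit_distance(from_dom, TRUSTED_DOMAIN) <= 1:
        indicators.append("lookalike sender domain"); score += 3
    # Replies silently redirected to a domain other than the sender's.
    if reply_addr and sender_domain(reply_addr) != from_dom:
        indicators.append("reply-to domain mismatch"); score += 2
    urgent = any(t in text for t in URGENCY_TERMS)
    payment = any(t in text for t in PAYMENT_TERMS)
    if urgent:
        indicators.append("urgency wording"); score += 1
    if urgent and payment:
        indicators.append("urgent payment request (BEC pattern)"); score += 2
    return score, indicators


def classify(score):
    """Map a score to a triage verdict (thresholds are constructed assumptions)."""
    return "likely phishing" if score >= 5 else "suspicious" if score >= 3 else "clean"


def triage(samples):
    """Score every message in a {name: raw_message} dict."""
    out = {}
    for label, raw in samples.items():
        score, indicators = score_message(raw)
        out[label] = {"score": score, "verdict": classify(score), "indicators": indicators}
    return out


# Constructed sample messages: a bulk phish, a BEC whaling attempt and a normal internal mail.
SAMPLES = {
    "bulk_phish": (
        "From: Secure Alerts <alerts@bank-example.net>\nTo: sam@example.com\n"
        "Subject: Action required: account suspended\n\n"
        "Dear Customer,\nYour online banking access has been suspended. "
        "Confirm your payment details immediately using the link below.\n"
    ),
    "bec_whaling": (
        "From: Dana Liu <dana.liu@examp1e.com>\nReply-To: dana.liu.ceo@webmail-example.org\n"
        "To: sam@example.com\nSubject: Quick favour\n\n"
        "Sam,\nI'm at the airport heading out for vacation, can you rush this wire "
        "transfer to the new vendor today? I'll send the invoice later.\n"
    ),
    "internal_ok": (
        "From: Dana Liu <dana.liu@example.com>\nTo: sam@example.com\n"
        "Subject: Q3 planning notes\n\n"
        "Hi Sam,\nThe Q3 planning notes are attached; let's discuss at Thursday's meeting.\n"
    ),
}

if __name__ == "__main__":
    for label, result in triage(SAMPLES).items():
        print(f"{label:12s} score={result['score']:2d} {result['verdict']:16s} {result['indicators']}")
```

The weights are deliberately crude; the point is that none of the indicators is decisive on its own (an executive really may be at the airport), but a lookalike domain plus an urgent wire request from a "C-level" display name should route the message to a human reviewer or an out-of-band confirmation step before any payment is approved.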