Spear-Phishing vs. Phishing vs. Whaling

April 1, 2021

Phishing, spear-phishing and whaling differ mainly in how targeted and personalized they are. Phishing is the least personalized, whaling is the most, and spear-phishing lies between.

What is Phishing?

Figure: example of a phishing email

Everyone with an inbox is familiar with phishing. The infamous Nigerian prince scam (strictly an advance-fee fraud rather than a credential-theft phish, but the first mass email scam to reach broad public awareness) set the template, and phishing has become far more sophisticated since. A modern phishing email typically imitates a legitimate message from a well-known business or bank, and it is likely to be caught only by an alert user who hovers over each link to see where it really points, and who checks the actual sender address behind the display name, before clicking a link or opening an attachment. Even that is not a reliable defense on its own: the From address can be forged unless the receiving mail system enforces SPF, DKIM and DMARC, so user vigilance needs to be backed by mail authentication and link filtering.

Phishing attacks are a numbers game: Instead of targeting one individual, they target many people in the hope of catching a few.

Attacks are not personalized. A generic salutation such as "Dear customer" in place of the recipient's name is a common tell, though no longer a reliable one, since breached customer databases give attackers real names to drop in. Phishing is conducted not only by email but also by text message (smishing), phone (vishing) and messaging apps.
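The sender and link checks described above, written out as an added example that is not part of the original article: a small Python triage script that parses a raw message with the standard library and flags the two mismatches a bulk phish relies on (a display name carrying a different address than the real sender, and link text naming one site while the href points to another), plus the receiving mail server's DMARC verdict. The two messages it runs on are constructed samples; examplebank.com and the other domains are placeholders, not real senders.

```python
import email
import email.policy
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): a bulk phish showing the classic
# tells, a display name that shows a different address than the real sender
# and link text that names one site while the href points elsewhere.
SAMPLE_PHISH = """\
From: "Example Bank Security alerts@examplebank.com" <noreply@mail-examplebank-alerts.net>
To: customer@example.org
Subject: Urgent: verify your account
Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=mail-examplebank-alerts.net; dmarc=fail header.from=examplebank.com
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer,</p>
<p>Please <a href="http://login.examplebank.com.verify-acct.net/">https://www.examplebank.com/login</a>
to confirm your details.</p>
</body></html>
"""

# Constructed legitimate counterpart for comparison.
SAMPLE_CLEAN = """\
From: "Example Bank Security" <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.examplebank.com/login">www.examplebank.com</a> to view it.</p></body></html>
"""

ADDR_RE = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[\w-]+)")
URLISH_RE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


def registered_domain(host: str) -> str:
    """Crude 'registrable domain': the last two labels. Good enough here;
    a production tool would consult the Public Suffix List (co.uk etc.)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def analyze(raw: str) -> list[tuple[str, str]]:
    """Return (finding-code, detail) pairs for the phishing tells in a raw message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []

    # 1. Display name that shows one address while the header address is another.
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    if sender:
        shown = ADDR_RE.search(sender.display_name)
        if shown and registered_domain(shown.group(1)) != registered_domain(sender.domain):
            findings.append(("sender-mismatch",
                             f"display name shows {shown.group(1)}, real sender domain is {sender.domain}"))

    # 2. Link text that names one site while the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        collector.close()
        for href, text in collector.links:
            text = text.strip()
            if not URLISH_RE.match(text):
                continue  # "click here" style text: nothing to compare against
            shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
            real_host = urlparse(href).hostname or ""
            if registered_domain(shown_host) != registered_domain(real_host):
                findings.append(("link-mismatch", f"text says {shown_host}, link goes to {real_host}"))

    # 3. The receiving MTA's own verdict on the From domain. Only trustworthy
    #    if your own MTA adds this header and strips inbound copies of it.
    auth = str(msg.get("Authentication-Results", ""))
    if re.search(r"\bdmarc=fail\b", auth):
        findings.append(("dmarc-fail", auth.strip()))
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, analyze(sample))
```

The third check is the important one: the first two are heuristics a careful user can apply by hand, while the DMARC result is the receiving server's cryptographic verdict on whether the visible From domain authorised the message, which no amount of mousing over can establish.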

What is Spear-Phishing?

Figure: example of a spear-phishing email

While phishing attacks target anyone who might click, spear-phishing attacks try to fool people who work at particular businesses or in particular industries in order to gain access to the real target: the business itself.

Spear-phishing attacks are at least as personalized as a typical corporate marketing campaign. For example, a spear-phishing attack may initially target mid-level managers who work at financial companies in a specific geographical region and whose job title includes the word “finance.”

A great deal of research may occur before a spear-phishing attack is launched, but the effort is worthwhile to an attacker because the payoff could be significant. That payoff isn’t necessarily monetary — spear-phishing attacks are frequently sponsored by nation-states.

To execute a spear-phishing attack, attackers may combine email spoofing or lookalike sender domains, freshly registered or rotating URLs that are not yet on blocklists, and drive-by downloads to bypass security controls. Advanced spear-phishing attacks may exploit zero-day vulnerabilities in browsers, applications or plug-ins. The spear-phishing email is often only the initial-access stage of a multi-stage advanced persistent threat (APT) intrusion, followed in later stages by payload downloads, outbound command-and-control traffic and data exfiltration.

Expert Tip

One example of bait is an email that looks like a message from Human Resources asking the employee to log in to the HR portal to update password information. When the employee clicks the link in the email, the resulting webpage looks like the HR portal but is actually a mock-up. When the employee attempts to log in to the fake page, their login credentials are captured by the criminals behind the attack, who then use them to access the network. Note that a fake page can relay a one-time code to the real portal in real time as well, so only phishing-resistant MFA (FIDO2/WebAuthn keys or passkeys bound to the real origin) reliably defeats this; a code-based second factor slows the attacker down but does not stop a live relay.

What is Whaling?

Whaling attacks target one person, typically a highly placed executive, in order to steal money or gain sensitive information. Attackers go to great lengths to learn about the executive, such as mining their social media or using a spear-phishing attack to gain enough access to the network to "eavesdrop" on the executive's email communications.

Whaling is often the opening move of a business email compromise (BEC) attack, in which the ultimate goal is wire fraud. In these attacks, an executive or finance employee with payment approval authority receives an email that appears to come from a C-level executive, sent from a spoofed or lookalike address or from the executive's genuinely compromised mailbox, asking them to urgently transfer a large sum to cover a vendor payment or similar obligation. The email carries a sense of urgency, such as, "I'm at the airport heading out for vacation, can you rush this?" And because the attacker has been reading the executive's mail, the supposed sender may indeed have just left for vacation, so the message seems entirely plausible to the targeted employee.
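The impersonation tells in this BEC scenario, as an added example that is not part of the original article: a Python rule that checks an inbound message against a constructed executive directory and company domain, flagging a known executive's name on a mailbox outside the company domain, a sender domain that merely looks like the company's (a homoglyph or typosquat, the same trick a fake HR-portal link from the Expert Tip above would use, where is_lookalike would be run on the link's host instead), a Reply-To that quietly redirects replies elsewhere, and the urgency language the article describes. COMPANY_DOMAIN, EXECUTIVES and both messages are constructed placeholders.

```python
import email
import email.policy
import re

# Assumed victim organisation and executive directory (constructed, not real).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"Dana Rivera": "dana.rivera@example.com"}

# Pressure phrases typical of a wire-fraud lure; a weak signal on its own.
URGENCY_RE = re.compile(r"\b(urgent|asap|wire|transfer|confidential|end of day)\b", re.I)

# Character sequences that render alike in common fonts, used to catch homoglyph domains.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

# Constructed BEC lure modelled on the article's "airport" pretext.
SAMPLE_BEC = """\
From: "Dana Rivera" <dana.rivera@exarnple.com>
Reply-To: "Dana Rivera" <dana.rivera.exec@example.net>
To: pat.chen@example.com
Subject: Urgent: vendor wire transfer

Pat, I'm at the airport heading out for vacation, can you rush this?
A vendor payment of 48,500 USD has to go out before end of day.
Confirm and I'll send the account details from my phone.
"""

# Constructed legitimate message from the real executive, for comparison.
SAMPLE_LEGIT = """\
From: "Dana Rivera" <dana.rivera@example.com>
To: pat.chen@example.com
Subject: Board deck

Slides for Thursday are on the shared drive.
"""


def normalize(label: str) -> str:
    """Collapse confusable sequences so exarnple.com compares equal to example.com."""
    for seq, repl in CONFUSABLES.items():
        label = label.replace(seq, repl)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for catching one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str) -> bool:
    """True if `domain` imitates `legit` without being it. Short or generic
    brand names will produce false positives; tune the thresholds per org."""
    domain, legit = domain.lower(), legit.lower()
    if domain == legit:
        return False
    if normalize(domain) == normalize(legit):
        return True                                   # homoglyph swap
    if edit_distance(domain, legit) <= 2:
        return True                                   # typosquat
    brand = legit.split(".")[0]                       # "example"
    return brand in re.split(r"[^a-z0-9]+", domain)   # brand reused as a label, e.g. example.com.evil.net


def _first_address(header):
    return header.addresses[0] if header is not None and header.addresses else None


def analyze_bec(raw: str) -> list[tuple[str, str]]:
    """Return (finding-code, detail) pairs for executive-impersonation tells."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    sender = _first_address(msg["From"])
    display = sender.display_name if sender else ""
    from_domain = sender.domain.lower() if sender else ""

    # 1. A known executive's name on a mailbox outside the company domain.
    impersonated = next((n for n in EXECUTIVES if n.lower() in display.lower()), None)
    if impersonated and from_domain != COMPANY_DOMAIN:
        findings.append(("exec-impersonation",
                         f"'{display}' is {EXECUTIVES[impersonated]} but this came from {from_domain}"))

    # 2. Sender domain registered to look like ours.
    if from_domain and is_lookalike(from_domain, COMPANY_DOMAIN):
        findings.append(("lookalike-domain", from_domain))

    # 3. Replies silently redirected to a different domain.
    reply_to = _first_address(msg["Reply-To"])
    if reply_to and reply_to.domain.lower() != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_to.addr_spec}"))

    # 4. Pressure language in subject or body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg["Subject"] or "") + " " + (body.get_content() if body else "")
    hits = sorted({m.group(0).lower() for m in URGENCY_RE.finditer(text)})
    if hits:
        findings.append(("urgency-language", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for name, sample in (("bec", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(name, analyze_bec(sample))
```

None of these rules catches an exact spoof of dana.rivera@example.com itself; that case is closed by publishing a DMARC policy of reject for the company domain with SPF and DKIM aligned, and by an out-of-band payment verification step that no email, however plausible, can bypass.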

Learn More

BEC scams are a billion-dollar enterprise, and the amounts lost in a single transaction can be in the millions. One investment fund recently lost $10 million to a BEC scam that granted attackers access to its network, and U.S. firms overall lost $1.3 billion in 2018.