Phishing, Spear Phishing, and Whaling

Don’t Let Them Hijack Your Accounts

Workplace and personal email have become the most common attack surfaces for opportunistic and targeted phishing scams. The impacts of phishing are many and may include identity theft, intellectual property theft, reputational damage, business shutdowns, monetary loss, loss of trust, or the installation of malware that compromises devices and data, such as ransomware or spyware. According to the 2023 Verizon Data Breach Investigation Report (DBIR), the average cost of a data breach in organizations with 10 – 20,000 employees is 5.56 million dollars, and phishing was named one of the two most common causes of the breaches (the other was compromised credentials).

Phishing scams use social engineering to trick victims into taking actions that are not in their best interest. There are different types of phishing, and phishing may be categorized using terms such as mass-distributed phishing, spear phishing, or whaling. The different categories refer to the distinguishing features and varying methods employed by scammers, but they all have similar goals and are broadly known as phishing attacks.

An added complexity to detecting and avoiding phishing is Artificial Intelligence (AI), which allows scammers to easily create more credible scams and construct phishing messages in different languages, and with fewer errors. These messages often sound and look like they come from known and trusted sources. Malicious messages and websites may be a mixture of social engineering and AI, which may be obvious (voiceless, predictable, detached), or more difficult to detect. The use of AI stresses the importance of legitimacy verification means, other than the internet.

Remember that there are low risks associated with opening email messages; however, actions that may prove problematic happen after opening malicious messages, such as opening attachments, enabling macros, scanning QR codes, clicking embedded links, downloading, or replying to the sender.


Mass-distributed phishing messages are opportunistic attacks that are often delivered via compromised email accounts or mail servers. Although phishing most commonly occurs over email, it may also occur via SMS text messages, downloads, web pop-ups, malicious websites, phone calls, and social media. The goals of phishing messages are to:

What is the Definition of Phishing?

Phishing is a type of cyber attack that uses social engineering tactics to deceive individuals into revealing sensitive information, such as usernames, passwords, and credit card details. These attacks are typically carried out through email, but they can also occur via text messages, phone calls, and social media. The goal is to trick the victim into taking actions that compromise their personal information or install malicious software on their devices.

What is Phishing and an Example?

Phishing involves the fraudulent attempt to obtain sensitive information by disguising oneself as a trustworthy entity in electronic communications. A common example of phishing is an email that appears to be from a reputable company, such as a bank or a popular online service, asking the recipient to click on a link to update their account information. The link leads to a fake website that looks identical to the legitimate one, where the victim is prompted to enter their credentials. Once submitted, these credentials are captured by the attacker.

Don’t let your business be an easy target!

IT Support with Levelup MSP is a no brainer. Partner with Levelup, where cutting-edge solutions meet deep expertise in cyber defense. Our tailored strategies are designed to fortify your systems and educate your team, ensuring you stay ahead of even the most sophisticated threats.

What are the Four Types of Phishing?

Phishing attacks can be categorized into several types based on their methods and targets. The four main types are:

1. Email Phishing

Email phishing is the most common form of phishing. Attackers send mass-distributed emails that appear to come from reputable sources. These emails often contain urgent messages designed to prompt recipients to click on malicious links or download harmful attachments.

2. Spear Phishing

Spear phishing is a targeted form of phishing where attackers customize their messages based on information they have gathered about their victims. These attacks are more personalized and often appear to come from a known and trusted source, making them harder to detect.

3. Whaling

Whaling is a type of spear phishing that targets high-profile individuals within an organization, such as executives or senior managers. The aim is to steal sensitive information or trick the target into authorizing large financial transactions. Whaling emails are highly customized and sophisticated.

4. Smishing and Vishing

  • Smishing (SMS Phishing): Smishing involves sending fraudulent text messages that appear to come from reputable sources. These messages often contain links to malicious websites or prompt the recipient to provide sensitive information via text.
  • Vishing (Voice Phishing): Vishing involves phone calls from attackers pretending to be from reputable organizations. The goal is to trick victims into revealing personal information over the phone.

What is Considered a Phishing Attack?

A phishing attack is considered to occur when an attacker uses deceptive tactics to trick an individual into performing actions that compromise their personal information or security. These actions may include:

  • Clicking on a malicious link that leads to a fraudulent website designed to steal login credentials.
  • Downloading and opening a malicious attachment that installs malware on the victim’s device.
  • Providing sensitive information, such as usernames, passwords, or credit card numbers, in response to a fraudulent email, text message, or phone call.
  • Entering login credentials on a spoofed login page that mimics a legitimate website.

Phishing attacks often rely on creating a sense of urgency, fear, or curiosity to prompt victims to act quickly without thinking critically about the legitimacy of the request.

Trick You into Revealing Sensitive or Confidential Information

An example is an embedded link in a message that takes you to a spoofed login prompt from which an attacker can steal your login credentials or a login prompt that directs you to a malicious website.

Install Malware

This may occur when attachments are opened, social media updates are clicked, macros are enabled, QR codes are scanned, embedded links are clicked, or software or documents are downloaded. Spyware, ransomware, and other forms of malware can be installed this way, compromising your device and data.

Spear Phishing

Spear phishing attacks are targeted or “customized” phishing attacks. They tend to target someone they’ve identified with something that they know or suspect to be of relevance or interest. The target may be you, your employer, someone that you know, or a group of people. Spear phishers use the internet—most commonly social media and public websites—to study and harvest information on their target. These messages may address you personally, use a familiar greeting, or appear to come from a colleague, acquaintance, friend, or a higher-up in your organization.

What is the Main Difference Between Phishing and Spear Phishing?

The primary difference between phishing and spear phishing lies in the targeting and personalization of the attacks. Phishing is a broad, often indiscriminate attempt to trick as many people as possible into revealing sensitive information or installing malware. Attackers send out large volumes of generic messages, hoping to catch a few unsuspecting victims.

Spear phishing, on the other hand, is a highly targeted and personalized form of phishing. Attackers focus on a specific individual or organization, tailoring their messages to appear more convincing by using information gathered about the target. This could include the victim’s name, job title, and other personal details obtained through social media, public websites, or previous interactions.

What are Real Spear Phishing Examples?

Example 1: CEO Fraud

An employee receives an email that appears to come from the company’s CEO, requesting urgent assistance with a financial transaction. This email creates a sense of urgency and uses the authority of the CEO to pressure the employee into complying without question.

Example 2: Vendor Compromise

A finance department employee receives an email that appears to be from a trusted vendor, asking to update payment details due to a change in banking information. By impersonating a known vendor, the attacker attempts to redirect future payments to their own account.

What is the Difference Between Spear Phishing and Spoofing?

Spear phishing and spoofing are related but distinct tactics used in cyber attacks:

Spear Phishing: This involves crafting highly targeted and personalized messages aimed at a specific individual or organization. The attacker gathers detailed information about the target to make the message appear legitimate and convincing.

Spoofing: Spoofing involves forging the sender’s address or other parts of the message to make it appear as though it is coming from a trusted source. This can be part of a spear phishing attack, but spoofing itself can also be used in other types of attacks, such as spam or broad phishing attempts.

In essence, spear phishing often uses spoofing techniques to deceive the target, but it goes further by adding a level of personalization and targeting that spoofing alone does not achieve.

Is Spear Phishing Worse Than Phishing?

Spear phishing is generally considered more dangerous than generic phishing due to several factors:

Higher Success Rate: Because spear phishing attacks are highly personalized and tailored to the victim, they are more convincing and have a higher success rate compared to generic phishing attacks.

Greater Impact: Spear phishing often targets specific individuals with access to valuable information or resources, such as executives, financial officers, or IT administrators. This means that a successful attack can have a significant impact on the organization, leading to financial loss, data breaches, or reputational damage.

Complexity and Sophistication: Spear phishing attacks are more sophisticated and can involve multiple stages and techniques, such as social engineering, reconnaissance, and spoofing. This complexity makes them harder to detect and defend against.

Targeted Nature: The targeted nature of spear phishing means that even highly security-aware individuals can be tricked, as the attacker may exploit specific knowledge about the victim’s habits, relationships, or role within the organization.


Whaling is a type of phishing attack that may also be referred to as “Business Email Compromise” (BEC), or CEO fraud. Whales are high-value targets whose credentials or access to resources have the ability to compromise an organization. Whaling often involves messages that seemingly come from a VIP. These messages target employees and are requests which create a sense of urgency. 

What is Whaling vs Phishing?

Whaling is a specialized type of phishing attack that targets high-profile individuals within an organization, such as executives, CEOs, CFOs, and other senior management. While phishing is a broad, often indiscriminate attempt to deceive individuals into revealing sensitive information, whaling is highly targeted and aims at “big fish” or “whales” who have access to valuable company information and resources. The sophistication and personalization of whaling attacks make them more dangerous and potentially more damaging than standard phishing attacks.

What is a Whale Cyber Attack?

A whale cyber attack, or whaling attack, is a specific form of phishing aimed at high-ranking executives within an organization. These attacks typically involve meticulously crafted emails that appear to come from trusted sources or use high-level corporate language to deceive the target. The goals of a whale cyber attack often include:

  • Financial Fraud: Convincing the target to authorize large wire transfers or payments.
  • Data Theft: Gaining access to sensitive corporate data or intellectual property.
  • Credential Harvesting: Stealing login credentials to gain further access to the organization’s network.

Whaling attacks are characterized by their use of detailed information about the target’s role and the organization, making the fraudulent requests seem legitimate and urgent.

Who are the Main Targets in Whaling Phishing Attacks?

The main targets in whaling phishing attacks are high-level executives and senior managers within an organization. These individuals are chosen because they have access to critical resources and sensitive information that can be exploited by attackers. Common targets include:

  • Chief Executive Officers (CEOs)
  • Chief Financial Officers (CFOs)
  • Chief Operating Officers (COOs)
  • Chief Information Officers (CIOs)
  • Chief Technology Officers (CTOs)
  • Senior Vice Presidents
  • Directors of Finance or Accounting

By targeting these high-profile individuals, attackers aim to exploit their authority and access to execute fraudulent transactions or gain access to valuable information.

What was the Famous Whaling Attack?

One of the most famous whaling attacks occurred in 2016 and targeted FACC, an Austrian aerospace parts manufacturer. The company fell victim to a sophisticated whaling attack that resulted in the fraudulent transfer of approximately €50 million ($55 million USD).

Details of the Attack:

  • The attackers impersonated the CEO and sent an email to the CFO, requesting a significant transfer of funds for a fake acquisition project.
  • The email appeared legitimate, using the CEO’s name and corporate language, which led the CFO to comply with the request without further verification.
  • The funds were transferred to accounts controlled by the attackers, who then quickly disappeared.

The impact of this attack was devastating for FACC, leading to the dismissal of both the CEO and CFO and significant financial and reputational damage. This incident highlights the effectiveness and danger of whaling attacks, even against well-established companies with experienced executives.

Attacker Posing as a VIP

An attacker posing as a VIP may request a wire transfer, restricted employee data, or sensitive company data.

Compromised or Spoofed VIP Email Accounts

An attacker may use a compromised VIP email account or a spoofed VIP email address to send messages to employees. When attackers use a spoofed email address, the visible email address may look correct, but when you hover over it, the email address used to send the message may be different. Another tactic employed by scammers is to spoof an email by using an address similar to the sender’s address. For example, could be replaced with

Real-Life Whaling Attempts

Real-life whaling attempts show the intricate changes perpetrators try to make. They might use similar company names, familiar greetings, or even mimic the tone of an executive to create a sense of urgency and legitimacy.

Protecting Yourself from Phishing Threats

If you receive a message that appears to be from an entity such as your bank or even from someone that you know, and the message does not “sound” right, look familiar, or contains an urgent request, it is recommended that you confirm the legitimacy of the message by using a trusted phone number to contact the sender. Remember, phishers are counting on busy people who review their email quickly and click on embedded links and attachments or scan codes before evaluating a message fully.

Phishers are also counting on people who are eager to take advantage of an offer or fulfill the request of a colleague or VIP and may do so without fully evaluating the communication received. Security technologies, such as antivirus software help, but the best protection against phishing is your own judgment. Therefore, review all communications when you have the time to evaluate them fully, and prior to taking actions such as replying, opening attachments, enabling macros or clicking embedded links. For additional information, please see the notable trends, best practices, reminders, and resources below.

Notable Trends

QR Code Phishing

There has been an uptick in QR code phishing which can, among other things, lead to the exfiltration of data on your mobile devices when a QR code is scanned. Malicious QR codes are almost impossible to detect. Scammers can easily exploit legitimate QR codes displayed in public places by overlaying them with malicious codes. Once scanned, the QR code may or may not provide a link to click. Irrespective of whether you click a link, the simple scanning of a malicious QR code can trigger a variety of actions, such as the installation of malware, the adding of a contact, the composing of an email, the opening of a malicious website, or the exfiltration of data. For more information on how QR codes can be exploited, see the Download article Don’t Scan a Scam.

  • Complex Social Engineering Threats: Whaling threats manifesting as complex social engineering threats often involve multiple malicious actors in a series of communications. Don’t be fooled by “the noise”.
  • SMS Text Message Phishing: There has been an uptick in SMS text message phishing because the shortened links are harder to preview/evaluate in text messages.
  • Imposter Emails: Scammers may send emails from compromised accounts or spoof an email address to request immediate action, such as providing sensitive information or purchasing gift cards.

Best Practices

  • Secure Your Device: Secure your device with antivirus software, which will protect you by screening out known malware. 
  • Perform System Updates: Perform system updates on your devices as soon as updates become available. Updates address known vulnerabilities (called zero-day vulnerabilities) that attackers will exploit.
  • Create Strong Passwords: Create long, strong, and unique passwords of 14+ characters for all of your accounts. If your passwords are not all unique, a scammer could potentially do more harm as the password(s) possessed by scammers and all variations will be tried on a variety of sites.
  • Never Disclose or Reuse Your Passwords: Avoid disclosing or reusing your passwords to maintain the security of your accounts.
  • Bookmark Trusted URLs: With the growing prevalence of malicious sites, and their prominence in your search results, it’s a good idea to bookmark known and trusted URLs, and to visit most sites in this way.
  • Limit Information on Social Media: Limit the information you share on social media and review your privacy options regularly, as options change. Information that you share may be used to target you, your employer, or someone that you know.
  • Avoid Clicking Links in Text Messages: Do not click on links in text messages. They are often shortened and more difficult to preview. Instead, visit sites via your bookmarks or a trusted URL.
  • Be Wary of QR Codes Be cautious of QR codes, which if scanned and malicious, may put your personally identifiable information (PII) and data at risk. For more information, see the Download article Don’t Scan a Scam.
  • Avoid Opening Suspicious Attachments or Links: Don’t open attachments or click on links unless you’re expecting the message.
  • Preview Embedded Links: On a desktop or laptop computer, hovering over embedded links will show (on the bottom left of your screen) where that link will actually take you. On iOS devices, pressing and holding on the link (rather than just tapping it) will open a dialog that displays the full URL. If the destination differs from the text in the embedded link or the expected website, the embedded link may be spoofed.
  • Verify Email Senders: Previewing the email address of the sender will display the actual email address from which the message originated as well as the email address to which any reply will be directed. Be suspicious of an email address that is different from what is displayed, or is not the usual contact point for an entity or executive.
  • Confirm Legitimacy of Messages: When in doubt of the legitimacy of a message, do not reply to an email or click on embedded elements or attachments. Instead, confirm the legitimacy of the message by contacting the sender at a trusted phone number.
  • Beware of Fake Job Postings: For students, do not be tricked by scammers attempting to lure you with fake job postings.


  • Your IT support staff will never request your login credentials.
  • If you believe that your email account or credentials have been compromised, immediately reset your password.

Resources and Additional Information

For more information on protecting yourself from phishing, please refer to the following resources:

By staying informed and vigilant, you can protect yourself and your organization from the threats of phishing, spear phishing, and whaling.