Phishing, Spear Phishing, and Whaling

Don’t Let Them Hijack Your Accounts

Workplace and personal email have become the most common attack surfaces for opportunistic and targeted phishing scams. The impacts of phishing are many and may include identity theft, intellectual property theft, reputational damage, business shutdowns, monetary loss, loss of trust, or the installation of malware that compromises devices and data, such as ransomware or spyware. According to the 2023 Verizon Data Breach Investigation Report (DBIR), the average cost of a data breach in organizations with 10 to 20,000 employees is 5.56 million dollars, and phishing was named one of the two most common ways attackers got in (the other was the use of stolen credentials, which phishing itself often supplies).

Phishing scams use social engineering to trick victims into taking actions that are not in their best interest. There are different types of phishing, and phishing may be categorized using terms such as mass-distributed phishing, spear phishing, or whaling. The different categories refer to the distinguishing features and varying methods employed by scammers, but they all have similar goals and are broadly known as phishing attacks.

An added complexity to detecting and avoiding phishing is Artificial Intelligence (AI), which allows scammers to produce more credible messages, in any language, with far fewer of the spelling and grammar errors that used to give phishing away. These messages often sound and look like they come from known and trusted sources. Malicious messages and websites may combine social engineering with AI-generated text or voice, and the result may be obviously synthetic (flat, generic, detached) or very hard to distinguish from a genuine communication. Because the message itself can no longer be trusted to look wrong, verification has to happen out of band: confirm the request with the sender through a channel you already know to be genuine, such as a phone number from your own records, rather than through anything contained in the message.

Remember that simply opening an email message in a modern mail client carries low risk; the damage comes from the actions taken after opening a malicious message, such as opening attachments, enabling macros, scanning QR codes, clicking embedded links, downloading files, or replying to the sender.

Phishing

Mass-distributed phishing messages are opportunistic attacks that are often delivered via compromised email accounts or mail servers. Although phishing most commonly occurs over email, it may also occur via SMS text messages, downloads, web pop-ups, malicious websites, phone calls, and social media. Phishing messages have two main goals, tricking you into revealing sensitive or confidential information and installing malware, and both are described below.

What is the Definition of Phishing?

Phishing is a type of cyber attack that uses social engineering tactics to deceive individuals into revealing sensitive information, such as usernames, passwords, and credit card details. These attacks are typically carried out through email, but they can also occur via text messages, phone calls, and social media. The goal is to trick the victim into taking actions that compromise their personal information or install malicious software on their devices.

What is Phishing and an Example?

Phishing involves the fraudulent attempt to obtain sensitive information by disguising oneself as a trustworthy entity in electronic communications. A common example of phishing is an email that appears to be from a reputable company, such as a bank or a popular online service, asking the recipient to click on a link to update their account information. The link leads to a fake website that looks identical to the legitimate one, where the victim is prompted to enter their credentials. Once submitted, these credentials are captured by the attacker.

Don’t let your business be an easy target!

IT Support with Levelup MSP is a no brainer. Partner with Levelup, where cutting-edge solutions meet deep expertise in cyber defense. Our tailored strategies are designed to fortify your systems and educate your team, ensuring you stay ahead of even the most sophisticated threats.

What are the Four Types of Phishing?

Phishing attacks can be categorized into several types based on their methods and targets. The four main types are:

1. Email Phishing

Email phishing is the most common form of phishing. Attackers send mass-distributed emails that appear to come from reputable sources. These emails often contain urgent messages designed to prompt recipients to click on malicious links or download harmful attachments.

2. Spear Phishing

Spear phishing is a targeted form of phishing where attackers customize their messages based on information they have gathered about their victims. These attacks are more personalized and often appear to come from a known and trusted source, making them harder to detect.

3. Whaling

Whaling is a type of spear phishing that targets high-profile individuals within an organization, such as executives or senior managers. The aim is to steal sensitive information or trick the target into authorizing large financial transactions. Whaling emails are highly customized and sophisticated.

4. Smishing and Vishing

  • Smishing (SMS Phishing): Smishing involves sending fraudulent text messages that appear to come from reputable sources. These messages often contain links to malicious websites or prompt the recipient to provide sensitive information via text.
  • Vishing (Voice Phishing): Vishing involves phone calls from attackers pretending to be from reputable organizations. The goal is to trick victims into revealing personal information over the phone.

What is Considered a Phishing Attack?

A phishing attack is considered to occur when an attacker uses deceptive tactics to trick an individual into performing actions that compromise their personal information or security. These actions may include:

  • Clicking on a malicious link that leads to a fraudulent website designed to steal login credentials.
  • Downloading and opening a malicious attachment that installs malware on the victim’s device.
  • Providing sensitive information, such as usernames, passwords, or credit card numbers, in response to a fraudulent email, text message, or phone call.
  • Entering login credentials on a spoofed login page that mimics a legitimate website.

Phishing attacks often rely on creating a sense of urgency, fear, or curiosity to prompt victims to act quickly without thinking critically about the legitimacy of the request.

Trick You into Revealing Sensitive or Confidential Information

An example is an embedded link in a message that takes you to a spoofed login page, from which an attacker captures the credentials you type. The page may be a pixel-perfect copy of the real one, hosted on a lookalike domain, and may even forward you to the genuine site after stealing your password so that nothing appears to have gone wrong.

Install Malware

This may occur when attachments are opened, social media updates are clicked, macros are enabled, QR codes are scanned, embedded links are clicked, or software or documents are downloaded. Spyware, ransomware, and other forms of malware can be installed this way, compromising your device and data.

Spear Phishing

Spear phishing attacks are targeted or “customized” phishing attacks. The attacker has picked a specific target and built the message around something known or suspected to be relevant or interesting to that target. The target may be you, your employer, someone that you know, or a group of people. Spear phishers use the internet, most commonly social media and public websites, to study and harvest information on their target. These messages may address you personally, use a familiar greeting, or appear to come from a colleague, acquaintance, friend, or a higher-up in your organization.

What is the Main Difference Between Phishing and Spear Phishing?

The primary difference between phishing and spear phishing lies in the targeting and personalization of the attacks. Phishing is a broad, often indiscriminate attempt to trick as many people as possible into revealing sensitive information or installing malware. Attackers send out large volumes of generic messages, hoping to catch a few unsuspecting victims.

Spear phishing, on the other hand, is a highly targeted and personalized form of phishing. Attackers focus on a specific individual or organization, tailoring their messages to appear more convincing by using information gathered about the target. This could include the victim’s name, job title, and other personal details obtained through social media, public websites, or previous interactions.

What are Real Spear Phishing Examples?

Example 1: CEO Fraud

An employee receives an email that appears to come from the company’s CEO, requesting urgent assistance with a financial transaction. This email creates a sense of urgency and uses the authority of the CEO to pressure the employee into complying without question.

Example 2: Vendor Compromise

A finance department employee receives an email that appears to be from a trusted vendor, asking to update payment details due to a change in banking information. By impersonating a known vendor, the attacker attempts to redirect future payments to their own account.

What is the Difference Between Spear Phishing and Spoofing?

Spear phishing and spoofing are related but distinct tactics used in cyber attacks:

Spear Phishing: This involves crafting highly targeted and personalized messages aimed at a specific individual or organization. The attacker gathers detailed information about the target to make the message appear legitimate and convincing.

Spoofing: Spoofing involves forging the sender’s address or other parts of the message to make it appear as though it is coming from a trusted source. This can be part of a spear phishing attack, but spoofing itself can also be used in other types of attacks, such as spam or broad phishing attempts.

In essence, spear phishing often uses spoofing techniques to deceive the target, but it goes further by adding a level of personalization and targeting that spoofing alone does not achieve.

Is Spear Phishing Worse Than Phishing?

Spear phishing is generally considered more dangerous than generic phishing due to several factors:

Higher Success Rate: Because spear phishing attacks are highly personalized and tailored to the victim, they are more convincing and have a higher success rate compared to generic phishing attacks.

Greater Impact: Spear phishing often targets specific individuals with access to valuable information or resources, such as executives, financial officers, or IT administrators. This means that a successful attack can have a significant impact on the organization, leading to financial loss, data breaches, or reputational damage.

Complexity and Sophistication: Spear phishing attacks are more sophisticated and can involve multiple stages and techniques, such as social engineering, reconnaissance, and spoofing. This complexity makes them harder to detect and defend against.

Targeted Nature: The targeted nature of spear phishing means that even highly security-aware individuals can be tricked, as the attacker may exploit specific knowledge about the victim’s habits, relationships, or role within the organization.

Whaling

Whaling is a type of phishing attack aimed at “whales”: high-value targets whose credentials or access to resources have the ability to compromise an organization. The term is often used interchangeably with “Business Email Compromise” (BEC) and CEO fraud, although strictly those describe the related attack in which the VIP is impersonated rather than targeted: the attacker sends messages that seemingly come from a VIP to employees, making urgent requests that exploit the VIP’s authority. In practice both forms are discussed together, and both are covered here.

What is Whaling vs Phishing?

Whaling is a specialized type of phishing attack that targets high-profile individuals within an organization, such as executives, CEOs, CFOs, and other senior management. While phishing is a broad, often indiscriminate attempt to deceive individuals into revealing sensitive information, whaling is highly targeted and aims at “big fish” or “whales” who have access to valuable company information and resources. The sophistication and personalization of whaling attacks make them more dangerous and potentially more damaging than standard phishing attacks.

What is a Whale Cyber Attack?

A whale cyber attack, or whaling attack, is a specific form of phishing aimed at high-ranking executives within an organization. These attacks typically involve meticulously crafted emails that appear to come from trusted sources or use high-level corporate language to deceive the target. The goals of a whale cyber attack often include:

  • Financial Fraud: Convincing the target to authorize large wire transfers or payments.
  • Data Theft: Gaining access to sensitive corporate data or intellectual property.
  • Credential Harvesting: Stealing login credentials to gain further access to the organization’s network.

Whaling attacks are characterized by their use of detailed information about the target’s role and the organization, making the fraudulent requests seem legitimate and urgent.

Who are the Main Targets in Whaling Phishing Attacks?

The main targets in whaling phishing attacks are high-level executives and senior managers within an organization. These individuals are chosen because they have access to critical resources and sensitive information that can be exploited by attackers. Common targets include:

  • Chief Executive Officers (CEOs)
  • Chief Financial Officers (CFOs)
  • Chief Operating Officers (COOs)
  • Chief Information Officers (CIOs)
  • Chief Technology Officers (CTOs)
  • Senior Vice Presidents
  • Directors of Finance or Accounting

By targeting these high-profile individuals, attackers aim to exploit their authority and access to execute fraudulent transactions or gain access to valuable information.

What was the Famous Whaling Attack?

One of the most famous whaling attacks occurred in 2016 and targeted FACC, an Austrian aerospace parts manufacturer. The company fell victim to a sophisticated whaling attack that resulted in the fraudulent transfer of approximately €50 million ($55 million USD).

Details of the Attack:

  • The attackers impersonated the CEO and sent an email to the CFO, requesting a significant transfer of funds for a fake acquisition project.
  • The email appeared legitimate, using the CEO’s name and corporate language, which led the CFO to comply with the request without further verification.
  • The funds were transferred to accounts controlled by the attackers, who then quickly disappeared.

The impact of this attack was devastating for FACC, leading to the dismissal of both the CEO and CFO and significant financial and reputational damage. This incident highlights the effectiveness and danger of whaling attacks, even against well-established companies with experienced executives.

Attacker Posing as a VIP

An attacker posing as a VIP may request a wire transfer, restricted employee data, or sensitive company data.

Compromised or Spoofed VIP Email Accounts

An attacker may use a compromised VIP email account or a spoofed VIP email address to send messages to employees. A compromised account is the harder case, because the message genuinely comes from the VIP’s mailbox and will pass every technical check; only the content and an out-of-band confirmation can expose it. With a spoofed address, the visible sender name may look correct (for example, the CEO’s name, or even the CEO’s address typed into the display name), but when you hover over or expand the sender, the address the message was actually sent from is different. Another tactic employed by scammers is to register an address similar to the sender’s address. For example, acme-healthfoods.com could be replaced with acme-healthf00ds.com (zeros in place of the letters o). Note that an attacker can also forge the From address outright; hovering will not reveal that, which is why mail systems check SPF, DKIM and DMARC and record the result in the message headers.
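The following is an added example, not code from the original article, showing how the sender tricks described above can be checked mechanically from a raw message: a display name that carries a different address than the real From header, a Reply-To pointing somewhere else, a lookalike of a trusted domain (the acme-healthf00ds.com case), and failed SPF, DKIM or DMARC results stamped by the receiving mail server. The trusted-domain list and the sample message are constructed for illustration; the same checks apply to the “Verify Email Senders” practice further down the page.

```python
"""
Added example (not from the original article): flag sender-spoofing tricks in a
raw email message. TRUSTED_DOMAINS and SAMPLE are constructed for illustration.
"""
import email
import re
from email.utils import parseaddr
from typing import Optional

# Assumed: domains the organisation treats as genuine senders.
TRUSTED_DOMAINS = {"acme-healthfoods.com"}

# Digit-for-letter substitutions commonly used to build lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize_domain(domain: str) -> str:
    """Fold visual substitutions so 'acme-healthf00ds.com' compares equal to the real name."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is genuine or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize_domain(domain) == normalize_domain(trusted) or edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def analyze_message(raw: str) -> list:
    """Return a sorted list of finding codes; an empty list means nothing looked suspicious."""
    msg = email.message_from_string(raw)
    findings = set()

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Display name contains an address whose domain differs from the real From address.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != from_domain:
        findings.add("display-name-mismatch")

    # Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.add("reply-to-mismatch")

    # From address is a lookalike of a trusted domain.
    if lookalike_of(from_domain):
        findings.add("lookalike-domain")

    # Authentication-Results is added by the receiving server; a forged From header
    # usually shows up here as spf/dkim/dmarc results other than "pass".
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.add(f"{mech}-{m.group(1)}")

    return sorted(findings)


# Constructed sample: a vendor payment-change lure sent from a lookalike domain.
SAMPLE = """\
From: "Jane Doe <jane.doe@acme-healthfoods.com>" <jane.doe@acme-healthf00ds.com>
Reply-To: payments@acme-invoices.example
To: accounts@acme-healthfoods.com
Subject: Urgent: updated bank details for this week's payment run
Authentication-Results: mx.acme-healthfoods.com; spf=fail smtp.mailfrom=acme-healthf00ds.com; dkim=none; dmarc=fail header.from=acme-healthf00ds.com

Please update our account on file before today's payment run.
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE):
        print(finding)
```

Run against the constructed sample, the script reports all six findings. A clean message from the genuine domain with passing authentication results produces none, and a message from a compromised account will also produce none, which is exactly why the out-of-band phone call remains the final check.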

Real-Life Whaling Attempts

Real-life whaling attempts show the intricate changes perpetrators try to make. They might use similar company names, familiar greetings, or even mimic the tone of an executive to create a sense of urgency and legitimacy.

Protecting Yourself from Phishing Threats

If you receive a message that appears to be from an entity such as your bank or even from someone that you know, and the message does not “sound” right, look familiar, or contains an urgent request, it is recommended that you confirm the legitimacy of the message by using a trusted phone number to contact the sender. Remember, phishers are counting on busy people who review their email quickly and click on embedded links and attachments or scan codes before evaluating a message fully.

Phishers are also counting on people who are eager to take advantage of an offer or fulfill the request of a colleague or VIP and may do so without fully evaluating the communication received. Security technologies, such as antivirus software help, but the best protection against phishing is your own judgment. Therefore, review all communications when you have the time to evaluate them fully, and prior to taking actions such as replying, opening attachments, enabling macros or clicking embedded links. For additional information, please see the notable trends, best practices, reminders, and resources below.

Notable Trends

QR Code Phishing

There has been an uptick in QR code phishing (“quishing”). A QR code is just an encoded payload, most often a URL, and scanning it is equivalent to clicking a link you cannot read: the destination is invisible until the scanner decodes it, and the code itself passes straight through email filters that inspect links. Scammers can easily exploit legitimate QR codes displayed in public places by overlaying them with malicious codes, and a malicious code is indistinguishable from a genuine one by eye. Depending on the payload, scanning may open a website, pre-fill an email or text message, add a contact, or join a Wi-Fi network; most phones show a prompt before acting, but a convincing prompt is easy to tap through, and a malicious website reached this way can then harvest credentials or push a malicious app or profile that exposes the data on your device. For more information on how QR codes can be exploited, see the Download article Don’t Scan a Scam.

  • Complex Social Engineering Threats: Whaling threats manifesting as complex social engineering threats often involve multiple malicious actors in a series of communications, for example an email from the “CEO” followed by a call from an outside “lawyer” or “auditor” who confirms the request. Corroboration that arrives through the same untrusted channel is not corroboration; don’t be fooled by “the noise”.
  • SMS Text Message Phishing: There has been an uptick in SMS text message phishing because the shortened links are harder to preview/evaluate in text messages.
  • Imposter Emails: Scammers may send emails from compromised accounts or spoof an email address to request immediate action, such as providing sensitive information or purchasing gift cards.

Best Practices

  • Secure Your Device: Secure your device with antivirus software, which will protect you by screening out known malware. 
  • Perform System Updates: Perform system updates on your devices as soon as updates become available. Updates fix known vulnerabilities, and attackers start exploiting a vulnerability at scale as soon as a patch reveals it; the longer a device stays unpatched, the easier a target it becomes.
  • Create Strong Passwords: Create long, strong, and unique passwords of 14+ characters for all of your accounts, and turn on multi-factor authentication wherever it is offered. If your passwords are not all unique, a scammer who obtains one of them can do far more harm, because stolen passwords and common variations of them are automatically tried against a wide range of other sites.
  • Never Disclose or Reuse Your Passwords: Avoid disclosing or reusing your passwords to maintain the security of your accounts.
  • Bookmark Trusted URLs: With the growing prevalence of malicious sites, and their prominence in your search results, it’s a good idea to bookmark known and trusted URLs, and to visit most sites in this way.
  • Limit Information on Social Media: Limit the information you share on social media and review your privacy options regularly, as options change. Information that you share may be used to target you, your employer, or someone that you know.
  • Avoid Clicking Links in Text Messages: Do not click on links in text messages. They are often shortened and more difficult to preview. Instead, visit sites via your bookmarks or a trusted URL.
  • Be Wary of QR Codes: Be cautious of QR codes, which if scanned and malicious, may put your personally identifiable information (PII) and data at risk. For more information, see the Download article Don’t Scan a Scam.
  • Avoid Opening Suspicious Attachments or Links: Don’t open attachments or click on links unless you’re expecting the message.
  • Preview Embedded Links: On a desktop or laptop computer, hovering over an embedded link will show (usually in the status bar at the bottom of the window) where that link will actually take you. On iOS devices, pressing and holding on the link (rather than just tapping it) will open a dialog that displays the full URL. If the destination differs from the text in the embedded link or the expected website, the link is suspect. Also be wary of links whose address contains a familiar company name but in the wrong place, such as acme-healthfoods.com.example.net or https://acme-healthfoods.com@example.net, and of shortened links, which hide the destination entirely.
  • Verify Email Senders: Previewing the sender of an email will display the address the message claims to come from (the From address), which may differ from the name shown, as well as the address to which any reply will be directed (the Reply-To address). Be suspicious of an address that is different from what is displayed, that differs from the reply address, or that is not the usual contact point for an entity or executive. Remember that the From address itself can be forged; a message whose sender looks right can still be fake.
  • Confirm Legitimacy of Messages: When in doubt of the legitimacy of a message, do not reply to an email or click on embedded elements or attachments. Instead, confirm the legitimacy of the message by contacting the sender at a trusted phone number.
  • Beware of Fake Job Postings: For students, do not be tricked by scammers attempting to lure you with fake job postings.
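The following is an added example, not code from the original article, that performs the “Preview Embedded Links” check above over an HTML email body: it collects every link together with the text the reader sees, and flags the tricks a hovering reader is looking for (visible text pointing to one site while the link goes to another, a trusted name buried inside somebody else’s domain, a username before an @ in the URL, a bare IP address, a punycode host, or a link shortener). The trusted domain, the shortener list and the sample HTML are constructed for illustration.

```python
"""
Added example (not from the original article): inspect the links in an HTML email
body the way a careful reader does when hovering over them. TRUSTED_DOMAIN,
SHORTENERS and SAMPLE_HTML are constructed for illustration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "acme-healthfoods.com"          # assumed genuine site
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # assumed list; shorteners hide the destination


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_link(href: str, text: str) -> list:
    """Return the finding codes for one link; an empty list means it looked consistent."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    # 'https://acme-healthfoods.com@evil.example/': the part before '@' is a username, not the site.
    if parts.username:
        findings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode-host")
    if host in SHORTENERS:
        findings.append("shortened-link")
    # Trusted name used as a subdomain or prefix of somebody else's domain.
    if TRUSTED_DOMAIN in host and not belongs_to(host, TRUSTED_DOMAIN):
        findings.append("trusted-name-embedded")
    # Visible text shows a site name that is not where the href goes.
    shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.lower())
    if shown and shown.group(1) != host and not belongs_to(host, shown.group(1)):
        findings.append("text-href-mismatch")
    return findings


def check_links(html_text: str) -> list:
    """Return [(href, findings), ...] for every link in the body, in document order."""
    collector = LinkCollector()
    collector.feed(html_text)
    return [(href, check_link(href, text)) for href, text in collector.links]


# Constructed sample: a mailbox-quota lure with three bad links and one genuine one.
SAMPLE_HTML = """
<p>Your mailbox is almost full. Visit
<a href="https://acme-healthfoods.com.mail-quota.example/login">https://mail.acme-healthfoods.com/quota</a>
to keep receiving mail, or use the <a href="https://203.0.113.7/login">secure portal</a>.</p>
<p>Questions? <a href="https://acme-healthfoods.com@evil.example/">acme-healthfoods.com</a></p>
<p><a href="https://www.acme-healthfoods.com/help">Help Center</a></p>
"""

if __name__ == "__main__":
    for href, findings in check_links(SAMPLE_HTML):
        print(("SUSPECT " if findings else "ok      ") + href, *findings)
```

The first three links in the sample are each flagged for a different reason, while the genuine Help Center link produces no findings. The check deliberately does not follow links or resolve shorteners, so it runs safely offline; a shortened link is reported as suspect precisely because its destination cannot be previewed.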

Reminders

  • Your IT support staff will never request your login credentials.
  • If you believe that your email account or credentials have been compromised, immediately reset your password and notify your IT support staff, who can sign out other sessions and check for changes the attacker may have made, such as mail-forwarding rules.

Resources and Additional Information

For more information on protecting yourself from phishing, please refer to the following resources:

By staying informed and vigilant, you can protect yourself and your organization from the threats of phishing, spear phishing, and whaling.