Cyberattacks 101: Spear & Whale Phishing

Phishing, in its most basic form, is when an attacker sends emails that appear to come from a trusted source to trick the victim into giving up information, clicking on a dangerous link, or downloading malicious files. Phishing is a broad term and can take shape in many ways. Email is the primary vehicle for phishing attacks, but it can also include voice phishing, SMS phishing, or instant messaging phishing.

Along with general phishing attacks, hackers will also get more targeted with spear and whale phishing. Let’s take a deeper dive at how these types of attacks can impact you and your organization.

What is spear phishing?

Spear and whale phishing, sometimes referred to together as whaling, refer to more specific forms of phishing campaigns. It’s important to distinguish this type of attack is not necessarily the medium the phishing is taking place in (such as email), but rather how the attackers are carrying out the operation. Let’s start with spear phishing.

Spear phishing refers to cases where the attackers are targeting a specific person, or potentially a small group of people, instead of a wide variety of targets. In a spear phishing attack, the hackers aren’t sending out a mass e-mail blast to hundreds – or maybe thousands – of people. Instead, they’re doing research to try and figure out exactly what their targets are most likely to click on.

By doing this research, the hacker will then be able to create a targeted, individualized phishing campaign using more advanced phishing techniques. For example, if the hacker knows they want to target a specific person in the accounting department at XYZ company, they might create a personalized email spoof with content pertaining to the information they previously researched about the individual. (Caveat: Beware what you share on social media!) The hacker might also clone some legitimate websites they know accounting employees from a specific company use, often to lure their victims into having a false sense of security.

Spear phishing attacks take more time to carry out than regular phishing attacks, but they also tend to be more advanced and, as a result, more effective. Many of us are accustomed to basic phishing emails these days. The “Click here, you’ve won a prize!” emails are too obvious, and most people will automatically identify that as a phishing email.

Because we’ve become acclimated to these basic phishing emails, hackers turn to spear phishing. Those attempts are going to be more credible and less apt to make their victims question if it’s a legitimate email. The spear phishing attempt may not even signal any red flags at all.

What is whale phishing?

Whale phishing, unlike spear phishing, doesn’t necessarily refer to the technique the hacker uses to carry out the attack. Rather, it refers to the target of the attack. Whale phishing attacks are still going after specific individuals, but the focus is more about the targets themselves than the methods used to perpetrate the attack.

In keeping with the theme of phishing, these targets are typically big, high-value fish (like whales). Hence, whale phishing. In other words, hackers will target C-suite executives, other leaders of a company, or even people expected to have higher privileges, like system administrators. Since they are valuable targets, they are likely to have substantial access to the networks within their companies. If carried out successfully, a whale phishing attack will allow the attackers to cast a wider net and easily spread their malware across an entire network.

Another motivator for hackers to target high-level executives is because they are more likely to pay a ransom to conceal a breach to protect their personal reputation or the reputation of their organization. To illustrate this concept, the reputational harm that may be caused from a low-level employee accidentally opening a phishing email could be very different than the reputational harm of a CEO opening the same email. This puts extra pressure on organizations to pay the attackers to keep quiet about an attack, instead of publicizing it and getting the authorities involved.

Cyberthreat Hunting Guide | Protect Your Network

Take a proactive stance against cybercriminals and learn how to hunt potentially malicious network behavior in our complimentary white paper. Download our Cyberthreat Hunting Guide to discover how threat hunting can improve your security posture.

What can we do to stay safe against spear phishing and whale phishing attacks?

Fortunately, spear phishing and whale phishing overlap in many areas, which means our defenses can overlap as well. Some defense tips include:

• Do not open emails from strangers or untrusted sources.
• Only download attachments from safe and expected sources.
• Ask yourself “Am I expecting this email attachment?” and if the answer is no, don’t open it.
• Always hover over links with your cursor to see where they really lead. Today, this can be harder to decipher because lots of hackers will use URL shorteners to render where the link is leading to.
• If there is any doubt in your mind that the email is illegitimate, do not click any part of it.
• Finally, consider reaching out to the sender using another method of communication you do not think could be compromised – like a text or phone call – to verify the message.

Now that you are aware of what spear phishing (targeted, individualized phishing campaign) and whale phishing (high-value targets where the phishing campaign spreads malware across the entire network) attacks are, you will be better equipped to defend against them within your own organization.