Whale Phishing vs Spear Phishing

You know about phishing attacks, and you have probably taken steps to safeguard against these. But what about whale phishing? What about spear phishing? What do these specific types of phishing attacks mean for your business? Let’s take a look in more detail.

Understanding spear phishing

To understand what spear phishing is and how it affects your business, you first need to think about spear “fishers” — with the more traditional “f” spelling. What does spearfishing involve? Well, spearfishermen carry very precise, very incisive tools — spears — and they dive deep down into the ocean to hunt their prey. When they strike, they strike with precision, at small, specifically chosen targets.

Spear phishers do much the same thing, except they use only figurative — or perhaps digital — spears. In a spear phishing attack, specific members of an organization are singled out, which makes this sort of attack hard to guard against with generic, compliance-driven controls. The attacker identifies the team members who can enable access to financial data, sensitive intellectual property, client data, staff data, or any other highly valuable data commodity, and then they strike.

These are highly sophisticated attacks, and they are difficult to get right. This is why spear phishing is more commonly associated with shady, government-sponsored operations. Their prevalence demonstrates how important it is to have a solid security protocol in place, as well as data backup and disaster recovery solutions.

An example of a spear phishing attack:

In 2015, technology company Ubiquiti Networks lost $46.7m as a result of spear phishing communications that targeted key members of the team. The hackers used “employee impersonation and fraudulent requests from an outside entity” to gain access to the company’s finance department.

Understanding whale phishing, or whaling attacks

In the admittedly niche genre of “whaling literature”, who is the most famous whaling captain of them all? Most will answer “Captain Ahab”, the single-minded pilot of the Pequod whaling vessel in Herman Melville’s 1851 book, Moby Dick.

Captain Ahab’s quest gives us some insight into what a whaling attack — in the digital sense — looks like. Ahab pursued his enormous target for years, intent on snaring that beast and that beast alone. Modern whale phishers do the same thing, targeting the ultra-high-level figures in an organization and aiming to do as much damage as possible. As a result, they attack areas of the business that may not have undergone penetration testing.

This means going after senior managers, CEOs, other executives, or anyone who holds a great deal of power within a company. Once these individuals have been targeted, a successful whaling attack can yield serious gains for the attacker.

But why are such attacks so successful? After all, executives and upper management are bound by the same security protocols as the rest of the organization, and these are savvy businessmen and women who recognize a fraudulent message when they see one. The answer here is spoofing — the crafting of emails and websites that look so real that they are believed. Have you ever received an email claiming to be from your bank, but something looks off? This is the same technique, except more sophisticated and more believable. Managed IT security services can protect against this, but this approach also requires the vigilance of team members at all levels.

An example of whale phishing in action:

Snapchat is something of a big deal in social media circles, and therefore the company holds a great deal of sensitive user and employee information. This was compromised in 2016 when a high-ranking employee received an email, apparently from the CEO.

The “CEO” requested payroll information, which the high-ranking employee readily provided. A CEO has a right to access such information, after all. Except it wasn’t the CEO, it was a spoofed email, and a serious data breach occurred.
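The spoofing technique described above, and the spoofed “CEO” message in the Snapchat example, both leave traces in the headers of the message that a mail gateway or security team can check before a request for payroll or payment data reaches an inbox. The script below is an added example, not code from the original article or from any vendor mentioned in it. It assumes a hypothetical organization domain, example.com, and a hypothetical executive display name, and it runs over two constructed sample messages: it flags an executive's display name arriving from an outside domain, a sender domain that is a close lookalike of the real one, a Reply-To that steers replies elsewhere, and SPF/DKIM/DMARC failures recorded by the receiving server.

```python
import email
from email.utils import parseaddr

# Assumed values for the example (placeholders, not from the article).
ORG_DOMAIN = "example.com"
EXEC_DISPLAY_NAMES = {"Jane Doe"}  # hypothetical executive whose name is impersonated


def _domain(address):
    """Return the lowercase domain part of an email address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _edit_distance(a, b):
    """Classic Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain, org_domain=ORG_DOMAIN):
    """True when the domain is not ours but is within two edits of it (e.g. examp1e.com)."""
    if not domain or domain == org_domain:
        return False
    return _edit_distance(domain, org_domain) <= 2


def analyse_message(raw_message):
    """Return a list of spoofing indicators found in the message headers (empty if none)."""
    msg = email.message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)

    # An executive's name on a message that did not come from the organization's domain.
    if from_name in EXEC_DISPLAY_NAMES and from_domain != ORG_DOMAIN:
        findings.append("exec-name-external-sender")

    # Sender domain is a near-miss of the real one (typo-squat / homoglyph style).
    if is_lookalike_domain(from_domain):
        findings.append("lookalike-domain")

    # Replies would be routed to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    # Results stamped by the receiving mail server (RFC 8601 style header).
    auth = msg.get("Authentication-Results", "").lower()
    if any(token in auth for token in ("spf=fail", "dkim=fail", "dmarc=fail")):
        findings.append("auth-failure")

    return findings


# Constructed sample messages for the example (not real traffic).
SPOOFED_MESSAGE = (
    'From: "Jane Doe" <jane.doe@examp1e.com>\n'
    "Reply-To: ceo.office@mail-example.net\n"
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none\n"
    "Subject: Urgent: payroll data needed today\n"
    "\n"
    "Please send me the full payroll export for Q1 as soon as you can.\n"
)

LEGITIMATE_MESSAGE = (
    'From: "Jane Doe" <jane.doe@example.com>\n'
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass\n"
    "Subject: Board deck review\n"
    "\n"
    "Can you look over the attached deck before Thursday?\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, "->", analyse_message(raw) or ["no indicators"])
```

These checks are heuristics for a gateway rule or a triage script, not a substitute for enforcing DMARC on the organization's own domain; a message that trips even one of them is a good candidate for quarantining or for an out-of-band confirmation before any payroll or payment request is acted on.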

Both types of attack share similarities in their approaches but differ in key ways. It is up to you to make sure you and your team are aware of the threats and take the actions you need to take in order to stay secure.

Get in touch today to learn more.