Spear Phishing and Whaling
Spear-phishing attacks are phishing attacks customized to exploit one specific target. Typically, spear-phishing attacks are reserved for high-value targets. Even the savviest professional can fall victim to a spear-phishing attack.
Learning Objectives
You should be able to:
- Differentiate a spear-phishing attack from a regular phishing attack
- Craft a spear-phishing email
- Describe whaling
Phishing and Spear Phishing
Phishing is an attack that uses email to solicit information or action from a victim. Many phishing emails are generic and easy to detect. Below is a sample phishing email.
Dear Customer,
We have recently detected fraud on your account. Please
reply to this email with your username and password so
that we can refund all fraudulent transactions. If you
do not reply within 24 hours, your account will be
deleted and you will be responsible for reimbursing all
fraudulent transactions.
Sincerely,
The Security Department
eBay.com
The generic phishing email is addressed to a vague "Customer" instead of a named individual. The email does not include any relevant fraud details. These kinds of emails are sent out by the millions in hopes that a few people fall victim to the attack.
Spear phishing is a technique in which social engineers craft a phishing email specifically for one individual. A sample spear-phishing email might look like the following.
Hi Sally Jones!
I am the new Assistant to the Youth Soccer President.
Your daughter Jenny's soccer team had to have its
tournament schedule updated. The construction at Looper
Fields is causing a lot of havoc for everybody. Please
run the attached program to see the new schedule.
Thanks for your patience while we get everything ready
for the tournament!
Sincerely,
Doug Bonk
Assistant to the Youth Soccer President
In the email above, the social engineer used social media to learn the following:
- Sally has a daughter named Jenny
- Jenny plays on a youth soccer team
- There is an upcoming soccer tournament in which Jenny will play
- The tournament will take place at Looper Fields
- There is construction happening at Looper Fields
With that information, a social engineer can craft a convincing email. If Sally is a high-value target, social engineers will spend a lot of time learning about her so that they can craft attacks specifically for her.
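To make the contrast concrete from the defender's side, here is an added example (not part of the lesson) that runs a small indicator-based scorer over the two sample emails above. The message bodies are copied from the lesson; the indicator names, regular expressions, weights and the recipient name "Sally Jones" are assumptions made for this example. The point it demonstrates is that the generic email trips three content heuristics (vague salutation, urgency, credential request) while the personalized email trips none of them, and the only signal left is the request to run an attachment.

```python
import re

# Message bodies copied from the lesson text (the lesson gives bodies only, no headers).
GENERIC_PHISH = """Dear Customer,
We have recently detected fraud on your account. Please
reply to this email with your username and password so
that we can refund all fraudulent transactions. If you
do not reply within 24 hours, your account will be
deleted and you will be responsible for reimbursing all
fraudulent transactions.
Sincerely,
The Security Department
eBay.com"""

SPEAR_PHISH = """Hi Sally Jones!
I am the new Assistant to the Youth Soccer President.
Your daughter Jenny's soccer team had to have its
tournament schedule updated. The construction at Looper
Fields is causing a lot of havoc for everybody. Please
run the attached program to see the new schedule.
Thanks for your patience while we get everything ready
for the tournament!
Sincerely,
Doug Bonk
Assistant to the Youth Soccer President"""

# Indicator list (assumed for this example): (name, pattern, weight).
# Weights are illustrative; a real mail filter would tune them on labelled data.
INDICATORS = [
    # Salutation addressed to a role instead of a person.
    ("generic_salutation",
     re.compile(r"^\s*(dear|hello|hi)\s+(customer|user|member|client|account holder)\b",
                re.I | re.M), 2),
    # Time pressure or threat of account loss.
    ("urgency",
     re.compile(r"\bwithin\s+\d+\s+(hours?|days?)\b|\bimmediately\b"
                r"|\baccount will be\s+(deleted|suspended|closed)\b", re.I), 1),
    # Asking the reader to send authentication secrets.
    ("credential_request",
     re.compile(r"\b(username|password|passcode|credentials)\b", re.I), 3),
    # Asking the reader to execute or open something that arrived with the mail.
    # [^.]{0,60} lets the verb and "attached" sit on different lines of the same sentence.
    ("run_attachment",
     re.compile(r"\b(run|open|execute|install|enable)\b[^.]{0,60}\battach(ed|ment)\b", re.I), 3),
]

SUSPICIOUS_THRESHOLD = 3


def score_message(body: str) -> dict:
    """Return which indicators fired on the body, their summed weight, and a verdict."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(body)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"hits": hits, "score": score,
            "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "clean"}


def is_personalized(body: str, recipient_name: str) -> bool:
    """True when the first line (the salutation) names the recipient."""
    first_line = body.splitlines()[0] if body else ""
    return recipient_name.lower() in first_line.lower()


if __name__ == "__main__":
    for label, body in (("generic", GENERIC_PHISH), ("spear", SPEAR_PHISH)):
        result = score_message(body)
        print(f"{label:8s} personalized={is_personalized(body, 'Sally Jones')} "
              f"hits={result['hits']} score={result['score']} verdict={result['verdict']}")
```

Both messages land above the threshold, but for very different reasons. The generic message is caught by heuristics that attackers can easily drop once they know the recipient, which is exactly what the spear-phishing message does. The durable signals are the ones tied to what the message asks the reader to do (reply with a password, run an attachment), so detection and user training should focus on the requested action rather than on how personal the message feels.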
Whaling
Whaling is an extension of spear phishing. Whales are high-value targets. These could be company presidents, employees with access to sensitive information, wealthy individuals, or anybody else with access to something attackers want.
Whales face the most persistent and sophisticated attacks. While practices like using strong passwords, running anti-malware, and using multi-factor authentication are important for everybody, they are especially important for whales.
Reflection
- Why are spear-phishing emails so effective?
- How would you protect yourself against spear-phishing attacks?
Key Terms
- Spear Phishing: A targeted phishing attack aimed at a specific individual or organization. Unlike generic phishing attacks, spear phishing involves personalized messages that appear to come from a trusted source, making them more convincing. The goal is to trick the recipient into revealing sensitive information, such as login credentials or financial details, or to install malware.
- Whaling: A type of spear phishing attack that targets high-profile individuals within an organization, such as executives, CEOs, or other senior officials. Whaling attacks are highly customized and often involve detailed research to craft convincing messages that exploit the authority and access of the targeted individuals. The objective is usually to steal sensitive information, commit fraud, or gain access to critical systems.