Spear phishing and Whaling

Spear phishing

What Is Spear Phishing?

Spear phishing is a targeted form of phishing. According to the French Ministry of Economy: “this hacking method consists in impersonating someone you know to trap you” by getting you to open a malicious attachment or click on a fraudulent link (Ministère de l’Économie).
Unlike broad phishing campaigns, spear phishing “targets specific individuals within a company” (Ministère de l’Économie).

How It Works

Attackers research their target in detail so that the message looks legitimate. They gather information from public sources (social media, company websites, press releases) or from other intelligence (ANSPro, DNI).
They then send a highly personalized email, typically pretending to be a contact the target already trusts: a colleague, a supplier, or a service the target uses (Cisco).
As the UK’s NPSA (National Protective Security Authority) explains: “An adversary will use information sources … to build background knowledge of a target individual … The more information they have … the greater the chance the Spear Phishing email will be seen as a legitimate communication.” (ANSPro)

Goals and Effects

The attacker’s goal may be to convince the victim to:

  • Open a malicious link or attachment, which can install malware (ANSPro),
  • Disclose sensitive credentials or data, or
  • Execute some fraudulent transaction.

According to US counterintelligence guidance: “Spear phishing … often will include information known to be of interest to the target … to convince the user to open a malicious link or attachment.” (DNI)
These attacks exploit ordinary human traits: the inclination to help, deference to authority, and curiosity about news or financial topics (DNI).

Risks

Spear phishing is especially dangerous because it is convincing: a well-researched message has none of the obvious hallmarks of bulk spam, so it can pass standard filters and reach a recipient who has no reason to doubt it (ANSPro).
For the victim, the consequences include data theft and financial fraud; for the organization, a single compromised account can give the attacker a foothold from which to move further into the network (Ministère de l’Économie).

How to Protect Yourself

Based on the Ministry of Economy’s recommendations:


Whaling (CEO Fraud / Executive Phishing)

What Is Whaling?

Whaling is a specialized type of spear phishing. It specifically targets high-ranking individuals such as CEOs or CFOs (Kaspersky).
As Kaspersky describes it: attackers “masquerade as a senior player … to directly target senior or other important individuals … with the aim of stealing money or sensitive information.” (Kaspersky)
As TechTarget puts it: “the attacker’s goal is to manipulate the victim into authorizing high-value wire transfers to the attacker.” (TechTarget)

Techniques Used

Whaling attacks often use:

  • Email spoofing (making the message appear to come from a legitimate executive) (Kaspersky)
  • Social engineering, based on personal or company-specific details, to make the messages very believable (TechTarget)
    These emails, and sometimes accompanying spoofed websites, are highly personalized, often including the target’s name, job title, or other relevant information (TechTarget).
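The spoofing and personalization described above leave traces a mail gateway can score. The following is an added example (not code from the original page or from any of the cited sources) that checks an inbound message for the typical executive-impersonation indicators: a display name that matches a known executive but an address that does not, a lookalike sender domain, a Reply-To that points somewhere else, and financial urgency language. The company domain, the executive directory and both sample messages are constructed for illustration.

```python
"""Score inbound mail for executive-impersonation (whaling) indicators.

Added example, not code from the original page or the cited sources. The
company domain, executive directory and sample messages are constructed.
"""
import email
from email.message import Message
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed: the defended organization's domain
# Assumed executive directory: lower-cased display name -> legitimate address.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}
# Words that, in combination, suggest a pressured payment request.
FINANCE_TERMS = ("wire transfer", "urgent", "confidential", "invoice", "payment")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values between domains mean a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts (handles single-part and multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts
        if p.get_content_type() == "text/plain"
    )


def whaling_indicators(raw: str) -> list[str]:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = email.message_from_string(raw)
    findings: list[str] = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")

    if from_dom != COMPANY_DOMAIN and 0 < edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_dom}")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_dom}")

    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    hits = [t for t in FINANCE_TERMS if t in text]
    if len(hits) >= 2:
        findings.append("financial urgency language: " + ", ".join(hits))
    return findings


def is_suspicious(raw: str) -> bool:
    """Two or more independent indicators is the (assumed) quarantine threshold."""
    return len(whaling_indicators(raw)) >= 2


# Constructed sample: executive display name, lookalike domain, webmail Reply-To.
SUSPECT = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@gmail.com
To: cfo@example.com
Subject: Urgent wire transfer - confidential

I'm in a meeting and can't talk. Please process the attached invoice today.
"""

# Constructed sample: the same executive writing from her real address.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board deck

Attached is the updated deck for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, "->", whaling_indicators(raw) or "no indicators")
```

The checks are deliberately independent so that a single one (an executive legitimately mailing from a personal address, for instance) does not quarantine mail on its own; the threshold of two hits is an assumption to tune against your own traffic.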

Risks

Because the targets are high-profile, the stakes are very high:

Defenses

To protect against whaling:

  • Train senior executives on social engineering and phishing risks (TechTarget).
  • Put in place strong verification procedures for any financial request, e.g., require a phone call or in-person validation (TechTarget).
  • Use multi-person authorization, i.e., more than one person must validate important transactions (TechTarget).
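The last two defenses are easy to state and easy to skip under pressure, which is exactly what a whaling email counts on. As an added example (not code from the original page or from TechTarget), the following encodes them as a small payment-release policy: the person who received the request cannot approve it, approvals must come from distinct people, at least one approval must be confirmed over a channel the attacker cannot reach by email, and amounts at or above a threshold need two approvers. The channel names, threshold and people are assumptions.

```python
"""Dual control and out-of-band verification for payment requests.

Added example, not from the original page or TechTarget. The channels,
threshold and names below are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Assumed: channels that an emailed instruction cannot satisfy by itself.
OUT_OF_BAND = {"phone_callback", "in_person"}
# Assumed: amounts at or above this need two distinct approvers.
DUAL_CONTROL_THRESHOLD = 10_000


@dataclass
class PaymentRequest:
    requester: str          # the person who received the instruction and raised it
    amount: float
    beneficiary: str
    approvals: dict[str, str] = field(default_factory=dict)  # approver -> channel

    def approve(self, approver: str, channel: str) -> None:
        """Record an approval; rejects self-approval and double-approval."""
        if approver == self.requester:
            raise PermissionError("requester cannot approve their own request")
        if approver in self.approvals:
            raise PermissionError(f"{approver} has already approved")
        self.approvals[approver] = channel

    def required_approvers(self) -> int:
        return 2 if self.amount >= DUAL_CONTROL_THRESHOLD else 1

    def blockers(self) -> list[str]:
        """Why the payment cannot be released yet; empty means it can."""
        reasons = []
        if len(self.approvals) < self.required_approvers():
            reasons.append(
                f"{self.required_approvers()} approver(s) required, "
                f"{len(self.approvals)} recorded"
            )
        if not any(ch in OUT_OF_BAND for ch in self.approvals.values()):
            reasons.append("no approval confirmed over an out-of-band channel")
        return reasons

    def releasable(self) -> bool:
        return not self.blockers()


def demo() -> PaymentRequest:
    """Constructed scenario: an AP clerk forwards an 'urgent' CEO request."""
    req = PaymentRequest(requester="alice", amount=50_000, beneficiary="New Vendor Ltd")
    req.approve("bob", "email")            # bob replied to the same thread: not enough
    req.approve("carol", "phone_callback")  # carol called the CEO's known number
    return req


if __name__ == "__main__":
    r = demo()
    print("releasable:", r.releasable(), r.blockers())
```

The important property is that the callback has to be made to a number already on file, not to one supplied in the suspicious email; the code records the channel, but the procedure around it has to enforce where the number comes from.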

Conclusion

  • Spear phishing is a targeted, personalized phishing attack that exploits trust and research about a specific individual.
  • Whaling is a subset of spear phishing, where the target is a high-value executive.
  • Both rely on social engineering and reconnaissance, and both can be mitigated through training, strong internal processes, and technical defenses.