
Spear phishing / Whaling
1. Spear phishing
– What Is Spear Phishing?
Spear phishing is a targeted form of phishing. According to the French Ministry of Economy: “this hacking method consists in impersonating someone you know to trap you” by getting you to open a malicious attachment or click on a fraudulent link.
Unlike broad phishing campaigns, spear phishing “targets specific individuals within a company.”
– How It Works
Cyber attackers perform detailed research on their target so that their message seems legitimate — they gather information through public sources (e.g., social media, company websites) or other intelligence.
They then send a highly personalized email, often pretending to be a trusted contact.
As the UK’s NPSA (National Protective Security Authority) explains: “An adversary will use information sources … to build background knowledge of a target individual … The more information they have … the greater the chance the Spear Phishing email will be seen as a legitimate communication.”
– Goals and Effects
The attacker’s goal may be to convince the victim to:
– Open a malicious link or attachment (which can install malware),
– Disclose sensitive credentials or data, or
– Execute some fraudulent transaction.
According to US counterintelligence guidance: “Spear phishing … often will include information known to be of interest to the target … to convince the user to open a malicious link or attachment.”
These attacks exploit human traits — for example, the inclination to help, respond to authority, or curiosity about news or financial topics.
– Risks
Spear phishing is especially dangerous because it is so convincing: a message tailored to one person slips past many standard security defenses that are tuned to generic, mass-mailed phishing.
Victims risk data theft and financial fraud, and a single compromised account can give the attacker a broader foothold in the organization’s network.
– How to Protect Yourself
Based on the Ministry of Economy’s recommendations:
– Keep your system updated (to patch security vulnerabilities)
– Be suspicious of file attachments with risky extensions (.exe, .bat, .vbs…)
– Use a non-administrative user account for daily use
– Carefully check links before clicking; prefer typing URLs directly, and make sure they begin with "https" (bearing in mind that https only shows the connection is encrypted, not that the site is legitimate)
– Use antivirus software or a firewall
– Enable spam filters / anti-spam tools in your email client
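Two of the checks above, risky attachment extensions and links that are not https or whose visible text names a different host than the real target, can be automated at the mail gateway or in a triage script. The following is an added example written for this page, not code from the Ministry of Economy or any of the cited sources; the sample message, the domains in it and the extensions beyond .exe, .bat and .vbs are constructed assumptions.

```python
# Added example (not from the cited sources): triage an incoming message for
# risky attachment extensions and for links that are not https or whose
# visible text names a different host than the real target.
import os
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# .exe, .bat and .vbs come from the recommendations above; the others are
# assumed additions of the same kind (directly executable on Windows).
RISKY_EXTENSIONS = {".exe", ".bat", ".vbs", ".cmd", ".scr", ".js", ".ps1"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _hostname_in_text(text):
    """Return a hostname if the visible link text looks like a URL or domain, else None."""
    candidate = text.strip()
    if " " in candidate or "." not in candidate:
        return None
    return urlparse(candidate if "://" in candidate else "//" + candidate).hostname


def risky_attachments(msg):
    """Filenames of attachments whose extension is on the risky list."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            found.append(name)
    return found


def suspicious_links(html):
    """List of (href, reasons) for links that are not https or mislabel their host."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        target = urlparse(href)
        reasons = []
        if target.scheme != "https":
            reasons.append("not https")
        shown = _hostname_in_text(text)
        if shown and target.hostname and shown != target.hostname.lower():
            reasons.append(f"text shows {shown} but link points to {target.hostname}")
        if reasons:
            flagged.append((href, reasons))
    return flagged


def triage(msg):
    """Run both checks over an EmailMessage and return the findings."""
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part is not None else ""
    return {"risky_attachments": risky_attachments(msg),
            "suspicious_links": suspicious_links(html)}


def build_sample_message():
    """Constructed sample resembling a spear-phishing lure; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "Finance Team <finance@example-corp.com>"
    msg["To"] = "alice@example-corp.com"
    msg["Subject"] = "Updated invoice - please review today"
    msg.set_content("Hi Alice, please review the attached invoice.")
    msg.add_alternative(
        "<p>Hi Alice, please review the invoice at "
        '<a href="http://secure-login.example-corp-invoices.com/inv">'
        "https://portal.example-corp.com/invoices</a> and the attached statement.</p>",
        subtype="html",
    )
    # A double extension is a classic way to disguise an executable as a document.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice_2024.pdf.exe")
    return msg


if __name__ == "__main__":
    for key, value in triage(build_sample_message()).items():
        print(key, value)
```

The host comparison only fires when the visible text itself looks like a URL or domain; plain "Click here" text is left to the https check alone, which keeps false positives down on ordinary newsletters.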
2. Whaling (CEO Fraud / Executive Phishing)
– What Is Whaling?
Whaling is a specialized type of spear phishing. It specifically targets high-ranking individuals such as CEOs or CFOs.
As Kaspersky describes it: attackers “masquerade as a senior player … to directly target senior or other important individuals … with the aim of stealing money or sensitive information.”
As TechTarget puts it: “the attacker’s goal is to manipulate the victim into authorizing high-value wire transfers to the attacker.”
– Techniques Used
Whaling attacks often use:
– Email spoofing (making the message appear to come from a legitimate executive)
– Social engineering, based on personal or company-specific details, to make the messages very believable
These emails and even spoofed websites are highly personalized, often including the target’s name, job title, or other relevant information.
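Email spoofing of an executive usually leaves traces in the headers: a familiar display name over an unfamiliar address, a lookalike sender domain, a Reply-To that quietly redirects the conversation, and SPF/DKIM/DMARC results that did not pass at the receiving gateway. The following is an added example written for this page, not code from Kaspersky, TechTarget or any other cited source; the company domain, the executive roster and both sample messages are constructed assumptions.

```python
# Added example (not from the cited sources): surface the header-level signs
# of an email that impersonates an executive.
from email import message_from_string, policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                      # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # assumed: display name -> real address


def _auth_results(msg):
    """Parse Authentication-Results headers into {mechanism: result}, e.g. {'dmarc': 'fail'}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";")[1:]:   # clause 0 is the authserv-id
            clause = clause.strip()
            if "=" in clause:
                mech, rest = clause.split("=", 1)
                results[mech.strip().lower()] = rest.split()[0].lower()
    return results


def spoofing_indicators(raw_message):
    """Return human-readable reasons this message may be a spoofed executive email."""
    msg = message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    indicators = []

    # 1. Display name of a known executive over a different underlying address.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        indicators.append(f"display name '{name}' belongs to {real} but sender is {addr}")

    # 2. Sender domain is not the company's (this also catches lookalike domains).
    if domain and domain != COMPANY_DOMAIN:
        indicators.append(f"sender domain {domain} is external")

    # 3. Replies are silently redirected somewhere else.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        indicators.append(f"Reply-To {reply_to} differs from From {addr}")

    # 4. Sender authentication did not pass at the receiving gateway.
    auth = _auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if mech in auth and auth[mech] != "pass":
            indicators.append(f"{mech} result is {auth[mech]}")
    return indicators


# Constructed sample of a whaling attempt (lookalike domain, redirected replies).
SPOOFED_SAMPLE = "\n".join([
    "From: Jane Doe <jane.doe@example-corp.co>",
    "Reply-To: jane.doe.ceo@mail-example.net",
    "To: cfo@example-corp.com",
    "Subject: Urgent wire transfer - confidential",
    "Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.co;"
    " dkim=none; dmarc=fail header.from=example-corp.co",
    "",
    "I need this paid before noon, please keep it between us.",
])

# Constructed sample of a legitimate internal message for comparison.
LEGITIMATE_SAMPLE = "\n".join([
    "From: Jane Doe <jane.doe@example-corp.com>",
    "To: cfo@example-corp.com",
    "Subject: Board pack",
    "Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com;"
    " dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com",
    "",
    "Attached as discussed.",
])


if __name__ == "__main__":
    print(spoofing_indicators(SPOOFED_SAMPLE))
    print(spoofing_indicators(LEGITIMATE_SAMPLE))
```

In a real deployment the Authentication-Results header must only be trusted when it was written by your own gateway (the authserv-id in the first clause), since an attacker can include a forged one; the example keys on the results without that check to stay short.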
– Risks
Because the targets are high-profile, the stakes are very high:
– Unauthorized large financial transfers
– Exposure of sensitive corporate data
– Attacker access to internal systems
– Defenses
To protect against whaling:
– Train senior executives on social engineering and phishing risks
– Put in place strong verification procedures for any financial request (e.g., require calls or in-person validation)
– Use multi-person authorization (i.e., more than one person must validate important transactions)
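The last two defenses are process controls, and they are easiest to enforce when the payment workflow itself refuses to release funds until they are met. The following is an added example written for this page, not code from any cited source or real payment system: a minimal approval record that requires out-of-band verification by someone other than the requester, and two distinct approvers above a threshold. The threshold, the approver roster and the names are assumptions.

```python
# Added example (not from the cited sources): a payment request that cannot be
# released until it has been verified out of band and approved by enough
# distinct people. Threshold and approver roster are assumptions.
from dataclasses import dataclass, field

DUAL_APPROVAL_THRESHOLD = 10_000                     # assumed: at or above this, two approvers
APPROVERS = {"cfo", "controller", "treasury_lead"}   # assumed roster of authorized approvers


class ApprovalError(Exception):
    """Raised when a control in the approval workflow is violated."""


@dataclass
class PaymentRequest:
    requester: str
    amount: float
    beneficiary: str
    verified_out_of_band: bool = False      # set only after a call-back on a known number
    approvals: set = field(default_factory=set)

    def required_approvals(self):
        """Large payments need two people; small ones need one."""
        return 2 if self.amount >= DUAL_APPROVAL_THRESHOLD else 1

    def mark_verified(self, verifier):
        """Record that `verifier` confirmed the request through a channel other than the email."""
        if verifier == self.requester:
            raise ApprovalError("requester cannot verify their own request")
        self.verified_out_of_band = True

    def approve(self, approver):
        """Add one approval; verification must come first and self-approval is refused."""
        if approver not in APPROVERS:
            raise ApprovalError(f"{approver} is not an authorized approver")
        if approver == self.requester:
            raise ApprovalError("requester cannot approve their own request")
        if not self.verified_out_of_band:
            raise ApprovalError("request has not been verified out of band")
        self.approvals.add(approver)   # a set, so the same person never counts twice

    def is_releasable(self):
        """True only when both controls are satisfied."""
        return self.verified_out_of_band and len(self.approvals) >= self.required_approvals()


if __name__ == "__main__":
    req = PaymentRequest(requester="ceo", amount=250_000, beneficiary="ACME Supplies Ltd")
    req.mark_verified("controller")
    req.approve("cfo")
    print("releasable after one approval:", req.is_releasable())
    req.approve("controller")
    print("releasable after two approvals:", req.is_releasable())
```

Using a set for approvals is the small detail that makes "multi-person" real: a second click from the same approver does not move the count, and the requester is excluded from both verifying and approving, so a single compromised or impersonated account cannot push a transfer through on its own.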
3. Conclusion
– Spear phishing is a targeted, personalized phishing attack that exploits trust and research about a specific individual.
– Whaling is a subset of spear phishing, where the target is a high-value executive.
– Both rely on social engineering and reconnaissance, and both can be mitigated through training, strong internal processes, and technical defenses.

(techtarget.com)
(economie.gouv.fr)
(kaspersky.com)