It’s important to understand how phishing, spear phishing and whale phishing are related, primarily because the terms are often used interchangeably, incorrectly or without context.

Phishing is any fraudulent email, text message or phone call designed to trick users into downloading malware (through a malicious link or file attachment), sharing sensitive information, sending money to criminals or taking other actions that expose themselves or their organizations to cybercrime.

Anyone with a computer or smartphone has probably received a bulk phishing attack, which is basically a form message that appears to be from a well-known business or organization, describes a common or credible situation and demands urgent action, such as Your credit card has been declined. Please click the link below to update your payment information. Recipients who click the link are taken to a malicious website that might steal their credit card number or download malware to their computers.

A bulk phishing campaign is a numbers game. Attackers send messages to as many people as possible, knowing that some percentage will be tricked into taking the bait. One study detected over 255 million phishing messages during a six-month period in 2022 (link resides outside ibm.com). According to IBM’s Cost of a Data Breach 2022 report, phishing was the second most common cause of data breaches in 2022 and the most common method for delivering ransomware to victims.

Spear phishing is a phishing attack that targets a specific individual or group of individuals within an organization. Spear phishing attacks are typically launched against mid-level managers who can authorize payments or data transfers, including accounts payable managers and human resources directors, by an attacker masquerading as a coworker with authority over the target, or as a colleague (vendor, business partner, advisor) that the target trusts.

Spear phishing attacks are more personalized than bulk phishing attacks and require more work and research. But the extra work can pay off for cybercriminals. For example, spear phishers stole more than USD 100 million from Facebook and Google between 2013 and 2015 by posing as legitimate vendors and tricking employees into paying fraudulent invoices (link resides outside ibm.com).

A whale phishing or whaling attack is a spear phishing attack that is aimed exclusively at a high-level executive or official. The attacker typically impersonates a peer within the target’s organization, or an equal or higher-level colleague or associate from another organization.

Whale phishing messages are highly personalized. Attackers take great pains to impersonate the writing style of the actual sender and, when possible, reference context of ongoing actual business conversations. Whale phishing scammers will often spy on conversations between the sender and the target; many will try to hijack the sender’s actual email or text messaging account to send the attack message directly from there, for the ultimate in authenticity.

Because whaling attacks target individuals who can authorize larger payments, they offer the potential of a higher immediate payoff for the attacker.

Whaling is sometimes equated with business email compromise (BEC), another type of spear phishing attack in which the attacker sends the target a fraudulent email that appears to come from a coworker or colleague. BEC is not always whaling (because it frequently targets lower-level employees), and whaling is not always BEC (because it doesn't always involve email), but many of the most costly whaling attacks also involve BEC attacks. For example:

• In 2015, Ubiquity Networks lost nearly USD 47 million in just 17 days (link resides outside ibm.com)  when whale phishing attackers impersonating the company’s CEO and Chief Counsel sent emails convincing the Chief Accounting Officer to make a series of wire transfers to finance a secret acquisition.
  
  
• In 2018, Pathe Film Group lost EUR 19.2 million (USD 21 million) (link resides outside ibm.com) when scammers pretending to be the CEO at Pathe’s headquarters in France emailed the CEO of Pathe’s Netherlands office, requesting wire transfers to fund an acquisition.
  
  
• Also in 2018, attackers impersonating the CEO, senior executives and legal counsel of the Italian firm Tecnimont SpA tricked the leader of the company’s Indian business unit into transferring INR 1.3 billion (USD 18.25 million) to a bank in Hong Kong (link resides outside ibm.com), also ostensibly to fund an acquisition. As part of this scam, attackers took the extra step of staging several fake conference calls to discuss the details of the "acquisition."

Phishing, spear phishing and whale phishing are all examples of social engineering attacks or attacks that primarily exploit human vulnerabilities rather than technical vulnerabilities to compromise security. Because they leave much less digital evidence than malware or hacking, these attacks can be much more difficult for security teams and cybersecurity professionals to detect or prevent.

Most whaling attacks aim to steal large sums of money from an organization by tricking a high-level official into making, authorizing or ordering a wire transfer to a fraudulent vendor or bank account. But whaling attacks can have other goals, including:

• Stealing sensitive data or confidential information. This can include theft of personal data, such as employee payroll information or customers’ personal financial data. Whale phishing scams can also target intellectual property, trade secrets and other sensitive information.
  
  
• Stealing user credentials. Some cybercriminals will launch a preliminary whale phishing attack to steal email credentials so they can start a subsequent whale phishing attack from a hijacked email account. Others use the credentials to gain high-level access to assets or data on the target’s network.
  
  
• Planting malware. A relatively small portion of whale phishing attacks try to trick targets into spreading ransomware or other malware by opening a malicious file attachment or visiting a malicious website.

Again, most whale phishing attacks are motivated by greed. But they can also be motivated by a personal vendetta against an executive or a company, competitive pressures or social or political activism. Whaling attacks against high-ranking government officials can be acts of independent or state-sponsored cyberterrorism.

Cybercriminals choose a whale with access to their goal and a sender with access to their whale. For example, a cybercriminal who wants to intercept payments to a company’s supply chain partner might send the company’s CFO an invoice and request for payment from the supply chain partner’s CEO. An attacker wanting to steal employee data might pose as the CFO and request payroll information from the VP of human resources.

To make the senders’ messages credible and convincing, whaling scammers thoroughly research their targets and senders along with the organizations where they work.

Thanks to the amount of sharing and conversation people conduct on social media and elsewhere online, scammers can find much of the information they need just by searching social media sites or the web. For example, by simply studying a potential target’s LinkedIn profile, an attacker can learn the person’s job title, responsibilities, company email address, department name, names and titles of coworkers and business partners, recently attended events and business travel plans.

Depending on the target, mainstream, business and local media can provide additional information, such as rumored or completed deals, projects out for bid and projected building costs that scammers can use. Hackers can often craft a convincing spear phishing email with just some general Google searching.

But when preparing for a whale phishing attack, scammers will often take the important extra step of hacking the target and sender to gather additional material. This can be as simple as infecting the target’s and sender’s computers with spyware that enables the scammer to view file contents for additional research. More ambitious scammers will hack into the sender’s network and gain access to the sender’s email or text messaging accounts, where they can observe and insert themselves into actual conversations.

When it’s time to strike, the scammer will send the attack message(s). The most effective whale phishing messages appear to fit within context of an ongoing conversation, include detailed references to a specific project or deal, present a credible situation (a social engineering tactic called pretexting) and make an equally credible request. For example, an attacker masquerading as the company CEO might send this message to the CFO:

Per our conversation yesterday, attached is an invoice from the lawyers handling the BizCo acquisition. Please pay by 5 p.m. ET tomorrow as specified in the contract. Thanks.

In this example, the attached invoice may be a copy of an invoice from the law firm, modified to direct payment to the scammer’s bank account.

To appear authentic to the target, whaling messages may incorporate multiple social engineering tactics including:

• Spoofed email domains. If attackers can’t hack into the sender’s email account, they’ll create look-alike email domains (bill.smith@cornpany.com for bill.smith@company.com). Whaling emails may also contain copied email signatures, privacy statements and other visual cues that make them appear authentic at a glance.
  
  
• A sense of urgency. Time pressure—references to critical deadlines or late fees—can drive the target to act faster without careful consideration of the request.
  
  
• Insistence on confidentiality. Whaling messages often contain instructions such as please keep this to yourself for now to keep the target from going to others who might question the request.
  
  
• Voice phishing (vishing) backup. Increasingly, phishing messages include phone numbers the target can call for confirmation. Some scammers follow up phishing emails with voice mail messages that use an artificial intelligence-based impersonation of the alleged sender’s voice.