2.8.2 Spear Phishing and Whaling

Whereas phishing randomly sends thousands of emails in the hope of tricking a few people into divulging their sensitive information, spear phishing targets specific groups of people. The emails are branded as coming from retailers, banks, universities, or the recipients' own employer, organizations with which the recipients already have relationships, so they are more likely to trust that the emails are legitimate. The attacker has gained access to data within those organizations, so they have at a minimum the names and email addresses of the potential victims, and could have much more information. The email reads as if the sender knows the relationship with the receiver: “Thank you for your recent purchase”, “To all employees”, or “Attention: USC alumni class of 1980”. The sender’s address and the URL that appears in the web browser look legitimate and may even belong to someone the victim knows, such as the CEO of their company.

As with phishing, anyone receiving these emails should never act on them by clicking on links, opening or downloading attachments, replying, or calling phone numbers contained within them. Some web browsers have built-in phishing filters, and plug-ins can be installed for others.
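The two tells the section describes, a sender whose display name suggests a known person while the actual address is elsewhere, and a link whose visible text shows one domain while the href points at another, can be checked mechanically. The following is an added example written for this section, not code from the original text; the sample message, the trusted-domain set and the list of executive titles are constructed assumptions.

```python
"""Flag common spear-phishing indicators in a raw email message.

Added example, not part of the original section. It checks two things the
text mentions: a sender display name suggesting someone known while the real
address is external, and links whose visible text names one domain while the
href points somewhere else.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the example; not a real capture.
SAMPLE_EMAIL = """\
From: "Jane Doe, CEO" <jane.doe@example-payroll.invalid>
To: employee@example.com
Subject: To all employees: updated benefits form
Content-Type: text/html; charset=utf-8

<html><body>
<p>Thank you for your continued work. Please review the form at
<a href="http://example-payroll.invalid/login">https://hr.example.com/benefits</a>
before Friday.</p>
</body></html>
"""

# Domains the organization considers its own (assumption for the example).
TRUSTED_DOMAINS = {"example.com"}

# Titles that, in a display name on an external address, merit a closer look.
EXECUTIVE_TITLES = re.compile(r"\b(ceo|cfo|coo|director|president)\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(value):
    """Lower-cased host part of a URL (a scheme is added if missing)."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def phishing_indicators(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return human-readable indicator strings found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    # Sender check: compare the friendly display name with the real address.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if sender_domain and sender_domain not in trusted_domains:
        findings.append(f"sender domain {sender_domain} is not a trusted domain")
        if EXECUTIVE_TITLES.search(display_name or ""):
            findings.append(f"executive title in display name '{display_name}' on an external address")

    # Link check: visible URL text versus where the href actually goes.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_domain = _domain(href)
        if re.match(r"https?://", text, re.I):
            text_domain = _domain(text)
            if text_domain and text_domain != href_domain:
                findings.append(f"link text shows {text_domain} but points to {href_domain}")
        elif href_domain and href_domain not in trusted_domains:
            findings.append(f"link to external domain {href_domain}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("INDICATOR:", finding)
```

Run against the constructed sample, the function reports the external sender domain, the executive title on that external address, and the link whose text names `hr.example.com` while its href goes to `example-payroll.invalid`. The checks are deliberately simple; a mail gateway would combine them with SPF, DKIM and DMARC results rather than rely on the display name alone.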

Whaling is spear phishing for a single large fish, i.e. someone with great wealth or power. The payoff is potentially much greater if this person is tricked. The email is highly personal, using information that the attacker finds online or through the company intranet, and it could appear to be from a colleague, partner, customer, friend, or family member. The person is often tricked into opening an attachment that contains embedded code allowing the attacker to remotely take control of the victim’s computer.