If you're reading this blog you probably already know a good bit about security. But for those of you who are just getting started in this field, or those who want to learn a little more about the types of phishing… This list defines phishing, spear-phishing, clone phishing, and whaling. During 2019, 80% of organizations have experienced at least one successful cyber attack. This type of cyber attack is big business for the hackers.

What is Phishing?

Phishing, spear phishing, business email compromise, whaling – a definition. As we mention in our Cybersecurity Glossary, phishing refers to "a malicious technique used by cybercriminals to gather sensitive information (credit card data, usernames and passwords, etc.) from users." The attacker disguises themselves as a trusted party and deceives the victim into opening an email or a text message. Phishing involves sending malicious emails from supposed trusted sources to as many people as possible, assuming a low response rate. Phishing emails are impersonal, sent in bulk and often contain spelling errors or other mistakes that reveal their malicious intent. They are common and sent to many different people at once. Trusted logos and links to known destinations are enough to trick many people into sharing their details. For perspective, regular non-whaling phishing is usually an attempt to get someone's login information to a social media site or bank. Phishing attacks come in three different varieties: deceptive, spear phishing and whaling. While most people know about deceptive phishing attacks, they are unawar… Phishing is the least personalized, whaling is the most, and spear-phishing lies between. Whaling is another malicious, naughty member of the Social Engineering family which also includes phishing, spear-phishing, baiting, pretexting, watering holes and tailgating.

Sometimes, you get a new email from someone that you've never emailed before, and they might send you something that seems entirely legitimate. It probably asks for your login information just like you'd expect. However, if you're not careful, what happens next is the problem. When you try to submit your information into the login fields, a notification appears stating that the information was incorrect and that you should try again. You try your password again, and it works out just fine. No harm was done, right? You just entered your password incorrectly — that's the scam, though! At this point, you have no idea that the page was fake and that someone just stole your password. However, the attacker now has your username and password to the website to which you thought you logged in. This usually comes in the form of a password to a sensitive account, which the attacker can then access to gain more data. Instead of a link, the phishing scam might have you download a program to view a document or image. The program, whether real or not, has a malicious undertone to track everything you type or delete things from your computer. Now, it's not always possible to know what's fake. However, if you look at the URL in your web browser and make sure to look around the site, even briefly, for things that look a little off, you can significantly decrease your chances of being attacked in this way. The problem is that not everyone notices these subtle hints.

The user may receive an email, a phone message, or even a text encouraging them to call a phone number due to some discrepancy. If they call, an automated recording prompts them to provide detailed information to verify their account such as credit card number, expiration date, birthdate, and so on. The biggest protection is education and up-to-date antivirus software.

«Spear Phishing»: personalized attacks

Last but not least, phishing has become more specialized. Phishing attempts directed at specific individuals or companies are known as spear phishing. Spear Phishing: It is the type of phishing which targets a specific person or organization: a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim. Spear phishing and whaling are both different types of email phishing attack that attackers use to steal your confidential information. This confidential information might include login credentials, credit & debit card details, and other sensitive data. Cyber-criminals send personalized emails to particular individuals or groups of people with something in common, such as employees working in the same department. The scammer sends a personalised email to either a group of employees or a specific executive officer or senior manager. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success. … In this type of phishing attack, … the attacker takes time to get to know the company … by collecting publicly available information on the company. Spear phishing emails, on the other hand, are more challenging to detect because they appear to come from sources close to the target. While similar to phishing and whaling attacks, spear phishing is launched in a unique way and its targets differ from other social engineering assaults. Even law firms have fallen victim to such attempted "spear phishing" and "whaling" attacks.

The following example illustrates a spear phishing attack's progression and potential consequences:
A spoofed email is sent to an enterprise's sysadmin from someone claiming to represent,
After clicking on the link, the sysadmin is redirected to a login page on.

With that in mind, what is whaling?

If there is spear phishing, did you know there is another term related to it called whaling? "Whaling" is a specific form of phishing that targets high-profile business executives, managers, and the like. "Whaling" is used when a high-ranking manager is taken into sight. Whale phishing is aimed at wealthy, powerful, or influential individuals. Whaling targets CEOs, CFOs, and other high-level executives. Whaling is a form of spear phishing that specifically goes after high-level executive target victims. Whaling is a form of spear phishing aimed at "whales" at the top of the food chain. "Whales" are usually high-ranking victims within a well-known, lucrative company. This is usually a C-level employee, like a Chief Executive or Chief Financial Officer. Whaling is a form of spear-phishing, a form of phishing which targets a particular individual to gain sensitive personal or business information. A whaling attack is a spear phishing attack against a high-level executive. Whaling is like spear phishing, but with a greater purpose — specifically targeting individuals of high rank or status. It is a type of spear phishing, generally oriented toward bigger professionals than low-level employees, like the CEOs or CTOs of an organization. Similar to spear phishing is whaling. If attackers want to home in on their target even more than a spear phishing attack, they launch a whaling campaign. However, whaling campaigns specifically go after executives and high-level employees. This form of phishing is used to target upper-level corporate management in an attempt to obtain restricted internal information. It targets high-ranking, high-value target(s) in a specific organization who have a high level of authority and access to critical company data. The content will target an upper manager like the CEO or even just a supervisor that might have lots of pull in the company or who might have credentials to valuable accounts. Depending on how influential the individual is, this targeting could be considered whaling. The point is to swindle someone in upper management into divulging confidential company information. Whaling focuses on fetching trade secrets which can affect a company's performance. The goal might be high-value money transfers or trade secrets.

How Whaling Is Different From Other Phishing Scams

Like spear phishing, this type of attack includes research on the attacker's part. As in spear phishing, the attacker is familiar with the target. It uses the same approach as regular spear phishing, in that the attacker purports to be an individual the recipient knows or trusts. Whaling attacks always personally address targeted individuals, often using their title, position and phone number, which are obtained using company websites, social media or the press. Whaling emails are highly customized for specific persons. Whaling attacks may take weeks or months to prepare, and as a result the emails used in the attacks can be very convincing. These are more planned and sophisticated attacks. Long-term action, precision and well-rehearsed attacks are organized. Whaling, like any phishing con game, involves a web page or email that masquerades as one that's legitimate and urgent. In a regular phishing scam, the web page/email might be a faked warning from your bank or PayPal. In those cases, the phishing email/site looks pretty standard, whereas, in whaling, the page design addresses the manager/executive under attack explicitly. In the case of whaling, the masquerading web page/email will take a more serious executive-level form. It's different from ordinary phishing in that with whaling, the emails or web pages serving the scam take on a more severe or formal look and are usually targeting someone in particular. The whaling email or website may come in the form of a false subpoena, a fake message from the FBI, or some sort of critical legal complaint. The attacker sends emails on issues of critical business importance, masquerading as an individual or organization with legitimate authority. Scammers design them to look like a critical business email or something from someone with authority, either externally or even internally, from the company itself. The end-game in all phishing attacks like whaling is to scare the recipient, to convince them that they need to take action to proceed, like to avoid legal fees, to prevent getting fired, to stop the company from bankruptcy, etc. The faked page might frighten the target with claims that their account has been charged or attacked, and that they must enter their ID and password to confirm the charge or to verify their identity.

Spear phishing and whaling

Spear phishing, phishing and whaling attacks vary in their levels of sophistication and intended targets. Their differences are highlighted below. In a nutshell, spear phishing and whaling attacks are very different in terms of their sophistication levels and the victims they target. The difference between whaling and spear phishing is that whaling exclusively targets high-ranking individuals within an organization, while spear phishing usually goes after a category of individuals with a lower profile. The key difference between whaling and spear-phishing is that whaling attacks target specific, high-ranking victims within a company, whereas spear-phishing attacks can be used to target any individual. While whaling attacks target high-level individuals, spear phishing is aimed at low-profile targets. Whaling and spear phishing scams differ from ordinary phishing scams in that they target businesses using information specific to the business that has been obtained elsewhere.

Do Executives and Managers Really Fall for These Whaling Emails?

Yes, unfortunately, managers often fall for whaling email scams. We kid you not! Take the 2008 FBI subpoena whaling scam as an example. Scammers attacked about 20,000 corporate CEOs, and approximately 2000 of them fell for the whaling scam by clicking the link in the email. In truth, the linked software was a keylogger that secretly recorded the CEOs' passwords and forwarded those passwords to the con men.

Spear phishing mitigation

The targeted nature of spear phishing attacks makes them difficult to detect. However, several risk prevention measures can help, including two-factor authentication (2FA), password management policies and educational campaigns. 2FA helps secure login to sensitive applications by requiring users to have two things: something they know, such as a password and user name, and something they have, such as a smartphone or cryptographic token. A prudent password management policy should take steps to prevent employees from using corporate access passwords on fake external websites. One example of such a policy is to instruct employees to always enter a false password when accessing a link provided by email. A legitimate website won't accept a false password, but a phishing site will. Employees who are aware of spear phishing are less likely to fall victim to an attack. The easiest way to protect yourself from falling for a whaling scam is to be aware of what you click. It's that simple.

Paul Gil, a former Lifewire writer who is also known for his dynamic internet and database courses and has been active in technology fields for over two decades.

Copyright © 2020 Imperva.
3: Designing: Spear Phishing emails are prepared for a group of people.
4: Target: Spear Phishing targets low profile individuals.

The first thing to know is that whaling and spear-phishing aren't actually different practices – they both involve targeting a phishing attack to an individual recipient.