These are organized, long-term attacks, planned with precision and well rehearsed. The end game in all phishing attacks, whaling included, is to scare the recipient into believing they must act to proceed: to avoid legal fees, to keep from being fired, to stop the company from going bankrupt, and so on. In a nutshell, spear phishing and whaling attacks are very different in terms of their sophistication levels and the victims they target. … In this type of phishing attack, … the attacker takes time to get to know the company … by collecting publicly available information on it. Employees who are aware of spear phishing are less likely to fall victim to an attack.

Phishing involves sending malicious emails from supposedly trusted sources to as many people as possible, assuming a low response rate. The attacker poses as a trusted party and deceives the victim into opening an email or a text message. The easiest way to protect yourself from falling for a whaling scam is to be aware of what you click.

The first thing to know is that whaling and spear-phishing aren’t actually different practices – they both involve targeting a phishing attack at an individual recipient. "Whaling" is a specific form of phishing that targets high-profile business executives, managers, and the like. Whaling is a type of spear phishing. As in spear phishing, the attacker is familiar with the target. Like spear phishing, this type of attack involves research on the attacker’s part. The targeted nature of spear phishing attacks makes them difficult to detect.

Example of a phishing email (figure).

At the same time, a command and control agent is installed on the sysadmin’s machine, which can then be used as a backdoor into the enterprise’s network to execute the first stage of an APT.
Vishing is a form of phishing that uses the phone system or voice over IP (VoIP) technologies. The user may receive an email, a phone message, or even a text encouraging them to call a phone number because of some supposed discrepancy.

Whaling and spear phishing scams differ from ordinary phishing scams in that they target businesses using information specific to the business that has been obtained elsewhere. In a regular phishing scam, the web page or email might be a faked warning from your bank or PayPal. Trusted logos and links to known destinations are enough to trick many people into sharing their details. This confidential information might include login credentials, credit and debit card details, and other sensitive data. With that in mind, what is whaling? Whaling campaigns specifically go after executives and high-level employees. Whaling focuses on fetching trade secrets, which can affect a company's performance. In this attack, the hacker attempts to manipulate the target. Even law firms have fallen victim to such attempted “spear phishing” and “whaling” attacks. Designing: spear phishing emails are prepared for a group of people.

Several risk prevention measures can help, including two-factor authentication (2FA), password management policies and educational campaigns. A prudent password management policy should take steps to prevent employees from using corporate access passwords on fake external websites. One example of such a policy is to instruct employees to always enter a false password when accessing a link provided by email. A legitimate website won’t accept a false password, but a phishing site will. It's that simple. However, if you're not careful, what happens next is the problem.
Whaling uses deceptive email messages targeting high-level decision makers within an organization, such as CEOs, CFOs, and other executives. It targets high-ranking, high-value target(s) in a specific organization who have a high level of authority and access to critical company data. The difference between whaling and spear phishing is that whaling exclusively targets high-ranking individuals within an organization, while spear phishing usually goes after a category of individuals with a lower profile. The difference between phishing, spear-phishing and whaling attacks is the scale of personalization. Spear phishing and whaling are both types of email phishing attack that attackers use to steal your confidential information. As a result, the attack deserves special attention when formulating your application security strategy.

Whaling, like any phishing con game, involves a web page or email that masquerades as one that's legitimate and urgent. For example, the Internal Revenue Service (IRS) is currently warning people against falling for a new deceptive phishing attack during this tax season. When you try to submit your information into the login fields, a notification appears stating that the information was incorrect and that you should try again. The program, whether it is a real add-on or not, is designed to track everything you type or delete things from your computer. They believed it would download a special browser add-on to view the entire subpoena. As a result, each of the 2000 compromised companies was hacked even further now that the attackers had the information they needed.

Now, it's not always possible to know what's fake. Since whaling occurs over emails and websites, you can avoid all malicious links by understanding what's real and what isn't.

Paul Gil is a former Lifewire writer who is also known for his dynamic internet and database courses and has been active in technology fields for over two decades.
As a result, the target unwittingly reveals sensitive information, installs malicious programs (malware) on their network or executes the first stage of an advanced persistent threat (APT), to name a few of the possible consequences.

“Spear phishing”: personalized attacks. Last but not least, phishing has become more specialized. Spear phishing focuses on stealing login credentials or other sensitive information. While similar to phishing and whaling attacks, spear phishing is launched in a unique way and its targets differ from those of other social engineering assaults.

Whaling is a type of spear phishing generally aimed at senior professionals rather than low-level employees, such as the CEOs or CTOs of an organization. Whaling is a form of spear phishing aimed at “whales” at the top of the food chain. “Whales” are usually high-ranking victims within a well-known, lucrative company. Whaling emails are highly customized for specific persons. The difference between whaling and spear phishing is that whaling exclusively targets high-ranking individuals within an organization, while spear phishing usually goes after a category of individuals with a lower profile. Yes, unfortunately, managers often fall for whaling email scams.

The faked page might frighten the target with claims that their account has been charged or attacked, and that they must enter their ID and password to confirm the charge or to verify their identity. You try your password again, and it works out just fine. However, the attacker now has your username and password for the website to which you thought you logged in. If you look at the URL in your web browser and look around the site, even briefly, for things that seem a little off, you can significantly decrease your chances of being attacked in this way.
"Whaling" is the term used when a high-ranking manager is the target. These are more planned and sophisticated attacks. Such individuals have access to highly valuable information, including trade secrets and passwords to administrative company accounts. Whaling is like spear phishing, but with a greater purpose — specifically targeting individuals of high rank or status. For example, an attacker may send an email to a CEO requesting payment, pretending to be a client of the company. The whaling email or website may come in the form of a false subpoena, a fake message from the FBI, or some sort of critical legal complaint. Take the 2008 FBI subpoena whaling scam as an example.

Phishing attacks come in three different varieties: deceptive, spear phishing and whaling. Spear phishing, phishing and whaling attacks vary in their levels of sophistication and intended targets. Phishing emails are impersonal, sent in bulk and often contain spelling errors or other mistakes that reveal their malicious intent. In spear phishing, the attack is targeted at a specific company or even an individual. With spear phishing, the data thieves have only one target – whether it’s an individual, a business, or an organization.

The following example illustrates a spear phishing attack’s progression and potential consequences.

The problem is that not everyone notices these subtle hints. Sometimes, you get a new email from someone that you've never emailed before, and they might send you something that seems entirely legitimate. If you’re reading this blog you probably already know a good bit about security.
At the organizational level, enterprises can raise awareness and actively train employees, highlighting spear phishing attacks as an important threat.

Whaling is a form of spear-phishing, a form of phishing which targets a particular individual to gain sensitive personal or business information. Whale phishing is aimed at wealthy, powerful, or influential individuals. Whaling targets CEOs, CFOs, and other high-level executives. The key difference between whaling and spear-phishing is that whaling attacks target specific, high-ranking victims within a company, whereas a spear-phishing attack can be used to target any individual. For example, a phishing email might purport to be from PayPal and ask the recipient to verify their account details by clicking an enclosed link, which leads to the installation of malware on the victim’s computer.

It probably asks for your login information just like you'd expect. At this point, you have no idea that the page was fake and that someone just stole your password. Scammers attacked about 20,000 corporate CEOs, and approximately 2000 of them fell for the whaling scam by clicking the link in the email.
But for those of you who are just getting started in this field, or those who want to learn a little more about the types of phishing… Similar to spear phishing is whaling. And as the imagery suggests, whaling is a type of spear phishing that targets highly valuable individuals and organisations.

Spear phishing consists of phishing attempts directed at specific individuals or groups of people, and is aimed at lower-profile targets; attackers gather and use personal information about their target to increase their probability of success. A whaling attack is a specific and targeted phishing attack against a high-level executive, such as a CEO or Chief Financial Officer, in an attempt to obtain restricted internal information. Whaling attackers study their target even more thoroughly than spear phishers do, and such attacks may take weeks or months to prepare. The emails concern issues of critical business importance and masquerade as coming from an organization with legitimate authority, so they can be very convincing. Educational campaigns can include exercises with questions designed to test employee knowledge.

In the 2008 FBI subpoena scam, the download secretly recorded the CEOs’ passwords and forwarded those passwords to the con men.

A spoofed email is sent to an enterprise’s sysadmin from someone claiming to represent
After clicking on the link, the sysadmin is redirected to a login page on