Access Systems Blog

Spear Phishing and Whaling: What You Need to Know about These Phishing Emails

Feb 5, 2019 4:30:00 PM

Email scams are becoming a more and more common way to attack your business. But phishing emails are among some of the most tricky and deceptive.

In general, cyber attackers send you an email, pretending to be someone you trust. This email can contain malicious links and attachments, or ask for confidential information. With just one wrong click, malware can be released throughout your network infrastructure— all from one phishing email.

Attacks like these mean you and your employees have to remain on high alert.

phishing email

Types of Phishing Attacks

Phishing attacks come in three different varieties: deceptive, spear phishing and whaling.

Most people are used to seeing deceptive phishing emails. They are common and sent to many different people at once. For example, the Internal Revenue Service (IRS) is currently warning people against falling for a new deceptive phishing attack during this tax season. These emails try to gain identification information, such as social security numbers.

While most people know about deceptive phishing attacks, they are unaware of spear phishing and whaling email scams.

Spear Phishing Emails are Highly Targeted

The standard phishing emails are vague and sent to a large swath of people. Spear phishing is the exact opposite.

Instead of catching many fish with a large net, spear phishing is targeting one small group or individual. These emails are so specific and successful that over 90 percent of phishing attacks were spear phishing, according to Trend Micro research.

These phishing emails work, because they use social engineering methods to research their victim. Some social engineering tactics are as basic as searching for you on social media or as unsuspecting as talking to a stranger at the gas station.

When doing their research, cyber attackers are looking for specific information about you, such as the company you work for and your position. This allows them to personalize the email to appear trustworthy.

Because of these highly targeted emails, they often slip through email filters and antivirus making them quite disastrous.

Hand typing on keyboard with digital tech icons and symbols

Spear phishing emails have three common elements:

  1. They are sent from a trusted source and usually appear like they are being sent from an authority figure, usually your boss. Be sure to double check the sender’s email address, as even one missing letter can change everything. If your manager’s actual email is, for example, a phishing email may come from This example is missing letters in the username and the domain, but at first glance looks the same.
  2. ‘Urgent,’ ‘Need Now,’ Marked ‘Important.’ Cyber attackers know how to make a phishing email look urgent. By creating a sense of urgency and the need to act now, victims become flustered. They miss clear signs, especially when they think their boss is upset with them. This means usual phishing tells go overlooked, like coming from the wrong sender or misspellings.
  3. Spear phishing emails ask for sensitive information. The emails ask for personal information like credit card numbers, bank accounts and usernames and passwords for important applications and software. Because of their social engineering, attackers are sure you have access to this information. Leaking this data can completely compromise your business and cybersecurity.

Whaling, Phishing for Executives

Whales are big fish and just like whaling, cyber attackers are going after the big fish of your company — the executives.

Whaling phishing emails target high-level decision makers, such as CEOs and CFOs. Like spear phishing, whaling is targeted specifically for those individuals and that company. These tactics make it easier to trick victims and antivirus software.

Unlike deceptive phishing or spear phishing, whaling’s goal is not to gain access to information or software. Rather,he objective is to achieve a transfer of money. In fact, according to the FBI, CEO email scams is a 12 billion dollar business.


Decision makers constantly get their inbox flooded with unsolicited emails, which is why whaling has to be a highly personalized attack. The email needs to be opened to have any impact. Cyber attackers will use social media, business records— anything to get their email through filters and opened.

Whaling emails rely on impersonating someone an executive will listen to. This can include a:

  • Bank
  • Vendor
  • Important customer

All of these individuals are important to your business, which is no wonder decision makers have been opening whaling emails.

Unlike other phishing attacks, cyber attackers will go to great lengths to see success from their whaling emails. They don’t just use emails. Some whaling campaigns include website spoofs, when attackers create a copycat website — say of a bank— and store that login information for future malicious use.

Protection against a cyber attack

Protect Yourself from Phishing Attacks

It is possible to protect yourself and your business from phishing attacks. Here are three phishing prevention best practices:

  1. Verify the sender whenever there is an email asking for sensitive information, such as account numbers or passwords. You can do this by looking at the sender’s email address closely or simply pick up the phone. A simple phone call to verify the request may feel silly, but it can save your company a lot of time and money.
  2. Check for any misspelling or formatting red flags.It may seem like common sense, but when you are faced with an urgent email or one that is excused with ‘Sent from iPhone,’ spelling mistakes can slip right past you, and phishing attackers know this.
  3. Train against phishing attacks. Education is the best way to deter cyber attacks. Without realizing it, your employees can weaken your network infrastructure. No alarm system can help if the door is kept wide open.

These best practices can save you and your company from future phishing attacks. Assess your company’s level of cybersecurity with this handy checklist.

If you are a law firm, we have a cybersecurity eBook, just for you! We’ll explore how your office can properly utilize its servers and network, help you to develop a disaster planning strategy and more.


Topics: cybersecurity, Email Phishing

Search Articles

    Subscribe Here!

    Recent Posts

    Posts by Tag

    See all