If they call, an automated recording prompts them to provide detailed information to verify their account such as credit card number, expiration date, birthdate, and so on. The biggest protection is education and up-to-date antivirus software. The whaling email or website may come in the form of a false subpoena, a fake message from the FBI, or some sort of critical legal complaint. These emails try to gain identification information, such as social security numbers. They believed it would download a special browser add-on to view the entire subpoena. This type of cyber attack is big business for the hackers. Trusted logos and links to known destinations are enough to trick many people into sharing their details. … In this type of phishing attack, … the attacker takes time to get to know the company … by collecting publicly available information on the company. At the same time, a command and control agent is installed on the sysadmin’s machine, which can then be used as a backdoor into the enterprise’s network to execute the first stage of an APT. Training materials can feature real-life examples of spear phishing, with questions designed to test employee knowledge. However, several risk prevention measures can help, including two-factor authentication (2FA), password management policies and educational campaigns. These are more planned and sophisticated attacks. The targeted nature of spear phishing attacks makes them difficult to detect. In the case of whaling, the masquerading web page/email will take a more serious executive-level form. A legitimate website won’t accept a false password, but a phishing site will. The problem is that not everyone notices these subtle hints. If you’re reading this blog you probably already know a good bit about security.
The end-game in all phishing attacks like whaling is to scare the recipient, to convince them that they need to take action to proceed, like to avoid legal fees, to avoid getting fired, to stop the company from going bankrupt, etc. Whaling is a form of spear phishing aimed at “whales” at the top of the food chain. Whaling is another malicious, naughty member of the Social Engineering family, which also includes phishing, spear-phishing, baiting, pretexting, watering holes and tailgating. However, if you look at the URL in your web browser and make sure to look around the site, even briefly, for things that look a little off, you can significantly decrease your chances of being attacked in this way.

«Spear Phishing»: personalized attacks

Last but not least, phishing has become more specialized. A whaling attack is a spear phishing attack against a high-level executive. Whale phishing, much like spear phishing, is a targeted phishing attack. The key difference between whaling and spear-phishing is that whaling attacks target specific, high-ranking victims within a company, whereas a spear-phishing attack can be used to target any individual. Spear phishing is the type of phishing that targets a specific person or organization.

Spear phishing mitigation

In those cases, the phishing email/site looks pretty standard, whereas, in whaling, the page design addresses the manager/executive under attack explicitly. With spear phishing the data thieves will only have one target – whether it’s an individual, a business, or an organization. The attacker disguises themselves as a trusted party and deceives the victim into opening an email or a text message.
But for those of you who are just getting started in this field, or those who want to learn a little more about the types of phishing… Whereas phishing scams target non-specific individuals and spear-phishing targets particular individuals, whaling doubles down on the latter by not only targeting those key individuals, but doing so in a way that the fraudulent communications they are sent appear to have come from someone specifically senior or influential at their organization. The goal might be high-value money transfers or trade secrets. This usually comes in the form of a password to a sensitive account, which the attacker can then access to gain more data. Scammers design them to look like a critical business email or something from someone with authority, either externally or even internally, from the company itself. Like spear phishing, this type of attack includes research on the attacker’s part. It's different from ordinary phishing in that with whaling, the emails or web pages serving the scam take on a more severe or formal look and are usually targeting someone in particular.

Whaling

Now, it's not always possible to know what's fake. Even law firms have fallen victim to such attempted “spear phishing” and “whaling” attacks. It uses the same approach as regular spear phishing, in that the attacker purports to be an individual the recipient knows or trusts.
Whaling and spear phishing scams differ from ordinary phishing scams in that they target businesses using information specific to the business that has been obtained elsewhere. Spear phishing and whaling are both types of email phishing attack that attackers use to steal your confidential information. It probably asks for your login information just like you'd expect. Target: spear phishing targets low-profile individuals. Designing: spear phishing emails are prepared for a group of people.

Spear Phishing and Whaling

For perspective, regular non-whaling phishing is usually an attempt to get someone's login information to a social media site or bank. Whaling is a form of spear-phishing, a form of phishing which targets a particular individual to gain sensitive personal or business information. As a result, the attack deserves special attention when formulating your application security strategy. Cyber-criminals send personalized emails to particular individuals or groups of people with something in common, such as employees working in the same department. It's that simple. If there is spear phishing, did you know there is another term related to it called whaling? The difference between whaling and spear phishing is that whaling exclusively targets high-ranking individuals within an organization, while spear phishing usually goes after a category of individuals with a lower profile. If attackers want to home in on their target even more than a spear phishing attack, they launch a whaling campaign. At this point, you have no idea that the page was fake and that someone just stole your password.
The easiest way to protect yourself from falling for a whaling scam is to be aware of what you click. 2FA helps secure login to sensitive applications by requiring users to have two things: something they know, such as a password and user name, and something they have, such as a smartphone or cryptographic token. Whaling, like any phishing con game, involves a web page or email that masquerades as one that's legitimate and urgent. The content will target an upper manager like the CEO or even just a supervisor that might have lots of pull in the company or who might have credentials to valuable accounts. Spear phishing focuses on stealing login credentials/sensitive information. When you try to submit your information into the login fields, a notification appears stating that the information was incorrect and that you should try again. In spear phishing, the attack is targeted toward a specific company or even an individual. However, if you're not careful, what happens next is the problem. Similar to spear phishing is whaling. For example, the Internal Revenue Service (IRS) is currently warning people against falling for a new deceptive phishing attack during this tax season. At the organizational level, enterprises can raise awareness and actively train employees, highlighting spear phishing attacks as an important threat. Whaling attacks may take weeks or months to prepare, and as a result the emails used in the attacks can be very convincing. No harm was done, right? The difference between phishing, spear-phishing and whaling attacks is on the scale of personalization. Such individuals have access to highly valuable information, including trade secrets and passwords to administrative company accounts.
What happens behind the scenes is that when you enter your information into the fake site (which can't log you in because it isn't real), the information you entered is sent to the attacker, and then you're redirected to the real website. Phishing is the least personalized, whaling is the most, and spear-phishing lies between. Spear phishing emails, on the other hand, are more challenging to detect because they appear to come from sources close to the target. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success. During 2019, 80% of organizations have experienced at least one successful cyber attack. And as the imagery suggests, whaling is a type of spear phishing that targets highly valuable individuals and organisations. The user may receive an email, a phone message, or even a text encouraging them to call a phone number due to some discrepancy. “Whales” are usually high-ranking victims within a well-known, lucrative company. Most people are used to seeing deceptive phishing emails. Depending on how influential the individual is, this targeting could be considered whaling. As a result, the target unwittingly reveals sensitive information, installs malicious programs (malware) on their network or executes the first stage of an advanced persistent threat (APT), to name a few of the possible consequences. Phishing attacks come in three different varieties: deceptive, spear phishing and whaling. When 2FA is used, even if a password is compromised using a technique like spear phishing, it’s of no use to an attacker without the physical device held by the real user. The point is to swindle someone in upper management into divulging confidential company information. Whale phishing is aimed at wealthy, powerful, or influential individuals.
Vishing is a form of phishing that uses the phone system or voice over IP (VoIP) technologies. "Whaling" is a specific form of phishing that targets high-profile business executives, managers, and the like. Their differences are highlighted below. The program, whether real or not, has a malicious undertone to track everything you type or delete things from your computer. Scammers design them to look like a critical business email or something from someone with authority, either externally or even internally, from the company itself. Instead of a link, the phishing scam might have you download a program to view a document or image. The attacker sends emails on issues of critical business importance, masquerading as an individual or organization with legitimate authority.

Phishing, spear phishing, business email compromise, whaling – a definition

As we mention in our Cybersecurity Glossary, phishing refers to “a malicious technique used by cybercriminals to gather sensitive information (credit card data, usernames and passwords, etc.)”. The targeted nature of spear phishing attacks makes them difficult to detect. Spear-Phishing vs. Phishing vs. Whaling. Yes, unfortunately, managers often fall for whaling email scams. For example, an attacker may send an email to a CEO requesting payment, pretending to be a client of the company. You just entered your password incorrectly — that's the scam, though!

What is Whaling?
Spear-Phishing and Whaling Make Scams More Targeted

Not only are these threats not going away, they are getting more sophisticated with the introduction of spear-phishing, which introduces social engineering to the mix to specifically target companies or even employees, making phishing attempts even more difficult to spot. Take the 2008 FBI subpoena whaling scam as an example. However, the attacker now has your username and password to the website to which you thought you logged in. Phishing emails are impersonal, sent in bulk and often contain spelling errors or other mistakes that reveal their malicious intent. As in spear phishing, the attacker is familiar with the target. One example of such a policy is to instruct employees to always enter a false password when accessing a link provided by email. The following example illustrates a spear phishing attack’s progression and potential consequences: Spear phishing, phishing and whaling attacks vary in their levels of sophistication and intended targets. Whaling focuses on fetching trade secrets which can affect a company's performance. Paul Gil, a former Lifewire writer, is also known for his dynamic internet and database courses and has been active in technology fields for over two decades. As a result, each of the 2000 compromised companies was hacked even further now that the attackers had the information they needed.

What is Phishing?

Long-term action, precision and well-rehearsed attacks are organized. The faked page might frighten the target with claims that their account has been charged or attacked, and that they must enter their ID and password to confirm the charge or to verify their identity. While most people know about deceptive phishing attacks, they are unawar… The whaling attempt might look like a link to a regular website with which you're familiar. However, whaling campaigns specifically go after executives and high-level employees.

Whaling
This form of phishing is used to target upper-level corporate management in an attempt to obtain restricted internal information. It targets high-ranking, high-value target(s) in a specific organization who have a high level of authority and access to critical company data. Whaling is like spear phishing, but with a greater purpose — specifically targeting individuals of high rank or status. In truth, the linked software was a keylogger that secretly recorded the CEOs’ passwords and forwarded those passwords to the con men. Scammers attacked about 20,000 corporate CEOs, and approximately 2000 of them fell for the whaling scam by clicking the link in the email. The first thing to know is that whaling and spear-phishing aren’t actually different practices – they both involve targeting a phishing attack to an individual recipient. In a regular phishing scam, the web page/email might be a faked warning from your bank or PayPal. Whaling attacks always personally address targeted individuals, often using their title, position and phone number, which are obtained using company websites, social media or the press. How Do I Protect Myself From Whaling Attacks? Phishing attempts directed at specific individuals or companies are known as spear phishing: a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim. In this attack, the hacker attempts to manipulate the target. Whaling uses deceptive email messages targeting high-level decision makers within an organization, such as CEOs, CFOs, and other executives.

Spear-phishing and Whaling

With 91% of all cybercrimes and cyber-attacks starting with a phishing email, a phishing attack is not a question of if – but when. For example, a phishing email might purport to be from PayPal and ask a recipient to verify their account details by clicking on an enclosed link, which leads to the installation of malware on the victim’s computer.
A type of spear phishing, generally aimed at senior professionals rather than low-level employees, like the CEOs or CTOs of any organization. Whaling is a type of spear phishing. This list defines phishing, spear-phishing, clone phishing, and whaling. A spoofed email is sent to an enterprise’s sysadmin from someone claiming to represent, After clicking on the link, the sysadmin is redirected to a login page on. Sometimes, you get a new email from someone that you've never emailed before, and they might send you something that seems entirely legitimate. While whaling attacks target high-level individuals, spear phishing is aimed at low-profile targets. Whaling, like any phishing con game, involves a web page or email that masquerades as one that's legitimate and urgent.

How Whaling Is Different From Other Phishing Scams

The difference between whaling and spear phishing is that whaling exclusively targets high-ranking individuals within an organization, while spear phishing usually goes after a category of individuals with a lower profile. In a nutshell, spear phishing and whaling attacks are very different in terms of their sophistication levels and the victims they target.