Phishing, Spear-phishing, and Whaling

Phishing is a deceptive way to obtain sensitive information. Spear-phishing is a targeted way to attack systems within a particular organization using email addressed to specific individuals. Spear-phishing and whaling are very similar, but the target of the attack differs. Read this article, which explains methods of phishing, spear-phishing, and whaling. What is the purpose of whaling, and who is its target?

Spear phishing

Phishing attempts directed at specific individuals or companies are known as spear phishing. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success.

The first study of social phishing, a type of spear phishing attack that leverages friendship information from social networks, yielded a success rate of over 70 percent in experiments.

Within organizations, spear phishing targets employees, typically executives or those who work in financial departments and have access to financial data.

Threat Group-4127 (Fancy Bear) used spear phishing tactics to target email accounts linked to Hillary Clinton's 2016 presidential campaign. They attacked more than 1,800 Google accounts and implemented the domain to threaten targeted users.


Whaling

The term whaling refers to spear phishing attacks directed specifically at senior executives and other high-profile targets. In these cases, the content will be crafted to target an upper manager and the person's role in the company. The content of a whaling attack email may be an executive issue such as a subpoena or customer complaint.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

Last modified: Thursday, December 3, 2020, 5:10 PM