Since 2004, 95% of all business compromises in the US have been caused by whaling and spear phishing. Spear phishing and whaling rely on finding vulnerabilities in email and software channels to gain access inside a company. It’s been a problem for almost twenty years, so knowing about the red flags is key for fraud prevention – as are examples of what to watch out for. Whaling vs. spear phishing: read on to get the full breakdown!
Trustpair blocks the effects of whaling and spear phishing by continuously controlling payments before they’re executed. Contact an expert to learn more!
Whaling and spear phishing, a definition
Whaling and spear phishing are often used interchangeably, and they are very similar forms of cyber fraud. But knowing the differences can help your firm identify attacks and protect employees at all levels.
What is whaling?
Whaling refers to the targeting of high-profile people, such as top-level executives and even celebrities.
Attackers craft their strategies with just a single person in mind to target, rather than groups of similar individuals. Because they are high-profile, there is ample online information about these people. The perpetrators perform lots of research about their targets before attempting whaling. This way, the attempt can be as specific and look as legitimate as possible.
A famous example of fraud by whaling happened to Scoular, a commodities trading company, in 2015.
Here, the attackers targeted a high-profile individual: the corporate controller. He was approached by a spoofed version of the CEO’s account and told to keep the information under wraps since it was an “acquisition deal”. Because the fraudsters knew so much about the corporate controller and his relationship with the CEO, they were able to extract a $17 million payment for a fake acquisition deal.
What is spear phishing?
Alternatively, spear phishing refers to the targeting of a specific group of people within an organization, who all meet specific criteria. For example, cyberattackers might target all those with the ability to make and approve payments.
Alongside online research, the perpetrators may also hack into the targets’ email system through business email compromise (BEC), or the system of a third party. This way, they can understand how team members interact and use the same words or phrases in their spear phishing attempts. Again, this helps to make the entire spear phishing attack seem genuine, with more chance that the victims will comply.
A high-profile example of spear phishing happened at Snap, the tech company, in 2016. Instead of cash, the fraudsters wanted information.
They concocted an impersonation scam targeting the majority of the HR department by pretending to be the CEO. Each targeted employee handed over information such as payroll data and W-2 records, in what turned out to be a major data breach.
Now, there’s no telling when the fraudsters might use that data to commit identity theft. The company has given employees two years of free insurance against this crime as compensation for the breach.
Whaling vs spear phishing: key differences
Hopefully, it’s now a little easier to understand what whaling and spear phishing mean. But what are the specific differences between the two techniques?
- Targets
- Value and aims
- Techniques
Targets
In whaling, the target is usually one person. This individual is high-profile, and a lot of information about them can be found online and used against them. For example, the CEO of a corporation might be a target for whaling.
In spear phishing, the target is anyone within an organization who meets the perpetrators’ criteria. For example, it might be anyone with permission to access the company bank account, or the account managers for a certain client.
The attackers behind spear phishing might complete online research, but they could also get inside access to company information. Sometimes this happens through hacking; other times, they might have a contact inside the organization who extracts confidential information for them.
Value and aims
Whaling targets are very high-value, with the attackers expecting a high yield from any successful attacks. Because these attacks are individual, the value is usually higher than spear phishing attempts. Moreover, it’s likely that the victim will only fall for the ruse once, so the yield must be high.
Spear phishing yields, by contrast, are generally lower. That’s because there are more victims to target, and the fraudsters often go back for multiple attempts over a period of time. This way, there’s a higher likelihood of success, but for lower amounts of money or data per attempt.
Techniques
Because spear phishing perpetrators need to know who is qualified to meet their criteria, they’re much more likely to infiltrate a company before their attack. This gives the cybercriminals the right information to accurately impersonate known third parties.
For example, spear phishers might access a legitimate vendor, a personal email account for an employee, or a third-party supplier like the landlord. Then, they can copy the words and phrases to appear more genuine and target the right decision-makers.
On the other hand, whaling perpetrators rely heavily on the information they find online. They might dig through social media accounts, use company websites, and trawl through online databases to get their information.
Here’s a table to recap the differences between spear phishing and whaling:
| Variable | Whaling | Spear phishing |
| --- | --- | --- |
| Target | High-profile individuals with lots of information online, such as celebrities or top execs | Low-profile groups that meet specific responsibility criteria, such as being able to approve payments; the attackers don’t know much else about them |
| Value | High yield (large amounts of money or highly sensitive information) | Lower yield, aiming for credentials or access, but with the chance for multiple attacks once the “door is open” |
| Techniques | Online research about the targets, phishing and spoofing | Online research plus hacking for internal systems knowledge, business email compromise (BEC) |
| Attacker aims | Gain a one-time payout or access highly sensitive information for further activities like blackmail | Gain multiple payouts over the course of time after building trust with the target |
Learn all there is to know about fraud in business by downloading our latest fraud report!
Whaling vs spear phishing: key similarities
Of course, there are actually more similarities than differences when it comes to whaling and spear phishing.
Both methods:
- Are highly targeted and require good research
- Typically go through the same channels, such as email (BEC) or phone (vishing)
- Rely on social engineering tactics to appear genuine and convince the victim to take a specific action
- Have impacts that can be prevented through automated payment monitoring or fraud detection software
How can you protect your business against whaling and spear phishing?
Protecting your business from whaling and spear phishing isn’t easy. In fact, the FBI estimates that US businesses have lost over $12 million in the past five years due to this type of attack. But there are several measures you can take:
- Fraud awareness training: hold sessions to give your employees the most up-to-date information on fraudsters’ techniques, trending scams, when to be suspicious, and how to report fraud. You could teach your employees to hover over links in emails instead of clicking them, since this reveals whether the link actually points somewhere other than it appears to.
- Upgrade email spam filters: prevent phishing fraudsters from getting into your system in the first place by installing stronger spam filters. These can detect spoofed emails, show warnings when senders are suspicious, and stop the emails from ever reaching your colleagues’ inboxes.
- Automate your systems to prevent manipulation: the most robust defence against whaling and spear phishing is validating every payment in your system. This way, even if one of your employees has been duped, the payment is automatically blocked in real time.
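As an added illustration (not the article’s or Trustpair’s code), here is a small Python triage check for two of the red flags described above: an executive’s display name arriving from an outside domain, as in the Scoular CEO spoof, and a link whose visible text differs from its real destination, which is what hovering over a link reveals. The executive roster, the company domain and the sample message are assumed and constructed.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed roster of executives likely to be impersonated, and the company's own domains.
EXECUTIVES = {"jane doe"}
COMPANY_DOMAINS = {"example.com"}
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Matches link text that itself looks like a URL or bare domain (captures the host part).
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

def domain_of(header):
    """Return the lowercase domain of an address header such as '"Jane" <a@b.com>'."""
    return parseaddr(header)[1].rpartition("@")[2].lower()

def check_sender(headers):
    """Flag executive display names on external addresses and off-domain Reply-To."""
    name = parseaddr(headers.get("from", ""))[0].strip().lower()
    from_dom = domain_of(headers.get("from", ""))
    findings = []
    if name in EXECUTIVES and from_dom not in COMPANY_DOMAINS:
        findings.append(f"executive name '{name}' sent from external domain {from_dom}")
    reply_dom = domain_of(headers.get("reply-to", ""))
    if reply_dom and reply_dom != from_dom and reply_dom not in COMPANY_DOMAINS:
        findings.append(f"Reply-To goes to {reply_dom}, not the sender's domain")
    return findings

def check_links(html_body):
    """Flag links whose visible text names a different host than the real href."""
    findings = []
    for href, text in HREF_RE.findall(html_body):
        real_host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_LIKE.match(re.sub(r"<[^>]+>", "", text).strip())
        if shown and shown.group(1).lower() != real_host:
            findings.append(f"link text shows {shown.group(1)} but points to {real_host}")
    return findings

def analyse(message):
    """Run both checks over one message given as a dict of headers plus an HTML body."""
    return check_sender(message) + check_links(message.get("body", ""))

# Constructed sample: a CEO-impersonation email pushing a "confidential acquisition" payment.
SAMPLE = {
    "from": '"Jane Doe" <jane.doe@examp1e.com>',
    "reply-to": "jd.private@webmail-example.net",
    "body": ('Keep this confidential, it concerns an acquisition. Approve the wire at '
             '<a href="https://pay.examp1e-portal.net/auth">https://portal.example.com/pay</a> '
             'and <a href="https://example.com/docs">the usual docs page</a>.'),
}

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("FLAG:", finding)
```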
Software like Trustpair can verify payment details and spot when account information doesn’t match. If a spear phishing perpetrator dupes your colleague into paying a false invoice, for example, we can block the payment instantly so it never leaves your account.
With a 100% success record against fraudsters, we can secure your business: get your Trustpair Demo.
To Recap:
- Whaling and spear phishing are both malicious email attacks where the hackers’ aim is to install malware, access data (like personal information), or make a financial transfer.
- Whaling targets high-profile people, but spear phishing targets those who meet certain criteria inside an organization.
- Trustpair can block the impacts of both attacks with automated account validation before payments are executed.