Spear phish, whale phish, regular phish: What's the difference?

There are many types of phishing attack nowadays, to the extent it can be tricky to keep up with them all. We have unique names for mobile attacks, postal attacks, threats sent via SMS and many more besides. However, we often see folks mix up their spears and their whales, and even occasionally confuse them with regular phish attempts. We’re here to explain exactly what the difference between all three terms is.

What is a phishing attack?

Think of this as the main umbrella term for all phishing attempts. It doesn’t matter if it’s a spear, a whale, a smish or a vish, or anything else for that matter: they can all be grouped under the banner of “phishing”. Phishing is where someone tries to get you to log in on an imitation website. This site may emulate your bank, a utility service, or even some form of parcel delivery.

They get you on the site in the first instance by sending a fake email, text, or some other message. The bogus message will emulate the real thing, and may be very convincing in terms of looking like the genuine article. It may also reuse real elements of the actual website inside the email.

The phishing page, too, may steal real images or text from the genuine website. It’ll ask you for login credentials, payment details, or both. Depending on what the phishers intend to do with stolen accounts, you may find they change your login credentials too, locking you out.

What is spear phishing?

Regular phishing attacks are blasted out to random recipients in their hundreds, thousands, or hundreds of thousands. The sky is the limit. The attackers are hoping that if just a few people respond, the campaign will pay off. For the attacker, it’s potentially low risk, high reward.

Spear phishing, by contrast, is when the phisher targets specific people. The targets could be named individuals, or people at a particular business. The intent may be financial, or it could be a nation-state attack targeting people working in human rights, legal services, or some other sensitive occupation.

What is whaling?

Whaling is the most targeted form of phishing. The targets are the biggest and most valuable people or organisations an attacker can go after. “Whales” are typically CEOs or other people crucial to the running of a business. They’ll have access to funds, or be deeply embedded in payment processes and authorisation.

CEO/CFO fraud, where scammers convince employees that the CEO/CFO needs large sums of money wired overseas, is common. This is also more broadly known as a business email compromise scam.

If you’re not a CEO, CFO, or similar, the most likely way you’ll run into this attack is if you work in a department tied to money transfers, for example payroll or some other financial function of the organisation. You’ll need to keep an eye out for bogus wire transfer requests, and the business should have processes and safeguards in place (such as out-of-band verification of unusual payment requests) to combat CEO/CFO fraud attempts.

Further reading

We have a longer guide to avoiding spear phishing here. We also have a more general guide to detecting phishing attacks, which will hopefully help keep you safe from harm no matter what variety of phish you’re facing.