Spear Phishing and Whaling
Posted by Gunter Ollmann on June 28, 2007 at 12:10 PM EDT.  

My recent blogs about phishing appear to have driven several discussions about the fundamentals of the scams.  For all its simplicity, over the last decade the term “phishing” has evolved from a particular attack vector into a stratified class of online fraud and deception. This has resulted in a number of colorful names for the various sub-classes and vectors within phishing.

Last week I had several requests to explain two targeted phishing categories – “Spear Phishing” and “Whaling”. So, while I had a few minutes between meetings I drafted the following descriptions of them and figured I’d share them here on the blog.

Spear Phishing

Spear phishing describes a category of phishing attacks whose target is a particular company, organization, group or government agency.  Contrasted with phishing attacks that make use of large address lists shared with spammers, spear phishers focus on a much smaller subset – often filtering public spam lists with their target's domain, scraping their target's public services for addresses (e.g. message boards, marketing collateral, etc.), or enumeration through more active means (e.g. dumpster diving, spam pinging, etc.).  The most prized addresses being distribution lists such as

Once armed with a list of addresses specific to their quarry, the phishers send email that appears as though it may have come from the employer or someone who would normally send an email message to everyone within the organizational group (e.g. head of marketing and sales, the IT support team, the owner of the message board, etc.).  In reality, the message sender information will have been faked (i.e. spoofed).
The contents of the message will vary with each attack, but will use any information the phisher can find to personalize the scam to as specific a group as possible.  The messages commonly focus upon requesting login credentials (e.g. user name and password) or enticing their victims to open infected attachments.
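
One way a mail gateway or analyst script could flag the spoofed sender information described above. This is an added example, not code from the original post. The domain example.com, the watched display names and the sample messages are constructed assumptions, and the SPF check assumes the receiving gateway records an Authentication-Results header.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                  # assumption: the defended mail domain
WATCHED_NAMES = {"it support", "jane doe"}  # assumption: senders who mail whole groups

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoof_indicators(raw_message):
    """Return the reasons the sender information of a message looks forged."""
    msg = message_from_string(raw_message)
    display = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_dom = domain_of(msg.get("From"))
    reasons = []
    # A trusted internal name attached to an address outside the organization.
    if display in WATCHED_NAMES and from_dom != ORG_DOMAIN:
        reasons.append("internal display name on external address")
    # Replies or bounces routed to a different domain than the visible sender.
    # Heuristic only: legitimate bulk-mail services also do this.
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            reasons.append(f"{header} domain differs from From domain")
    # The organization's own domain in From, but SPF failed at the gateway.
    # Only trust an Authentication-Results header added by your own gateway.
    auth = (msg.get("Authentication-Results") or "").lower()
    if from_dom == ORG_DOMAIN and "spf=fail" in auth:
        reasons.append("From uses organization domain but SPF failed")
    return reasons

# Constructed sample messages (not real mail).
SPOOFED = (
    "From: IT Support <helpdesk@example.com>\n"
    "Reply-To: helpdesk@example-support.test\n"
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.test\n"
    "Subject: Password reset\n\nConfirm your login.\n"
)
LOOKALIKE = "From: IT Support <helpdesk@examp1e.test>\nSubject: Reset\n\nLog in here.\n"
LEGIT = (
    "From: IT Support <helpdesk@example.com>\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com\n\nok\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(name, spoof_indicators(raw))
```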

Unlike normal phishing scams whose objective is to steal an individual's online banking credentials, the spear phisher is most often seeking to gain access to the entire network of an organization.  That said, it is not unheard of for spear phishers to target the users of a specific piece of software (e.g. members of a specific “clan” within World of Warcraft) and steal their login credentials.


Whaling

The adoption of the term ‘Whaling’ within phishing is fairly new and may have been derived from the use of ‘Whales’ within gambling to refer to big-time gamblers and high rollers, but most likely comes from the colloquialism for “big fish”.

Regardless, Whaling describes the most focused type of phishing currently encountered by businesses or government – targeted attacks against groups of high-level executives within a single organization, or executive positions common to multiple organizations (e.g. the CTO or CFO).

In a whaling attack, the phisher focuses upon a very small group of senior personnel within an organization and tries to steal their credentials – preferably through the installation of malware that provides back-door functionality and keylogging.

By focusing upon this small group, the phisher can invest more time in the attack and finely tune his message to achieve the highest likelihood of success.  Note that these messages need not be limited to email.  Some scams have relied upon regular postage systems to deliver infected media – for example, a CD supposedly containing evaluation software from a known supplier to the CIO, but containing a hidden malware installer.


At a high level - using visual metaphors - I suppose you could say that a standard phishing attack is like carpet bombing a few blocks from a B52, while ‘spear phishing’ is more akin to taking out the building by parking a car bomb in the garage underneath, and ‘whaling’ is like sneaking a briefcase bomb into the company’s board-room.  The more focused the attack, the more precise the information needs to be in order to carry it out.

So, what tips can I offer for protection against spear phishing and whaling? 

  1. If you have suspicions about an email message, contact the person or organization through an alternative channel (e.g. phone, instant messenger) before responding or opening any attachments.
  2. Never provide personal or financial information over email – no matter who appears to have sent it.
  3. Never click on links within emails that appear to be requesting personal or financial information.  Manually type the web address into your Web browser instead if you believe it is ‘probably’ legitimate.
  4. Ensure that you report any suspicious email that could be a spear phishing or whaling message to the appropriate team within your organization.  You may have spotted it, but your colleagues could have been fooled by it.
  5. Make sure that your desktop protection systems are always up to date.  Merely viewing a suspect email or browsing a web address can sometimes result in exploitation.

But you already knew all this, right – you’re a security professional, why else would you be reading the X-Force blog? However, do you know who your colleagues would report suspicious emails to? Would your General Manager or CEO recognize a whaling email?

    Copyright 2001-2007 © Gunter Ollmann