Phishing Scams: Spear Phishing vs Whaling

Phishing scams are the most common scam affecting Australians. Australians lost more money to scammers in 2017 than in any other year since the ACCC began collecting reports.

So, what is phishing?

A phishing scam is one in which users are asked to divulge sensitive information such as usernames, passwords and credit card details. A common example is a fake security notice warning the user about “unusual log-in activity”.

These messages pretend to come from legitimate businesses, normally banks, other financial institutions (e.g. PayPal), or telecommunication providers.

The phishing scams can look extremely sophisticated and convincing. There is usually some form of call-to-action tricking us into divulging sensitive personal information such as passwords or bank details.

There are several types of phishing scams. In this post, we’ll look at the difference between two common types: spear phishing and whaling.


Spear phishing

Spear phishing is a much more targeted attack in which hackers know which specific individuals or organisations they are after.

While ‘phishing’ casts a wide net and hopes to gather data from a wide set of people, spear phishing is an attempt to gather data from an identified target.

Spear phishers are after valuable data such as confidential information and business secrets. The cyber criminals do research on the target to make the attack more personalised and to increase their chance of success.

Think of spear phishing as professional phishing.


Whaling

Whaling follows on from the idea of spear phishing. The key difference is that the targets are even more carefully selected: they are often senior executives such as CEOs or CFOs, as they have complete access to sensitive data.

It’s called ‘whaling’ because of the size of the targets relative to those of typical phishing scams. This type of scam is also known as CEO Fraud or Executive Fraud.

Whaling attacks are more difficult to detect than typical phishing attacks because they are so highly personalised and are only sent to the selected target within an organisation.



How to avoid phishing scams

You may not be able to prevent your staff from being targeted by cyber criminals but there are steps you can take to reduce the likelihood that these attacks will be successful.

One of the most important steps you can take is to educate your staff on how to recognise phishing scams and malicious attacks.

At Huon IT, we offer a 12-month Cybersecurity Awareness Training program designed to reduce your company’s exposure to these attacks.

Some other steps you can take:

  • Never send personal or sensitive information via email.
  • Verify the sender by calling the organisation directly, using contact details you find through an independent channel, such as searching for the organisation online, rather than the details given in the message.
  • Look for the secure symbol on their website (https versus http).
  • Update your security software, change passwords and back up content regularly.
  • Consider what personal and business information you post on social media. Scammers use publicly available information to identify potential whaling and spear phishing victims.
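Two of the checks above can be applied mechanically to a suspicious message before anyone clicks: does the link actually use https, and does the address shown in the link text match where the link really goes? The script below is an added example written for this post, not Huon IT code or a product. The email body and every domain in it are constructed placeholders. Note that https only tells you the connection is encrypted, not that the site belongs to the organisation the message claims to be from, so a mismatch between the visible address and the real target is the stronger signal.

```python
"""Flag suspicious links in an email body: links that are not https, and
links whose visible text names a different host than the real href.

Added example for this post (not Huon IT code). SAMPLE_EMAIL_HTML is a
constructed message; all domains in it are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling a bank's "unusual log-in activity" notice.
# The first link shows a bank-looking address but points somewhere else.
SAMPLE_EMAIL_HTML = """
<p>We detected unusual log-in activity on your account.</p>
<p>Please verify now:
   <a href="http://secure-login.example.net/verify">https://www.examplebank.example</a></p>
<p>Questions? Visit <a href="https://www.examplebank.example/help">our help centre</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname if the string is a URL, otherwise None."""
    parsed = urlparse(value if "://" in value else "")
    return parsed.hostname.lower() if parsed.hostname else None


def find_suspicious_links(html_body):
    """Return a list of (href, reason) for links a reader should not trust.

    Check 1: the real target must use https.
    Check 2: if the visible link text itself looks like a URL, its host
             must match the host the link actually points to.
    """
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme != "https":
            findings.append((href, "link is not https"))
        shown_host = _host(text)
        real_host = (target.hostname or "").lower()
        if shown_host and shown_host != real_host:
            findings.append(
                (href, f"visible text says {shown_host} but link goes to {real_host}")
            )
    return findings


if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: {href}")
```

Run against the constructed sample, the script flags the "verify now" link twice (plain http, and a visible address that does not match the real destination) and leaves the genuine help-centre link alone. The same logic can be pointed at a saved .eml body or wired into a mail filter to warn users before they act on a message.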

