Tip of the Spear: Phishing or SpearPhishing?

By Todd Salmon

Ever wonder what the difference between phishing and spearphishing is? What about whaling? As someone in the information security business, I get asked about that a lot. Here's a quick overview highlighting those differences.


Phishing attacks are generally exploratory attacks targeted at a broad audience. They usually involve a combination of social engineering and technical deceit in an effort to manipulate victims into opening file attachments or clicking on embedded links in an email. Phishers are trying to obtain sensitive data, personally identifiable information or user/network credentials that can lead them deeper into an organization and closer to the crown jewels. A basic attack is distributed en masse or blasted out like spam.


Spearphishing is a targeted version of phishing that usually focuses on a specific company and combines tactics such as sender impersonation, personalization to the intended victim, enticement, and evasion of controls such as email filters, antivirus, and IDS/IPS. The goal of a spearphishing attack is ultimately the same as a phishing attack—to coerce a target into opening an attachment or clicking an embedded link—but it is much more sophisticated and elaborate.

Spearphishing focuses on specific individuals within specific organizations. Attackers will mine social media sites such as LinkedIn or Facebook and personalize or impersonate users so that the spearphishing email is extremely accurate and compelling. Once a link is clicked or an attachment is opened, the door to the network is established, allowing the attacker to move forward with the advanced targeted attack.

Spearphishing attacks can also be viewed within the context of an Advanced Persistent Threat (APT). Cybercriminals conduct APT attacks via spearphishing through the introduction of malware, Trojans, key loggers, port listeners and multi-vector attacks. The goal of an APT is to establish sustainable, long-term access to an organization’s information assets, and a successful spearphishing attack can readily achieve that goal.


Whaling is very similar to spearphishing, but is a more specific form of attack targeted at corporate upper management with the intent of obtaining confidential company information. Whaling involves the use of an email or webpage that appears legitimate and contains a high sense of urgency. The whaling attack will target individuals by name and is often disguised as a legal subpoena, client complaint or internal executive directive.
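The traits the two sections above attribute to spearphishing and whaling (a sender impersonating a known executive, a Reply-To diverted elsewhere, and a lure built on urgency, subpoenas or complaints) can be turned into mail-gateway triage rules. The following is an added example, not code from the original post or from FishNet Security; the internal domain, the executive directory, the urgency terms, the weights and the two sample messages are all constructed assumptions.

```python
# Added example: score an inbound message for the impersonation and urgency
# traits described above. All names, domains and thresholds are assumptions.
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # assumed defender domain
EXECUTIVES = {"pat ceo": "pat.ceo@example.com"}      # assumed display name -> mailbox
URGENCY = ("urgent", "immediately", "subpoena", "legal action",
           "within 24 hours", "complaint")

def score_message(raw: str) -> dict:
    """Return indicator flags, a weighted score and a verdict for one plain-text message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply.rsplit("@", 1)[-1].lower()
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    flags = {}
    # Sender impersonation: display name of a known executive, address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    flags["exec_name_spoof"] = expected is not None and addr.lower() != expected
    # Message originates outside the organization (covers lookalike domains).
    flags["external_sender"] = from_domain != INTERNAL_DOMAIN
    # Replies are diverted to a domain other than the apparent sender's.
    flags["replyto_mismatch"] = bool(reply) and reply_domain != from_domain
    # Urgency / legal-pressure lure, capped so wording alone cannot dominate.
    flags["urgency_terms"] = [t for t in URGENCY if t in text]
    score = (3 * flags["exec_name_spoof"] + 2 * flags["replyto_mismatch"]
             + 1 * flags["external_sender"] + min(len(flags["urgency_terms"]), 2))
    verdict = "quarantine" if score >= 4 else "review" if score >= 2 else "deliver"
    return {"flags": flags, "score": score, "verdict": verdict}

# Constructed sample: whaling-style lure impersonating the CEO from a lookalike domain.
SAMPLE_WHALING = """From: Pat CEO <pat.ceo@examp1e-corp.net>
To: cfo@example.com
Reply-To: counsel@mail-relay.example.net
Subject: Urgent: legal subpoena - respond immediately

Please review the attached subpoena and reply within 24 hours.
"""

# Constructed sample: genuine internal message from the same executive.
SAMPLE_BENIGN = """From: Pat CEO <pat.ceo@example.com>
To: cfo@example.com
Subject: Q3 offsite agenda

Draft agenda attached, comments welcome by Friday.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WHALING, SAMPLE_BENIGN):
        print(score_message(sample))
```

Rules like these only catch the crude end of the spectrum; a well-crafted spearphish can avoid every keyword, which is why the post's closing advice on simulation and awareness testing still applies.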

The Bottom Line

Whatever you call it, any form of phishing can lead to the compromise of sensitive information. Test your security awareness programs frequently, including simulations of spearphishing attacks, in order to gauge the effectiveness of the awareness programs and controls that are intended to reduce the likelihood that these types of attacks succeed.

FishNet Security offers customized professional services that can address phishing/spearphishing attack simulations as well as comprehensive training solutions. The most effective defense against these potentially devastating attacks is a combination of testing, training and awareness.