Craig McDonald 07 September 2016 15:28:55 AEST 4 MIN READ

Email scam tactics explained: What are phishing, spear phishing and whaling?

Every day, cyber criminals are dreaming up new get-rich-quick schemes. Whether impersonating a popular brand on Facebook, offering bulk followers on Instagram, or trying to deceive a well-meaning accounts worker, it’s hard to escape opportunistic scammers.

Phishing has been around for two decades. But cybercriminals have now upped the stakes, enticed by the idea of a large-scale attempt at a quick payday. Today, they are more focussed on criminal intent than simple annoyance. With email one of the most critical business applications, it is also the entry point to most successful cybercrimes.

Cybercriminals change their methods quickly in the hope of stealing victims’ money, passwords or other potentially lucrative personal details, such as financial information or corporate intellectual property. Their tactics have a common theme: deception.

So what do phishing, spear phishing and whaling mean?

Put simply, phishing is the practice of sending email to users with the purpose of tricking them into clicking on a link or revealing personal information. Spear phishing and whaling are targeted phishing attacks.

Here’s how to tell each method apart:

What is phishing?

Phishing emails go to a wide group of people without targeting anyone. It’s like a fisherman casting a wide net to see what he can catch. The attackers know that not everyone will respond, but they know that if they send enough emails out, enough people will take the bait.


Example: Attackers often load malicious software onto websites. The malicious code is downloaded as soon as a user visits (called a drive-by download). Attackers can either compromise a legitimate site and add their drive-by download, or create their own. They then send out a phishing email or social media post hoping a user clicks. If the user clicks, the drive-by download infects their system.

In other cases, a phishing attack will send the user to a malicious website that appears to the user as a legitimate site. Once there, the user will be asked to enter their username and password.

Example: Attackers send an email to the user indicating that their PayPal account needs to be validated. If the user clicks the link, they’ll be taken to a site that looks very similar to the actual PayPal site, but with a different URL. If the user enters their credentials, the attacker quickly harvests them and puts them to use. When attackers get a response, they can log on as the user and hijack the account. If it’s a financial account, they’ll empty it in short order.

Even if it’s solely an email account, many people use the same email address and password to log onto other accounts. The attacker will quickly try to log onto banking and financial sites using your information. Australia Post, Australian Federal Police and ANZ Bank are examples of organisations that have been targeted.

What is spear phishing?

Spear phishing uses the same approach as regular phishing but aims at a narrower group of people. It might be employees of a specific company, customers of a specific company, or even a specific person. The greeting is likely to be personalised, rather than a generic ‘Dear sir/madam’, and the email is designed to look like it has come from someone familiar. It might falsely appear to be from a colleague who needs an account paid urgently, for example.

Quite often, these emails employ the ‘Sent from my iPhone’ tactic. This is a popular way for scammers to avoid having to falsify a company email signature. It also helps suggest the email has been sent by a contact who’s busy in meetings and unavailable for a chat to clarify the request.


What is whaling?

Whaling targets high-level executives. Whaling scam emails are designed to masquerade as a critical business email, sent from a legitimate business authority. The content is meant to be tailored for upper management, and usually involves some kind of falsified company-wide concern.


As an example, a whaling attack targets senior corporate executives using their actual name, company name and phone number. The attackers draft an email that looks like an official request from the executive to transfer funds or pay an invoice. These usually take the form of plain text.
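The warning signs described above for the PayPal look-alike link, the ‘Sent from my iPhone’ pretext and the executive-name whaling request can be checked mechanically. The following is an added example, not part of MailGuard’s article or product: a small triage routine run over constructed sample emails. The company domain, executive names and brand domain table are assumptions for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "corp.example"            # assumed domain of the company being protected
EXECUTIVES = {"jane doe"}                   # assumed names of senior staff likely to be impersonated
BRAND_DOMAINS = {"paypal": "paypal.com"}    # brand keyword -> the brand's genuine domain (assumed)
URGENT_PAYMENT = re.compile(r"\b(urgent|wire|transfer|invoice|pay(ment)?)\b", re.I)

def triage(raw: str) -> list[str]:
    """Return the article's warning signs found in one RFC 822 message (empty list = none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    flags = []
    # Whaling: a real executive's display name on a sender outside the company.
    if name.strip().lower() in EXECUTIVES and domain != INTERNAL_DOMAIN:
        flags.append("executive display name from external sender")
    # Phishing: a brand name appears in the link, but the host is not the brand's real domain.
    for url in re.findall(r"https?://\S+", body):
        host = (urlparse(url).hostname or "").lower()
        for brand, real in BRAND_DOMAINS.items():
            if brand in url.lower() and not (host == real or host.endswith("." + real)):
                flags.append(f"look-alike {brand} link on {host}")
    # Spear phishing: 'Sent from my iPhone' standing in for a signature, plus an urgent payment ask.
    if "sent from my iphone" in body.lower() and URGENT_PAYMENT.search(body):
        flags.append("mobile signature with urgent payment request")
    return flags

# Constructed sample messages (not real mail) mirroring the three tactics in the article.
SAMPLE_WHALING = """From: Jane Doe <jane.doe@webmail.example>
To: bob@corp.example
Subject: Urgent

Hi Bob, please transfer the invoice amount today, I'm in meetings.

Sent from my iPhone
"""
SAMPLE_PHISH = """From: PayPal <service@paypal-secure.example>
To: alice@corp.example
Subject: Validate your account

Dear sir/madam, validate your account at http://paypal.example-verify.net/login within 24 hours.
"""
SAMPLE_OK = """From: Bob Smith <bob.smith@corp.example>
To: alice@corp.example
Subject: Lunch

See you at noon at the usual place.
"""
```

Running `triage` over the three samples flags the whaling and PayPal messages and leaves the ordinary internal email clean; in practice these heuristics would sit alongside sender authentication rather than replace it.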

Email scams take many forms, but knowing the warning signs will help keep you and your personal information safe and secure.
