Spear phishing, as the name implies, involves attempting to catch a specific fish. A spear phishing email includes information specific to the recipient to convince them to take the action the attacker wants them to take. This starts with the recipient’s name and may include information about their job or personal life that the attackers can glean from various sources.

Whaling is a kind of spear phishing, specifically one that goes after really big fish—think CEOs, board members, celebrities, politicians, etc.

How spear phishing attacks work

Spear phishing attacks don’t just happen out of the blue. Here’s a look at the discrete steps in a typical spear phishing attack.

Infiltration. Like most attacks, spear phishing often starts with compromising an email or messaging system through other means—via ordinary phishing, for instance, or through a vulnerability in the email infrastructure. Once inside the system, an attacker can move to the next step: reconnaissance.

Reconnaissance. How attackers get the personal information they need in order to craft their email is a critical spear phishing technique, as the entire process of the attack depends on the messages being believable to the recipient.

Having gained access to the system, the attacker “sits in the network for a while to monitor and track interesting conversations,” explains Ori Arbel, CTO of CYREBRO, a Tel Aviv-based security operations platform provider. “When the time is right, they email the target using a believable context with insider information, such as bringing up past conversations or referencing specific amounts for a previous money transfer.”