Spear Phishing vs. Phishing vs. Whaling: Key Differences and Similarities
Phishing differs from spear phishing in origin, scale, psychology, technology, and costs.
Phishing is a fraudulent campaign in which an attacker sends a mass email to business users or consumers, posing as a reputable company or party to win the recipient's trust, create a sense of urgency, and induce the recipient to divulge credentials or send money. Spear phishing is a fraudulent campaign in which an attacker obtains the contact details of an individual, or a small group of individuals, with privileged access, and uses what they know about those people to craft a message tailored to them. This article discusses the differences and similarities between phishing and spear phishing in detail.
What Is Phishing?
Phishing is a fraudulent campaign where a hacker or someone with malicious intent sends out a mass email to business users or consumers, posing as a reputable company/party to win the recipient’s trust, create a sense of urgency, and incite the recipient to divulge credential information or send money.
Generic phishing is not very sophisticated and relies on the credibility of the entity it mimics to trigger a response from the recipient. You could consider generic phishing as a sort of “spray and pray” attack, where the attacker reaches out to a very large group of users in the hope that a few individuals will respond.
For example, a hacker might set up a website that spoofs the Microsoft login page at a lookalike URL and send emails to a database of known Microsoft 365 users obtained from the dark web or a third-party data reseller.
The communication would look something like this:
Suspicious Activity Detected. Please reset your password to maintain access to your account.
OR
Limited time upgrade to <new paid Microsoft product>. Enter your credit card details to activate.
Some users will check the email against official Microsoft sources or with a colleague and immediately recognise it as fraudulent. Those who don't may click the URL and land on a fraudulent website that harvests their login credentials or banking information. Of a thousand users targeted by a generic campaign, perhaps ten, or fewer, will respond; the attacker only needs that handful.
In comparison, spear phishing is far more targeted. It relies on the recipient holding privileged knowledge or access, which raises the attacker's chances of extracting data or money from the victim.
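The check a cautious user performs by hand, comparing where a link says it goes with where it actually goes, can be automated. The following is an added example, not code from the original article: it extracts every link from an HTML email body and flags the tricks the Microsoft lure above relies on (a homoglyph domain such as rnicrosoft.com, a brand name buried in the subdomain of an unrelated domain, and anchor text that names a different site from the href). The brand allowlist, the homoglyph table and the sample body are all constructed for illustration, and the "last two labels" rule for the registrable domain is a stated simplification of what the Public Suffix List does properly.

```python
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: domains a genuine Microsoft mail may link to.
BRAND_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "live.com"}
BRAND_NAMES = {d.split(".")[0] for d in BRAND_DOMAINS}

# Character substitutions commonly used to build lookalike host names.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Anchor text that itself looks like a URL or a bare host name.
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/.*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Simplification: production code should
    consult the Public Suffix List so that names under e.g. co.uk work too."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalise(domain: str) -> str:
    """Undo common homoglyph substitutions so 'rnicrosoft' compares as 'microsoft'."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def classify_link(href: str, text: str) -> list[str]:
    """Return the reasons one link looks suspicious; an empty list means clean."""
    reasons: list[str] = []
    host = (urlparse(href).hostname or "").lower()
    domain = registrable_domain(host)
    labels = host.split(".")

    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        reasons.append(f"internationalised host name (possible homograph): {host}")
    if domain not in BRAND_DOMAINS and normalise(domain) in BRAND_DOMAINS:
        reasons.append(f"lookalike of a brand domain: {domain}")
    if domain not in BRAND_DOMAINS and BRAND_NAMES & set(labels[:-2]):
        reasons.append(f"brand name used as a subdomain of {domain}")
    m = HOST_IN_TEXT.match(text)
    if m and registrable_domain(m.group(1)) != domain:
        reasons.append(f"anchor text shows {m.group(1).lower()} but link goes to {host}")
    return reasons


def scan_email_html(body: str) -> dict[str, list[str]]:
    """Map every suspicious href in the body to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(body)
    parser.close()
    return {href: r for href, text in parser.links if (r := classify_link(href, text))}


# Constructed sample body modelled on the article's "Suspicious Activity" lure.
SAMPLE_BODY = """
<p>Suspicious activity detected. Please
<a href="https://login.rnicrosoft.com/reset">reset your password</a>
to maintain access to your account.</p>
<p>Billing: <a href="http://secure-m365-billing.example.net/pay">https://www.microsoft.com/billing</a></p>
<p>Verify: <a href="https://microsoft.com.account-verify.example/">microsoft.com</a></p>
<p>Help: <a href="https://support.microsoft.com/">support.microsoft.com</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_BODY).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run as a script, it reports the three planted links and stays silent on the genuine support.microsoft.com link. The homoglyph table is deliberately small; a mail gateway would also compare against confusables from Unicode's tables, and the BRAND_NAMES check will flag any host with a label like "live" even when it is unrelated, so treat these as signals to score, not verdicts.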
What Is Spear Phishing?
Spear phishing is a fraudulent campaign in which an attacker obtains the contact details of an individual, or a group of individuals, with privileged access, then uses knowledge of their personal context to craft a message with the highest possible chance of getting a response.
Spear phishing is a subset of the general phishing category of attacks, but it is significantly more sophisticated, better planned, and more dangerous. Not only does the attacker know exactly who they are targeting, they also use what they know about the intended victim to personalise the message so that the person is very likely to click or respond. Targeted details such as the name of the victim's software reseller or the date of a recent license purchase markedly increase the chances of a response.
Continuing the previous example, the attacker could target a single company's IT administrators instead of a random database of Microsoft 365 users, and pose as that company's chosen reseller for greater credibility rather than as a generic Microsoft representative.
The message may look something like this:
Your license hasn’t been renewed since <actual date of license purchase> – pay now to avoid deactivation.
As you can see, spear phishing and phishing operate on similar principles, but there are several points of difference.
5 Key Differences Between Spear Phishing and Phishing
Phishing differs from spear phishing in five ways: phishing is much older; it targets victims in bulk; it relies on generic psychological triggers and a measure of luck rather than tailored social engineering; it almost always carries a payload; and a generic phishing attack is likely to cost you less. Let us explore these differences in detail.
1. Origins: Phishing has been around for a longer time than spear phishing
Back in the 60s and 70s, it was possible to blow a whistle into a phone receiver and trick the telephone network into setting up a free call. The technique, known as phone phreaking, reproduced the 2600 Hz tone the network used for in-band signalling, so the switch took the caller for a trusted part of the system. Modern phishing works on the same principle: the attacker impersonates a trusted party to dupe the recipient. As we know it today, the technique was first described in a paper delivered to the 1987 International HP Users Group, Interex.
Throughout the 90s, there were several instances of AOL phishing where an attacker would pose as a staff member and ask users for their credentials via instant messaging.
Spear phishing is a far more recent phenomenon. Attackers who broke into TD Ameritrade's customer database in 2007 were unable to acquire all of the information they wanted, so they used the contact details they had stolen to launch a follow-up spear phishing campaign against the account holders. Since then, spear phishing has steadily grown in popularity, with more and more enterprises becoming targets of highly sophisticated, non-generic attacks.
2. Scale: Phishing is enacted en masse vs. more targeted spear phishing
This is probably the biggest difference between phishing and spear phishing.
The pool of targets is much larger in a typical generic phishing attack, which may be aimed at either consumers or business users. There is a commonality between the victims (they might all be Microsoft users or Amazon customers), but it is a broad one, with no specific context on individual backgrounds.
Spear phishing has a narrower scope. Even when it targets a fairly large group, the victims share some form of privileged access. The attacker might target all the IT administrators of a company, all newly hired employees (who are more vulnerable to social engineering), or a specific function such as the stakeholders in accounts payable.
3. Target psychology: Spear phishing banks on social engineering, not luck
The psychology behind spear phishing is also different from a generic phishing campaign. The hacker knows (or at least has an accurate estimation of) what would drive the intended victim to action.
A newly hired employee would feel compelled to respond to an HR instruction for collecting employee data. An accounts payable stakeholder might be motivated to quickly clear an invoice payment if instructed by a supervisor, without double-checking the details if there is a fear of missing deadlines. An IT administrator might be persuaded to enter payment details on a fraudulent page if there is a promise of saving on IT budgets.
Crafting the messaging in a manner that taps into a victim’s unique psychological drivers is called social engineering – which is a big part of carrying out a spear phishing campaign.
A generic phishing campaign, on the other hand, tries to exploit universal psychological drivers: our urge to act when presented with an urgent situation, our desire to save money or gain from a discount, and our aversion to conflict or challenging scenarios. It therefore presents the victim with a carrot or a stick, without any individual knowledge of what motivates them.
4. Technology: Phishing relies on malicious links vs. zero payload spear phishing
The technology and technique used in phishing and spear phishing can also differ. Phishing typically relies on a link or an attachment. Opening the attachment might install malware on the victim's machine, and a link might lead to a website that asks for login or banking details under the guise of a legitimate provider.
Either way, generic phishing almost always carries a "payload", because an unpersonalised message cannot plausibly instruct a particular recipient to perform a particular action; it has to get the victim to click or open something.
In spear phishing, on the other hand, payload-less or zero payload attacks are much more common. Here the attacker does not try to redirect the victim or get them to install anything. Instead, the message itself instructs the recipient to carry out an action.
For example, someone posing as the VP of accounts could email an accounts payable employee who is on holiday, asking them to urgently settle an invoice by wiring funds to account details given in the email itself. The recipient, on vacation and unlikely to spend time cross-checking, simply wires the amount from the company's account. These are called zero payload attacks because no file or hyperlink is involved; this particular pattern is also known as business email compromise (BEC).
Bear in mind that neither rule is absolute: generic phishing with no link or attachment does occur, and spear phishing can carry a payload too, for instance a tailored lure that leads to a credential-harvesting page or a weaponised attachment.
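"No file or hyperlink" does not mean nothing to detect. A zero payload message still has to impersonate someone, route replies somewhere the attacker reads, and ask for money, and each of those leaves a trace in the headers or text. The following is an added example, not code from the original article: it scores a raw message for the traits of the wire-transfer scenario above. The company domain, the executive directory, the two sample messages (one BEC lure, one routine internal note) and the point values are all constructed for illustration.

```python
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"  # hypothetical company domain
# Hypothetical directory of senior staff whose names are worth impersonating.
EXECUTIVES = {"dana reyes": "dana.reyes@example-corp.com"}

URGENCY = re.compile(r"\b(urgent|urgently|immediately|today|asap|before (?:eod|close of business))\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|iban|swift|routing|account number|invoice|pay now)\b", re.I)
# IBAN-like token or a long bare digit run, as found in payment instructions.
BANK_ACCOUNT = re.compile(r"\b(?:[A-Z]{2}\d{2}[A-Z0-9]{11,30}|\d{8,17})\b")
URL = re.compile(r"https?://", re.I)


def plain_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (single- or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> tuple[int, list[str]]:
    """Score a raw RFC 5322 message for zero-payload BEC traits.

    Returns (score, reasons). The point values are illustrative, not tuned."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    text = msg.get("Subject", "") + "\n" + plain_text(msg)

    score, reasons = 0, []
    # 1. Display-name impersonation: a known executive's name on the wrong address.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        score += 3
        reasons.append(f"display name '{from_name}' but address is {from_addr}")
    # 2. Replies quietly redirected to a mailbox the attacker controls.
    if reply_to and reply_to.lower() != from_addr.lower():
        score += 2
        reasons.append(f"Reply-To {reply_to} differs from From")
    # 3. An outside sender making an internal-sounding request.
    if from_domain != INTERNAL_DOMAIN:
        score += 1
        reasons.append(f"external sender domain {from_domain}")
    # 4. The social-engineering content: urgency, payment, account details.
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency language")
    if PAYMENT.search(text):
        score += 1
        reasons.append("payment instructions")
    if BANK_ACCOUNT.search(text):
        score += 2
        reasons.append("bank account details in body")
    # 5. The zero-payload signature: nothing to click or open, yet an action is demanded.
    has_link = bool(URL.search(text))
    has_attachment = any(part.get_filename() for part in msg.walk())
    if score >= 3 and not has_link and not has_attachment:
        reasons.append("no link or attachment: the request itself is the payload")
    return score, reasons


# Constructed BEC lure modelled on the article's out-of-office wire-transfer scenario.
BEC_SAMPLE = """\
From: Dana Reyes <dana.reyes@example-corp-mail.com>
Reply-To: d.reyes.office@webmail.example
To: accounts.payable@example-corp.com
Subject: Urgent - vendor invoice before EOD
Content-Type: text/plain; charset="utf-8"

Hi, I know you are out of office, but this needs to go today. Please wire
the outstanding invoice for Northwind Supply to the account below and confirm.

IBAN: DE89370400440532013000
Amount: EUR 48,750

Thanks, Dana
"""

# Constructed routine internal message from the same executive, for contrast.
LEGIT_SAMPLE = """\
From: Dana Reyes <dana.reyes@example-corp.com>
To: accounts.payable@example-corp.com
Subject: Q3 vendor review
Content-Type: text/plain; charset="utf-8"

Team, the Q3 vendor review is scheduled for next Thursday. Please have the
invoice summaries ready in the shared folder. Thanks, Dana
"""

if __name__ == "__main__":
    for label, sample in (("BEC lure", BEC_SAMPLE), ("routine note", LEGIT_SAMPLE)):
        score, reasons = score_message(sample)
        print(f"{label}: score {score}")
        for reason in reasons:
            print("   -", reason)
```

The lure scores on every axis while the genuine note only trips the word "invoice", which is why the header checks (display name against a directory, Reply-To against From, sender domain) carry more weight than keywords: the vocabulary of a payment request is the same whether the sender is real or not, but the routing an attacker needs is not.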
5. Cost: A single spear-phishing attack will cost you $1.6 million on an average
In terms of the costs you incur, spear phishing differs from generic phishing. Research suggests that a single spear phishing incident can cost an organisation $1.6 million on average. Because the attacker targets individuals with ready access to funds or information, the chances of the attack succeeding, and therefore of incurring those costs, are high.
The cost component of generic phishing is more difficult to calculate, as there are numerous victims involved. Even if each victim pays out a small sum of money, the hacker stands to gain a large cumulative sum. The difference is essentially in who bears the cost. The cost of generic phishing is borne by multiple individuals – both consumers and business users – if they act on the attacker’s message.
Spear phishing, on the other hand, typically costs the company directly: fraudulent fund transfers, damage to business reputation, loss of customer trust (the attack implies that employee contact information has already leaked), and disruption to business continuity while systems and passwords are reset.