
What are phishing, spear phishing and whaling and how can you protect your company?

If you heard the title of this article read aloud, you’d likely think it was about a completely different topic. And that’s the thing about talking about phishing attacks in all their many forms. They sound quaint. That’s probably why so many articles start with cheesy puns.

Do you know what’s dangerous about that?

Phishing is anything but quaint. It’s illegal activity designed to trick your employees into granting criminals access to your data so they can rob you blind. It’s not cute. It’s insidious.

Let’s start there.

Cybercriminals are a proactive bunch

On TV and in the movies, cybercriminals are far too often depicted as kids dressed in slouchy clothes downing junk food and effortlessly forcing their way into private networks just to see if they can. A lot of online publications like to call them hackers, which hardly sounds intimidating.

We call them criminals, and for good reason. That’s what they are.

And they’re not just criminals. They’re innovative, proactive criminals who employ constantly evolving, creative strategies to get away with various kinds of theft. That’s the essence of all cybercrime, and it’s certainly true of phishing.

Even if you’ve read other articles about phishing, we’d like to ask you to give some serious attention to what we have to say. This is a serious topic. If you’re not prepared to deal with phishing attacks, your network could be in very real danger.

The different kinds of phishing

Phishing comes in a few forms, and it’s important to cover all of them so you’re ready for the different tactics cybercriminals use. But the core tactic is the same: tricking your employees into thinking something unsafe is safe.

Phishing
Phishing attacks were among the first email-based attacks to surface online. Remember those emails from Nigerian princes promising huge amounts of money if you help them with an online transfer? Those cyberattacks were based on a very similar kind of deception.

Here’s how a phishing attack works. As CSO explains, “The goal is to trick the email recipient into believing that the message is something they want or need—a request from their bank, for instance, or a note from someone in their company—and to click a link or download an attachment.”

That’s it.

Given how long we’ve known about them, you’d think we’d be wise to this particular trick by now. But as Diana Kelley, Microsoft’s Cybersecurity Field CTO, observes, “Phishing is still one of the biggest factors for attacking companies.”

Spear phishing

Spear phishing is the same thing, but with an added wrinkle. Your basic phishing attack is a shot in the dark. You might get an email from a bank you don’t even do business with. But spear phishing attacks are personal.

When spear phishing, cybercriminals will research their targets, “creating a message often designed to impersonate a trusted colleague or business to steal sensitive information, which is then used to commit crimes like fraud and identity theft.”

In other words, spear phishing cybercriminals know something about you already, and they use that information to gain your trust. After all, would most people ignore an urgent message from their bank or credit card company?

Whaling
Whaling is an even more targeted form of spear phishing—one aimed specifically at senior-level executives. And, of course, these are sophisticated attacks. We’re not talking about some random email in your CEO’s inbox. We’re talking about an email that looks legitimate right down to the sender’s address.

Business leaders are busy. All cybercriminals need is to sneak one successful whaling email past, and they’re in.

How to protect your company

Everything to this point is interesting, but none of it is helpful. What you really want to know is how to protect your company, so let’s look at a few key things you can do.

We have three tips for you.

Educate your employees

The single most powerful thing you can do to protect yourself from all three kinds of phishing attacks is to educate your employees. When they understand what to look for and the potential risk to the company, they’ll be far more likely to keep their guard up.

And this includes top leadership. Don’t think for a second that you, as the business leader, or any of the other execs are exempt. You’re not. A successful whaling attack can be catastrophic. You need cybersecurity training, too.

Test your employees

Phishing tests will give you an idea of how successful your training has been. A phishing test is a fake phishing campaign that you (or your security partner) launch against your own company to see who takes the bait and who doesn’t.

Phishing tests aren’t typically done with the intention of disciplining employees. Rather, these are learning experiences. When you know what slipped past your defenses, you’ll know what areas to train on next.

Find a good cybersecurity partner

We offer this last piece of advice knowing many of you won’t take it. (That’s okay. That’s why it’s not the only piece of advice!)

If you’re really serious about your cybersecurity protection, you need help. While there are things you can do to boost security on your own, nothing compares to partnering with a pro. A cybersecurity expert can help with everything from filters and automated tools designed to ferret out dangerous emails to employee training sessions and phishing tests.
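To make the “filters and automated tools” concrete, here is an added example (not code from the original article or from any vendor) of the kind of header and link checks a mail filter applies to catch messages that look legitimate at a glance. The trusted-domain list, the two sample messages and the `.test` domains are constructed for illustration; the function names are this example’s own.

```python
"""Heuristic screen for common phishing indicators in an e-mail.

Added example, not part of the original article or any product.
TRUSTED_DOMAINS and both sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Assumption: the domains your company and its bank genuinely send from.
TRUSTED_DOMAINS = {"example-bank.com", "yourcompany.com"}


def confusable_key(domain: str) -> str:
    """Normalise characters that lookalike domains commonly swap (1 for l, 0 for o, rn for m)."""
    table = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
    return domain.lower().translate(table).replace("rn", "m").replace("vv", "w")


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, or None if it is genuine or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    key = confusable_key(domain)
    for trusted in TRUSTED_DOMAINS:
        # Same name after normalisation, or the trusted name used as a
        # subdomain of some other registrable domain (example-bank.com.evil.test).
        if key == confusable_key(trusted) or domain.startswith(trusted + "."):
            return trusted
    return None


def phishing_indicators(raw: str) -> List[str]:
    """Return human-readable warnings for one RFC 822 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display name claims a trusted brand while the address domain is not trusted.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in display.lower() and from_domain not in TRUSTED_DOMAINS:
            findings.append(f"display name '{display}' does not match sender domain {from_domain}")
            break

    # 2. Sender domain is a lookalike of a trusted domain.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} resembles trusted domain {imitated}")

    # 3. Replies are routed to a different domain than the one the mail claims to come from.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rpartition("@")[2].lower()
    if reply_to and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Link text shows a trusted domain but the href points elsewhere.
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        href_domain = re.sub(r"^https?://", "", href).split("/")[0].lower()
        if any(t in text.lower() for t in TRUSTED_DOMAINS) and href_domain not in TRUSTED_DOMAINS:
            findings.append(f"link text '{text}' actually points to {href_domain}")
    return findings


# Constructed sample: a lookalike sender, a foreign Reply-To and a disguised link.
SAMPLE_SPOOF = """From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: collect@mailbox.test
To: cfo@yourcompany.com
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please sign in at <a href="http://login.mailbox.test/verify">https://example-bank.com</a></p>
"""

# Constructed sample: a genuine statement notice from the real domain.
SAMPLE_LEGIT = """From: "Example Bank" <alerts@example-bank.com>
To: cfo@yourcompany.com
Subject: Your monthly statement is ready
Content-Type: text/html

<p>See <a href="https://example-bank.com/statements">https://example-bank.com</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

Run as a script and the spoofed message produces four warnings while the genuine one produces none. Heuristics like these are a complement to training, not a replacement: a message with a perfectly matching sender address (the kind the whaling section describes) passes all four checks, which is exactly why the recipient still has to recognise an unusual request for what it is.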

Just make sure you find someone you feel comfortable with. Someone who truly listens to you. Someone you trust.

And whatever level of cybersecurity you opt for, make sure you do something. These threats aren’t going to stop, and the stakes are high.
