Spear phishing, whaling and the like: attacks are becoming more sophisticated

Jan Tissler

The days when fake login pages and emails were easy to spot are long gone. "Phishing" attacks are becoming increasingly sophisticated. Some even target just one person. In this article, we explain how they work and what can be done to counter them.

In phishing, criminals "fish" for valuable data such as passwords or credit card information. This can be an initial gateway for a larger attack.

For example, victims are sent an email that appears to come from a well-known organization such as their mobile phone provider. A link directs them to a website because certain details supposedly need to be confirmed urgently. In reality, however, the site is operated by criminals who are gradually collecting their virtual prey in this way.

Another goal may be to infiltrate malware that delivers the desired information. This malware can disguise itself as a harmless email attachment or as a download from cloud storage.

How phishing attacks trick their victims

In the early days, such emails and websites were still quite easy to recognize - at least for trained eyes. Nowadays, however, they are becoming more and more sophisticated and even come with confidence-inspiring details such as the padlock in the address bar.

Some methods are difficult to recognize, even for experts. For example, JavaScript can be used to fake a different URL in the browser bar. Or a vulnerability in the original page is exploited: In this case, the victims actually end up on a legitimate page, but it passes on their input to the attackers.

What's more, we are no longer talking about emails and websites alone. Attacks are also attempted via text messages or phone calls with a fake callerID ("call ID spoofing"). Today, even voices can be deceptively imitated using suitable tools.

In general, phishing attacks regularly rely on certain psychological tricks:

  • Arouse trust via known senders (persons, organizations). The sender address of an email is easy to forge. This is true even if modern security measures are used, as was demonstrated at the "Black Hat" security conference. Details and information from other sources are also sometimes interspersed, for example from social networks or other hacks and data leaks.
  • Exerting pressure about supposedly serious consequences if you don't react quickly. If the email then appears to come from a superior, the stress center quickly overrules common sense.
  • Trigger curiosity by promising explosive information in an attachment.
  • Taking advantage of helpfulness when a customer or colleague supposedly needs support.

"Spear phishing": personalized attacks

Last but not least, phishing has become more specialized. In spear phishing, the attack is targeted at a specific company or even an individual person. The term "whaling" is used when a high-ranking manager is targeted. And as experiments suggest, they may even be more susceptible to such attacks. At the same time, these attacks are difficult to detect because they are often prepared in detail over a long period of time.

There are now also services for implementing spear phishing on a large scale. For example, automated or semi-automated information is collected on the web in order to personalize the messages for the respective person.

The consequences of successful attacks can be very different, as these three examples show:

  • Phone calls from alleged Twitter colleagues led employees to hand over access data for internal tools in July 2020. Several high-ranking profiles were subsequently taken over and used for a Bitcoin scam.
  • The hacker group "Evilnum" exploits the strict rules surrounding the verification of new customers in the KYC process to plant malware on fintechs. The submitted documents only contain parts of the malware so that it cannot be detected by security tools. If the malware is successfully installed, it can steal login data, among other things.
  • In 2016, employees of Leoni AG from Nuremberg were tricked into diverting funds to another account using forged documents and identities as well as "electronic communication channels". Damage: 40 million euros.


One of the most important protective measures against such attacks: Creating awareness. Studies have shown that such manipulation is significantly less successful if the other party is aware of the scams.

It is recommended that knowledge is not simply imparted. Rather, everyone in the organization should practice recognizing such attack patterns, e.g. through a simulation.

Clear processes are also important: who is allowed to disclose what information to whom and when? Because of course you want to help a customer or colleague in need. But it must still be ensured that the person making the request is actually authorized to do so. A second person may always be required for certain actions. Or confirmation must be obtained via another channel.

And, of course, the organization needs solid basic security. This includes two-factor authentication, for example: in addition to a password, you also need access to your smartphone to log in. Even small things can help, such as clearly marking external emails as such.