As we continue our blogs looking at the different types of phishing attacks that target businesses, we move on to attacks known as ‘spear phishing’ and ‘whaling’. Phishing is one of the most common tactics used by cybercriminals, typically involving fraudulent emails to trick individuals into revealing sensitive information or clicking on malicious links.
There is, however, a more targeted form of phishing which poses an even greater risk to micro-businesses and SMEs because of its personalised nature and its focus on senior management targets. These are spear phishing and whaling, and understanding how these attacks work and how to defend against them is crucial for protecting your business.
What is spear phishing?
Spear phishing is a highly targeted form of phishing where the criminals focus on a specific individual or organisation. Unlike the mass phishing emails which we all regularly see, these attacks are personalised to make them look even more convincing. This method often relies on detailed research to help craft a message that looks legitimate and is relevant to the recipient.
Attackers will gather information about the target from a variety of available sources, such as social media profiles, company websites, or industry news. This information can be used to create a message that appears to come from a trusted source, such as a service provider, client, colleague or business partner. The message may reference recent business activities or use relevant language to increase its credibility.
Imagine the scenario where you are a business owner or senior manager responsible for IT and you receive the below message purporting to be from your managed service provider:
"Hi Alex, I’m attaching the updated client contract for your review. Please read and let me know if you have any questions. Thanks, Owain (from your IT support team / MSP)"
You recognise the sender's name because the attackers identified it during their research. If you now opened the attached document, you would allow the malware it contains to compromise your computer or network, giving the attacker access to your sensitive business data.
What is whaling?
Then there is whaling, which is a specific type of spear phishing that targets high-profile individuals within an organisation, such as CEOs, CFOs, or business owners. These attacks aim to deceive those who are senior leaders, for example to authorise a large financial transaction or disclose critical business information.
Whaling attacks are generally even more sophisticated and carefully crafted than the standard spear phishing attempt. They rely on psychological manipulation and often play on urgency or authority to pressure the target into taking the action demanded.
An example scenario would be where you are the finance officer and receive the below message from what appears to be your CEO requesting an urgent payment. The email even appears to be from the genuine address but actually has a very subtle change.
“Hi Gwyn,
I need you to process a wire transfer immediately to secure a confidential acquisition deal. This is highly time-sensitive, and we cannot afford delays. Please find the bank details below:
Recipient Bank: XYZ Bank / Account Number: 123456789 / Amount: £250,000
Keep this strictly confidential and confirm once completed. I’m currently in a meeting and won’t be able to answer calls.
Regards,
Bethan”
The attacker has pretended to be the CEO of the business and uses urgency and authority to pressure the finance officer, while also discouraging validation of the request and demanding secrecy to prevent consultation with others. The payment is made to the criminal’s account.
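The two warning signs in this scenario, a sender address one character away from the genuine one and wording that applies pressure while blocking verification, can be checked mechanically. The following is an added example (not code from the original article) that scores a message against a trusted company domain; the homoglyph table, the cue phrases and the sample email are assumptions constructed for illustration.

```python
import re

# Homoglyph substitutions seen in lookalike domains (assumed, illustrative set).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Pressure cues drawn from the whaling scenario in the article.
URGENCY = ("immediately", "time-sensitive", "cannot afford delays", "urgent")
SECRECY = ("strictly confidential", "keep this confidential", "won't be able to answer calls")

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character domain changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(sender_domain: str, trusted_domain: str) -> bool:
    """True when the domain differs from the trusted one by one edit or a homoglyph swap."""
    s, t = sender_domain.lower(), trusted_domain.lower()
    if s == t:
        return False
    return levenshtein(s, t) <= 1 or s.translate(HOMOGLYPHS) == t

def review_message(sender: str, body: str, trusted_domain: str) -> list[str]:
    """Return the reasons a message deserves out-of-band verification (empty = no flags)."""
    reasons = []
    domain = sender.rsplit("@", 1)[-1]
    if is_lookalike(domain, trusted_domain):
        reasons.append(f"sender domain {domain!r} is a lookalike of {trusted_domain!r}")
    text = body.lower()
    if any(cue in text for cue in URGENCY):
        reasons.append("urgency pressure")
    if any(cue in text for cue in SECRECY):
        reasons.append("secrecy / blocks verification")
    if re.search(r"\b(wire transfer|bank details|account number)\b", text):
        reasons.append("requests a payment")
    return reasons

# Constructed sample, modelled on the whaling email in the article (not real data).
SAMPLE_SENDER = "bethan@examp1e-business.co.uk"   # digit 1 in place of the letter l
SAMPLE_BODY = ("I need you to process a wire transfer immediately to secure a confidential "
               "acquisition deal. This is highly time-sensitive. Keep this strictly confidential. "
               "I'm currently in a meeting and won't be able to answer calls.")

if __name__ == "__main__":
    for reason in review_message(SAMPLE_SENDER, SAMPLE_BODY, "example-business.co.uk"):
        print("FLAG:", reason)
```

A message that raises both a lookalike flag and a payment flag is exactly the case where the finance officer should call the CEO back on a known number rather than reply to the email.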
How to protect against spear phishing and whaling
To reduce the risk of falling victim to these targeted attacks, micro-businesses and SMEs should adopt the following best practices:
Enable multi-factor authentication (MFA): Add this highly effective extra layer of security to make it harder for attackers to gain access to your sensitive accounts.
Educate staff and executives: Regular training helps employees and senior leaders recognise suspicious emails and understand the tactics used by attackers.
Verify requests for sensitive information or payments: Always verify unusual requests, especially those involving financial transactions, by contacting the requester directly using trusted contact details.
Use anti-phishing solutions: Deploy email filtering tools and security software to help detect and block phishing attempts.
Implement strong password policies: Encourage the use of unique, complex passwords that are not reused across multiple accounts.
Create an incident response plan: Have a clear process in place for reporting and responding to suspected phishing attacks.
Building a culture of awareness and resilience
It’s becoming more and more difficult to spot these targeted phishing emails, especially with artificial intelligence becoming more accessible for the criminals to use as a tool to craft sophisticated attacks.
Cyber security is not just about technology—it’s about creating a culture of awareness and vigilance. For micro-businesses and SMEs, this means developing an environment where everyone feels empowered to question suspicious communications and take proactive steps to protect the organisation.
Spear phishing and whaling are serious threats, but with the right precautions, businesses can significantly reduce their risk. By staying informed and following best practices, you can protect your business from becoming the next target.
If you haven’t already done so, join our free membership programme for tools, tips, resources and national guidance on how to keep your business safer from cyber threats.