The IT Security Blog Roundup

IT security term of the day: whaling

One of the best parts of IT security is the often silly-sounding terminology in common use.

Phishing, in one form or another, has been around forever. And what else would targeted phishing be called other than spear phishing?

Here’s a new one – whaling.

If you think about it logically, whaling means exactly what you would think it would mean, at least in comparison to phishing. It’s Captain Ahab the Scammer, out there on the wild seas looking for the biggest of fishes.

These scammers are going after the high rollers, hoping they can find one naive user to hand over the mother lode of passwords and usernames.

And as the name would suggest, whaling isn’t for everyone.

Gunter Ollman has a better description than I can offer at X-Force Labs’ blog:

“Once armed with a list of addresses specific to their quarry, the phishers send email that appears as though it may have come from the employer or someone who would normally send an email message to everyone within the organizational group (e.g. head of marketing and sales, the IT support team, the owner of the message board, etc.). In reality, the message sender information will have been faked (i.e. spoofed).

The contents of the message will vary with each attack, but will use any information the phishers can to personalize the scam to as specific a group as possible. The messages commonly focus on requesting login credentials (e.g. user name and password) and stealing their login credentials.

Unlike normal phishing scams whose objective is to steal an individual’s online banking credentials, the spear phisher is most often seeking to gain access to the entire network of an organization. That said, it is not unheard of for spear phishers to target the users of a specific piece of software (e.g. members of a specific ‘clan’ within World of Warcraft) and steal their login credentials.”
- Gunter Ollman, Frequency X, “Spear phishing and whaling”
