The Difference Between Phishing, Spear Phishing and Social Engineering

January 21, 2020

There are real differences between phishing, spear phishing and social engineering attacks, but the terms are often used interchangeably and incorrectly. That creates confusion when people describe attacks and plan defenses. Understanding these attack types, and how they differ, matters.


In our review of the 5 Agonies of Cyber Attacks, we pointed out that 60% of companies reported being victims of social engineering attacks in the previous year and 61% saw spear phishing as one of the most significant threats faced today. Other reports show that 91% of all cyber attacks start with a phishing or spear phishing campaign and Proofpoint found that 99.7% of documents used in attachment-based campaigns relied on social engineering and macros.

Got it? Alright. Team Graphus has put together some clear definitions of phishing, spear phishing and social engineering, with examples, and has thrown in whaling as a bonus term. A common understanding of these terms helps IT organizations and business executives communicate more clearly and coordinate better in defending against the most common forms of successful cyber attack.

What is Phishing?


Traditional phishing scams cast a wide net in hopes of catching a few unwary victims. Typically, the target will receive an email that looks legitimate and warns the person that they need to login to a website to perform a certain action. The email will contain a link to what looks like a legitimate website and the victim will be asked to enter their account details. Once entered, the cyber criminal will use that information to steal, commit fraud or obtain even more valuable information. The attack strategy is to contact a large volume of potential victims in hopes of identifying a handful that will click-through and fall for the ruse.


What are some Phishing examples?

Phishing attacks generally involve a malicious attachment or a link to a credential-harvesting page or compromised website. Ars Technica reported on several phishing-initiated ransomware attacks against hospitals in 2016.

“March has not been a good month for hospital IT. Last week, staff at Methodist Hospital in Henderson, Kentucky paid a ransom to restore the hospital’s systems, reportedly of $17,000—though sources familiar with the episode say the hospital paid much more. And in California, two hospitals operated by Prime Healthcare Management, Inc. were forced to shut down systems. The Prime ransomware attack also caused disruptions of service at several other hospitals and at affiliate care providers as shared systems were taken offline…The Methodist Hospital and Prime Healthcare ransomware attacks came in via “phishing” e-mails.”

What is Spear Phishing?


By contrast, spear phishing is about small numbers of contacts that deliver a high conversion rate. Spear phishers obtain private information by researching the background of individuals and companies on social media, corporate websites and other publicly available information. Cyber criminals use that targeted information to convince the victim to perform a task or share information.

What are some examples of Spear Phishing?

A recent article from the Berks County, Pennsylvania local news site provides a good example.

“Weidenhammer has been victim of a spear phishing event that has resulted in the transfer of 100 percent of our 2016 W-2’s to an unknown party,” the founder of Weidenhammer Systems Corporation informed employees in 2017. “You should assume your Social Security number, your home address, your 2016 earnings and all of the tax withholding that would appear on a W-2 has been compromised.”

“The perpetrators have already begun to use the information to file fraudulent federal and state income tax returns for 2016, apply for home equity loans and open/defraud credit card accounts,” John Weidenhammer said.

This example shows how quickly a spear phishing scam can defraud a company's employees. More often, though, the target is the company's own finances or intellectual property. The Infosec Institute recorded the details of another spear phishing attack, on Ubiquiti Networks in 2015.

“The potential destructiveness of a spear phishing attack for a business is shown clearly in the case of Ubiquiti Networks Inc., an American network technology company for service providers and enterprises. In June of 2015, the company lost $46.7 Million because of a spear phishing e-mail. A report by the U.S. Securities and Exchange Commission shows that the attack was carried through ‘employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department.’”

What is Whaling?


This is a newer term and is simply a spear phishing attack targeting senior executives, the whales. Whaling may resemble spear phishing or social engineering but is distinguished by who in the organization it goes after. Executives may need some extra training to spot these types of attacks and they certainly require some added protection from technology solutions that can prevent incidents before they occur. If you are protected from spear phishing, you can assume you are also protected from Whaling.

What is an example of Whaling?

A whaling example from 2016 involves Snap, the high-profile social media company known for its popular Snapchat app. Digital Guardian offered this summary of the attack.

“In early 2016, the social media app Snapchat fell victim to a whaling attack when a high-ranking employee was emailed by a cybercriminal impersonating the CEO and was fooled into revealing employee payroll information.”

A 2015 attack targeted Mattel, the world-famous manufacturer of Barbie and other toys. CBS News reported:

“The email seemed unremarkable: a routine request by Mattel’s chief executive for a new vendor payment to China…The finance executive who got the note was naturally eager to please her new boss. She double-checked protocol. Fund transfers required approval from two high-ranking managers. She qualified and so did the CEO…Satisfied, the executive wired over $3 million to the Bank of Wenzhou, in China. Hours later, she mentioned the payment to Sinclair. But he hadn’t made any such request.”

What is Social Engineering?


While phishing schemes typically rely on email, attachments and webpages to capture private data, social engineering might use these, the phone or any number of different methods. Social engineering involves psychologically manipulating people into divulging information or taking inappropriate actions. Very often victims have no idea they have done something wrong until the fraud is later exposed. Like spear phishing, social engineering attacks are highly targeted on a small number of potential victims.

What are some examples of Social Engineering Attacks?

A USA Today article outlines a social engineering technique used in 2016.

“In one of the more recent incarnations of this scam, the criminals posing as lawyers contact targeted company executives claiming that they are handling important, confidential or extremely time-sensitive matters and use psychological pressure to trick the company executive into wiring the funds to the scammers.”

Another example comes courtesy of Smartfile. It describes an attack on the FBI that began with a simple social engineering technique over a telephone call.

“’So, I called [the helpdesk] up, told them I was new and I didn’t understand how to get past [the portal],’ the hacker told Motherboard. ‘They asked if I had a token code, I said no, they said that’s fine—just use our one. I clicked on it and I had full access to the computer.’

“Soon after that, 20,000 FBI and 9,000 Department of Homeland Security records were released to the public. The hacker accessed employees’ names and even credit card information. Using the IBM 2015 cost per record breach standard ($170 per record based on malicious activity), that’s nearly $5 million dollars lost during a 2-minute phone conversation. It was probably higher, given the amount of credit card data and the as-yet-unknown implications of the national security data that was accessed.”

What is Common Across these Attacks?

All of these techniques can lead to credential compromise, malicious links or malware being used as part of the attack. Many breaches involve multiple tactics, techniques and procedures (TTPs), as the industry saying goes, but most of them start with a simple email. Phishing, spear phishing, whaling and social engineering are typically the point of entry for an attack, or a point of escalation that makes it easier to reach valuable information or take more damaging actions.

They also all rely on techniques that your best intrusion prevention and endpoint detection systems cannot reliably deter, because it is a legitimate user who takes the action. Your employees are letting these people in through your front door, and sometimes they unwittingly do the stealing on the criminal's behalf.

Graphus Helps You Measure Trust and Prevent Compromise

Graphus has found a way to stop nearly all of these attacks by identifying known markers of deception and by building a graph of trusted relationships between your employees and the outside world. This goes well beyond the email security Google provides and beyond anti-phishing training; both help, but let far too many attacks through. An ISMG report suggests that 65% of social engineering attacks bypass these traditional defenses. Using graph theory along with machine learning and big-data algorithms enables Graphus to eliminate spear phishing and social engineering attacks.
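The two ingredients named above, markers of deception inside a single message and a graph of who already corresponds with whom, can be sketched in a short script. What follows is an added illustration written for this article; it is not Graphus's code and does not describe its actual algorithms. It also covers the look-alike links from the phishing section and the executive impersonation from the whaling examples. The organisation domain, the sent-mail history, the executive directory, the pressure-word list and the three sample messages are all constructed for the example.

```python
"""Score inbound mail against markers of deception plus a trust graph of prior correspondence.
Added illustration for this article, not Graphus's code; every domain, address and message is constructed."""
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed protected organisation (constructed)
SENT_HISTORY = [  # constructed outbound history: (internal sender, external recipient)
    ("alice@example.com", "vendor@trusted-supplier.example"),
    ("bob@example.com", "vendor@trusted-supplier.example"),
    ("carol@example.com", "counsel@lawfirm.example"),
]
EXECUTIVES = {"Pat Sinclair": "pat.sinclair@example.com"}  # constructed directory of whaling targets
# Pressure language typical of payment and credential lures.
PRESSURE_WORDS = ("urgent", "wire", "immediately", "confidential", "w-2", "verify your account")
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)


def build_trust_graph(history):
    """Undirected adjacency: which internal addresses have written to which external ones."""
    graph = defaultdict(set)
    for internal, external in history:
        graph[internal].add(external)
        graph[external].add(internal)
    return graph


def edit_distance(a, b):
    """Levenshtein distance; a small value against ORG_DOMAIN flags a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr): return addr.lower().rsplit("@", 1)[-1]


def host_of(url): return (urlparse(url).hostname or "").lower()


def score_message(raw, graph, org=ORG_DOMAIN, executives=EXECUTIVES):
    """Return the deception markers found in one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    body = msg.get_payload()
    sender_domain = domain_of(addr)
    findings = []
    # Marker 1 (whaling): an executive's display name on an address that is not theirs.
    if name in executives and addr != executives[name]:
        findings.append("executive display name on foreign address")
    # Marker 2: sender domain is a near miss of the organisation's domain (typo-squat or IDN).
    if sender_domain != org and ("xn--" in sender_domain or edit_distance(sender_domain, org) <= 2):
        findings.append(f"look-alike sender domain {sender_domain}")
    # Marker 3: Reply-To quietly moves the conversation to another domain.
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("reply-to domain differs from sender domain")
    # Marker 4 (trust graph): this external sender has never corresponded with the recipient.
    if sender_domain != org and addr not in graph.get(recipient, set()):
        findings.append("no prior correspondence with sender")
    # Marker 5 (phishing): link text names one site while the href goes to another.
    for href, text in HREF_RE.findall(body):
        shown = URL_RE.search(text)
        if shown and host_of(shown.group()) != host_of(href):
            findings.append(f"link text shows {host_of(shown.group())} but href goes to {host_of(href)}")
    # Marker 6: pressure language in the body.
    if any(w in body.lower() for w in PRESSURE_WORDS):
        findings.append("pressure language in body")
    return findings


TRUST = build_trust_graph(SENT_HISTORY)
# Three constructed samples: a legitimate vendor mail, a CEO-fraud (whaling) mail and a mass phish.
LEGIT = """From: Vendor <vendor@trusted-supplier.example>
To: alice@example.com
Subject: April invoice

Attached is the April invoice as agreed.
"""
CEO_FRAUD = """From: Pat Sinclair <pat.sinclair@exarnple.com>
Reply-To: pat.sinclair@webmail-relay.example
To: finance@example.com
Subject: Vendor payment

I need an urgent wire to a new vendor today. Keep this confidential.
"""
MASS_PHISH = """From: IT Support <support@mail-notify.example>
To: bob@example.com
Subject: Action required
Content-Type: text/html

Please <a href="http://login-example.example/reset">https://example.com/reset</a> to verify your account.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("ceo-fraud", CEO_FRAUD), ("mass-phish", MASS_PHISH)):
        print(label, score_message(sample, TRUST))
```

Run the file to print the markers found in each sample: the vendor mail scores none, the CEO-fraud mail trips five and the mass phish three. In practice the history would be built from the mail gateway's logs rather than a literal, the look-alike test would also consider homoglyphs beyond the IDN prefix, and the markers would be weighted rather than simply counted. The point is that the trust-graph check catches the first message from a stranger even when the message itself looks clean, which is exactly the case the per-message markers miss.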

G Suite business users can try Graphus for free for 30 days.