
‘Whaling’ and ‘spear phishing’ scams

What are whaling and spear phishing scams?

Whaling or spear phishing occurs when a scammer targets an organisation and sends personalised emails to either a group of employees or a specific executive officer or senior manager. The emails refer to fake but critical business matters, such as legal subpoenas or customer complaints.

Emails may appear to have been sent from a trustworthy source such as an employer or staff member within the organisation. Email addresses may be similar (but not identical) to an address you are familiar with.

The scammer’s aim is to convince you that the email requires urgent action by following a link to a fake website or opening a malware-infected attachment. When you visit the fake, but convincing website, it will ask you to do one or more of the following:
• enter confidential company information and passwords
• provide financial details or enter them when making a payment for a fake software download.

If financial details are provided, the scammer will use them to commit fraud.

Alternatively, if you open an email attachment, it will download malware onto your computer. Malware can record your key strokes, passwords and other company information, allowing the scammer to access it when you go online.

Warning signs

  • You receive an email out of the blue on an urgent company related matter which you were previously unaware of.
  • The email comes from an email address you either do not recognise or which is similar (but not identical) to an address you are familiar with.
  • The email contains either an attachment or a link to a website where you are asked to enter personal details or to pay to download software so as to view an official document such as a subpoena.
  • Remember: legitimate websites which ask you to enter sensitive personal information are commonly encrypted to protect your details. This is usually identified by the use of “https:” rather than “http:” at the start of the internet address or a closed padlock or unbroken key icon at the bottom right corner of your browser window. If these are missing or there is an open padlock or broken key icon present, the website is not secure and could be a scam site.
  • The scam website will often look very official and convincing.
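The “similar (but not identical) address” warning sign above can be checked mechanically before a message reaches an executive. The script below is an added example, not Scamwatch’s own tooling: it compares a sender’s domain against a list of trusted domains and flags confusable characters, a trusted name embedded in a longer domain, and typo-level near misses. The domain list, confusable table and the 0.85 similarity threshold are assumed sample values.

```python
import re
from difflib import SequenceMatcher

# Domains this organisation legitimately receives mail from (constructed sample, not real).
KNOWN_DOMAINS = {"example.com.au", "example-legal.com"}
# Character swaps often used to build a lookalike name; illustrative, not exhaustive.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
# Similarity above which a domain counts as a near miss of a trusted one (assumed tuning value).
NEAR_MISS = 0.85


def sender_domain(address: str) -> str:
    """Pull the domain out of a From: value such as 'CEO <ceo@example.com.au>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", address)
    return match.group(1).lower() if match else ""


def fold(domain: str) -> str:
    """Replace confusable sequences so 'exarnp1e.com.au' folds to 'example.com.au'."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def classify_sender(address: str, known=KNOWN_DOMAINS) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the sending domain."""
    domain = sender_domain(address)
    if not domain:
        return "unknown"
    # The trusted domain itself, or a host under it (mail.example.com.au).
    if domain in known or any(domain.endswith("." + k) for k in known):
        return "known"
    for k in known:
        if fold(domain) == fold(k):        # confusable characters (rn -> m, 1 -> l, ...)
            return "lookalike"
        if k in domain:                    # trusted name embedded in a longer domain
            return "lookalike"
        if SequenceMatcher(None, domain, k).ratio() >= NEAR_MISS:  # typo-level difference
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers, not captured mail.
    for sample in ["Finance <ap@mail.example.com.au>", "CEO <ceo@exarnple.com.au>",
                   "Legal <notices@example.com.au.document-review.net>",
                   "Vendor <sales@supplier-widgets.test>"]:
        print(f"{classify_sender(sample):9s} {sample}")
```

A “lookalike” result is a signal to verify the sender out of band (for example by phone on a number you already hold), not proof of a scam, since legitimate partners do sometimes register similar names.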

Protect yourself from whaling and spear phishing scams

  • Consider what personal information you post on social/business networking services. Scammers use publicly-available information to identify potential whaling/spear phishing victims.
  • Seek independent legal advice if you receive an email regarding a legal subpoena or customer complaint.
  • You can verify a website’s authenticity by looking for “https:” at the beginning of the internet address, the locked padlock icon or the unbroken key icon.
  • Check if a website has a digital certificate. If it has one it will generally appear as a padlock icon alongside the web address. You can click on the icon to ensure that the certificate has been verified, is official and hasn’t expired.  
  • Install and regularly update antivirus, antispyware and firewall software.
  • Never click on links provided in emails or open attachments from strangers. An email with an attachment that arrives unexpectedly could contain malware, even if it’s not whaling/spear phishing malware.
  • Never provide your personal, business, credit card or account details online unless you have verified the website is authentic. If you think you have provided account details to a scammer, contact your bank or financial institution immediately. 
  • Ensure your business’s postal mail is delivered to a secure/locked mailbox.
  • Shred all business documents before you dispose of them.

As well as following these specific tips, find out how to protect yourself from all sorts of other scams.

Report scams

If you think you’ve spotted a scam, report a scam to SCAMwatch or contact the ACCC on 1300 795 995. You should also spread the word to your friends and family to protect them.

More information

Check out our Requests for your account information ('phishing' scams) and ‘Pharming’ scams pages which deal with a similar scam approach.


© Commonwealth of Australia 2015