Phishing, Spoofing and Whaling: Tips for Keeping Your Company Safe

Phishing, Spoofing and Whaling: Tips for Keeping Your Company Safe

Cyberattacks are among the biggest threats to businesses. Arm your employees with policies and knowledge.

Cybersecurity is quickly becoming the primary boardroom agenda item within modern digital organizations. Senior directors and CEOs are quickly realizing how serious cybersecurity failures can become and the risk their organizations face in the event of a security breach. Businesses are prime targets for ‘black hat’ hacking groups as the financial rewards from a successful breach can be appealing and it often requires minimal effort to succeed.

Phishing, spoofing, and whaling attempts are daily occurrences for most businesses. It is of significant importance to ensure your business and employees are prepared to face these cybersecurity challenges in the ever-changing digital workplace.

Protect your company's valuable information with the free Data Theft Prevention Checklist.

So, what exactly are phishing, spoofing, and whaling?

Phishing occurs when a third party attempts to impersonate a genuine source to send or infiltrate fraudulent communications. Typical examples include impersonating banks, insurance brokers and cloud storage providers. Phishing techniques are commonly disguised within genuine-looking emails and contain fraudulent URL links to fake websites. The aim is to get someone to click on the link and divulge some form of personal information.

Spoofing happens when a third party maliciously impersonates a genuine IT system or device with the intention of launching an attack against a computer network to steal data or spread malware. Spoofing can apply to email communications, phone calls or websites and is used to gain control of vulnerable systems by installing some form of malware. Common spoofing scams include attacks that fake the target’s IP, DNS or identity information in an attempt to impersonate data as a “genuine” source. An unexpected user then divulges personal information thinking they are using a genuine service.

Whaling is a derivative of phishing; however, the target is nearly always a senior executive, CEO, company director or high-profile employee. The main aim is to steal sensitive information usually about the target or target company. The idea being that CEOs will be too busy to securely vet all their emails and might divulge sensitive information inadvertently.

Unfortunately, despite the best efforts of businesses throughout the globe, these methods of cyber attacks are prevalent and many individuals and organizations fall for phishing, spoofing and whaling schemes on a daily basis.

Oops, too late? Download the free cheat sheet on 7 Steps to Address a Data Breach.

Tips for Staying Safe

These threats are not going to stop anytime soon; businesses must take preventative measures to secure their IT infrastructure. There are several tips for cyber risk management processes that can be followed to empower your organization to develop robust and resilient cybersecurity foundations.

Risk and Remediation

One of the first tasks to complete is a top-to-bottom risk assessment on all business operations, systems, protocols and processes used throughout the organization. This initial consultation can identify current flaws and weaknesses and can help to determine what security objectives are achievable.

This process might take several weeks, but after completion, a remediation roadmap can be created to prioritize the most critical security concerns uncovered, and a plan and schedule can be designed to understand how to resolve each problem.

Patching and Updates

One of the first actions to complete is to ensure all computer infrastructure is patched and up-to-date with the very latest security updates. All laptops, PCs and business servers must be patched and running modern (vendor supported) operating systems with antivirus and malware protection software installed.

Many organizations have these types of measures already in place; however, it is not surprising to discover a significant quantity of servers that are months or years out of date. Additionally, the number of servers that have failed to download the latest security updates for antivirus is usually high.

These basic measures create a barrier to protect users and computers against malware, but most importantly, it ensures the operating system is secured against the latest vulnerabilities, which should also prevent ransomware and known virus signatures.

Technical Safeguards

There are a number of technical solutions to improve an organization’s security. Devices such as email content screening hardware/software can intercept and quarantine known incoming scam emails for added security. This technology uses machine learning and whitelisting databases to offer the very latest level of email security.

Software plugins such as PhishAlarm work with email clients like Outlook and allow users to instantly report suspected phishing and whaling attempts directly to an internal security team. Software appliances can scan the embedded URL links often found in compromised emails and automatically block outgoing connection attempts to fake sites.

Other hardware safeguards such as an Intrusion Prevention System (IPS) can deploy probes that monitor and manage traffic on a business network. The IPS scans for suspicious activity such as unexpected egress network traffic to an unknown URL. If a threat is detected, the system will alert and a decision can be made to isolate parts of the network to prevent an outbreak.

Regular external vulnerability testing and annual penetration testing procedures should be put in place to look for weaknesses. These tests create a “real world” scenario that enables organizations to test new security protections and ensure internal audit requirements are attainable.


Arguably, the key defense against malware from phishing, spoofing, and whaling is the continued education and training of employees. Security concepts and knowledge of the latest threat trends should be offered in compulsory training initiated by the organization. Security is a business-wide agenda that requires the buy-in of all employees.

Communicating to staff what ransomware, malware, viruses, phishing, and spoofing are can enlighten employees to the dangers of these threats, which in turn can help enforce security consciousness throughout the business. Mandatory security training should be offered to all new employees to help create a secure workplace of the future.

Threat advisory bulletins and information security awareness training are essential as well as phishing/social engineering tests in a real-world scenario that makes sure employees are adhering to training best practices. These tests are not designed to catch individuals out, but instead to learn the weak points within the business that are high risk, and then develop future strategies that add extra layers of protection.