For threat actors, phishing embodies the holy trinity of goals: easy, effective and profitable. It’s no wonder that the 2022 X-Force Threat Intelligence Index reports that phishing was the top method used by attackers to breach an organization. Of all the attacks that X-Force remediated in 2021, attackers used phishing in 41% of them.

Because phishing is so successful, it has taken on a life of its own with numerous variants. Take a look at three trending types and how to prevent them.

What Is Spear Phishing?

Spear phishing attacks are more targeted than general phishing. They specifically aim to reel in higher-value companies and victims. The fishing analogy here would be spending more time going after bigger fish. For an attacker, spear phishing is often more profitable than the ‘spray and pray’ method of sending a general phishing attack to thousands of companies.

One of the main reasons why spear phishing is so successful is because adversaries will spend much more time researching their victims. The more they know about their specific targets, the better they can be at tailoring their message. Therefore, the chance of tricking the victim increases. For example, an attacker may spend time on the company’s social media accounts. Perhaps the company hosted a particular webinar, and the attacker could reference information about the topic in their phishing email.

It’s important to note that today, most spear phishing attacks can be launched quickly and easily. Typically, they take only a few clicks of the mouse. With pre-made phishing kits for sale on the dark web, the barrier to entry for adversaries is getting lower each year.

What Is Whaling in Cybersecurity?

Whaling is very similar to a spear phishing attack but targets the C-suite and top executives. While spear phishing may target lower-level employees of a high-value organization, whaling focuses on high-value employees. After all, if an attacker can gain account credentials from the CEO or chief financial officer, their bounty will be larger than the username and password information of an employee further down the org chart.

Like spear phishing, whaling also requires attackers to research their victims, perhaps even more so. Typically, whaling attacks begin with social engineering techniques via phone calls or emails.

Armed with that research, the attacker will craft their phishing message to lure the victim into believing the email is honest. One common form of whaling to look out for is the Business Email Compromise (BEC), which aims to fool the victim into thinking it comes from a C-suite executive’s email account. Attackers often edit the account name and address to look similar enough to fool users.

For example, a BEC scam in 2020 was successful when attackers changed one letter of the company CEO’s email address. It was enough to fool the victim into transferring one million into the fraudster’s account to “address COVID precautions”.

What Is Barrel Phishing?

Barrel phishing, also known as double-barrel phishing, aims to fool victims with two separate emails. The first email is typically safe; it does not contain malware or a phony link. Attackers use it as the bait to establish trust. Once some sort of trust has been established, the attacker sends another email as a follow-up, which will include a malicious attachment or link.

These pressure tactics can lead to users giving their information to attackers, putting their data and company at risk.

For example, the first message will appear innocent, like “Hey there, quick question for you.” The second email could say something like, “Hey again. Sending this file your way, can you please check for errors? Need ASAP.”

The attack succeeds as soon as the victim clicks on the attachment or clicks on a link sending them to a phony website asking for login details.

How to Protect Your Organization From Phishing Attacks

Approach defending against phishing attacks with a three-pronged strategy, consisting of technology, awareness and vigilance.


When it comes to phishing awareness, the right tech can produce great results. For example, KnowBe4 or Hoxhunt security and phishing awareness programs can put employees to the test with fake target phishing emails. They conduct tests randomly and often adjust the email’s content, context and complexity.

Another way to defend against phishing attacks is multi-factor authentication (MFA). While MFA is not foolproof, requiring phishers to jump through an extra hoop to authenticate could go a long way in preventing an attack. Using spam controls, URL blocking and ensuring personal devices are patched can also be helpful.


Technology aside, champion phishing awareness from a human perspective. Brief but frequent training sessions can go a long way in raising awareness. If training is engaging and short, employees won’t see it as a burden. Training should adapt to match the threat landscape.

But perhaps most importantly, vigilance is required from all employees, especially C-suite executives. It’s only human nature to trust an email or phone call that may seem honest. But if everyone is skeptical of requests by default, the whole group benefits.

Vigilance and Culture

If you receive a request that may seem honest, but you are not entirely sure, why not follow up with a phone call or in-person visit? Emailing the requester to confirm won’t help, as replying to an attacker will only signal that they have you on the hook.

If the request contains a link, a good practice would be to type in the website address in the browser by hand to confirm it’s real.

Culture is critical here. Employees should feel completely comfortable reporting suspicious emails and requests. When employees feel empowered by security awareness training, they’re more likely to make the right decisions.

Here’s the big takeaway: C-suite executives need to participate, too. Senior management should be equally active in awareness training. After all, they are the biggest targets for the phishing attacks we’ve discussed.

More from Risk Management

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Worms of Wisdom: How WannaCry Shapes Cybersecurity Today

WannaCry wasn't a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry "ransomworm" hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide. While the discovery of a "kill switch" in the code blunted the spread of the attack and newly…

Why Operational Technology Security Cannot Be Avoided

Operational technology (OT) includes any hardware and software that directly monitors and controls industrial equipment and all its assets, processes and events to detect or initiate a change. Yet despite occupying a critical role in a large number of essential industries, OT security is also uniquely vulnerable to attack. From power grids to nuclear plants, attacks on OT systems have caused devastating work interruptions and physical damage in industries across the globe. In fact, cyberattacks with OT targets have substantially…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…