For threat actors, phishing embodies the holy trinity of goals: easy, effective and profitable. It’s no wonder that the 2022 X-Force Threat Intelligence Index reports that phishing was the top method used by attackers to breach an organization. Of all the attacks that X-Force remediated in 2021, attackers used phishing in 41% of them.

Because phishing is so successful, it has taken on a life of its own with numerous variants. Take a look at three trending types and how to prevent them.

What Is Spear Phishing?

Spear phishing attacks are more targeted than general phishing. They specifically aim to reel in higher-value companies and victims. The fishing analogy here would be spending more time going after bigger fish. For an attacker, spear phishing is often more profitable than the ‘spray and pray’ method of sending a general phishing attack to thousands of companies.

One of the main reasons why spear phishing is so successful is because adversaries will spend much more time researching their victims. The more they know about their specific targets, the better they can be at tailoring their message. Therefore, the chance of tricking the victim increases. For example, an attacker may spend time on the company’s social media accounts. Perhaps the company hosted a particular webinar, and the attacker could reference information about the topic in their phishing email.

It’s important to note that today, most spear phishing attacks can be launched quickly and easily. Typically, they take only a few clicks of the mouse. With pre-made phishing kits for sale on the dark web, the barrier to entry for adversaries is getting lower each year.

What Is Whaling in Cybersecurity?

Whaling is very similar to a spear phishing attack but targets the C-suite and top executives. While spear phishing may target lower-level employees of a high-value organization, whaling focuses on high-value employees. After all, if an attacker can gain account credentials from the CEO or chief financial officer, their bounty will be larger than the username and password information of an employee further down the org chart.

Like spear phishing, whaling also requires attackers to research their victims, perhaps even more so. Typically, whaling attacks begin with social engineering techniques via phone calls or emails.

Armed with that research, the attacker will craft their phishing message to lure the victim into believing the email is honest. One common form of whaling to look out for is the Business Email Compromise (BEC), which aims to fool the victim into thinking it comes from a C-suite executive’s email account. Attackers often edit the account name and address to look similar enough to fool users.

For example, a BEC scam in 2020 was successful when attackers changed one letter of the company CEO’s email address. It was enough to fool the victim into transferring one million into the fraudster’s account to “address COVID precautions”.

What Is Barrel Phishing?

Barrel phishing, also known as double-barrel phishing, aims to fool victims with two separate emails. The first email is typically safe; it does not contain malware or a phony link. Attackers use it as the bait to establish trust. Once some sort of trust has been established, the attacker sends another email as a follow-up, which will include a malicious attachment or link.

These pressure tactics can lead to users giving their information to attackers, putting their data and company at risk.

For example, the first message will appear innocent, like “Hey there, quick question for you.” The second email could say something like, “Hey again. Sending this file your way, can you please check for errors? Need ASAP.”

The attack succeeds as soon as the victim clicks on the attachment or clicks on a link sending them to a phony website asking for login details.

How to Protect Your Organization From Phishing Attacks

Approach defending against phishing attacks with a three-pronged strategy, consisting of technology, awareness and vigilance.


When it comes to phishing awareness, the right tech can produce great results. For example, KnowBe4 or Hoxhunt security and phishing awareness programs can put employees to the test with fake target phishing emails. They conduct tests randomly and often adjust the email’s content, context and complexity.

Another way to defend against phishing attacks is multi-factor authentication (MFA). While MFA is not foolproof, requiring phishers to jump through an extra hoop to authenticate could go a long way in preventing an attack. Using spam controls, URL blocking and ensuring personal devices are patched can also be helpful.


Technology aside, champion phishing awareness from a human perspective. Brief but frequent training sessions can go a long way in raising awareness. If training is engaging and short, employees won’t see it as a burden. Training should adapt to match the threat landscape.

But perhaps most importantly, vigilance is required from all employees, especially C-suite executives. It’s only human nature to trust an email or phone call that may seem honest. But if everyone is skeptical of requests by default, the whole group benefits.

Vigilance and Culture

If you receive a request that may seem honest, but you are not entirely sure, why not follow up with a phone call or in-person visit? Emailing the requester to confirm won’t help, as replying to an attacker will only signal that they have you on the hook.

If the request contains a link, a good practice would be to type in the website address in the browser by hand to confirm it’s real.

Culture is critical here. Employees should feel completely comfortable reporting suspicious emails and requests. When employees feel empowered by security awareness training, they’re more likely to make the right decisions.

Here’s the big takeaway: C-suite executives need to participate, too. Senior management should be equally active in awareness training. After all, they are the biggest targets for the phishing attacks we’ve discussed.

More from Risk Management

OneNote, Many Problems? The New Phishing Framework

There are plenty of phish in the digital sea, and attackers are constantly looking for new bait that helps them bypass security perimeters and land in user inboxes.Their newest hook? OneNote documents. First noticed in December 2022, this phishing framework has seen success in fooling multiple antivirus (AV) tools by using .one file extensions, and January 2023 saw an attack uptick as compromises continued.While this novel notes approach will eventually be phased out as phishing defenses catch up, current conditions…

The Role of Finance Departments in Cybersecurity

Consumers are becoming more aware of the data companies collect about them, and place high importance on data security and privacy. Though consumers aren’t aware of every data breach, they are justifiably concerned about what happens to the data companies collect. A recent study of consumer views on data privacy and security revealed consumers are more careful about sharing data. The majority of respondents (87%) say they wouldn’t do business with companies that appear to have weak security. Study participants also…

What Does a Network Security Engineer Do?

Cybersecurity is complex. The digital transformation, remote work and the ever-evolving threat landscape require different tools and different skill sets. Systems must be in place to protect endpoints, identities and a borderless network perimeter. The job role responsible for handling this complex security infrastructure is the network security engineer. In a nutshell, the network security engineer is the person who is responsible for the design and implementation of the organization’s security system, ensuring there are no gaps or vulnerabilities for…

The Importance of Modern-Day Data Security Platforms

Data is the backbone of businesses and companies everywhere. Data can range from intellectual property to critical business plans to personal health information or even money itself. At the end of the day, businesses are looking to grow revenue, innovate, and operationalize but to do that, they must ensure that they leverage their data first because of how important and valuable it is to their organization. No matter the industry, the need to protect sensitive and personal data should be…