Phishing, Spoofing, and Whaling: Tips for Staying Safe

Phishing refers to attempts by cybercriminals to obtain personal or account information from an individual by impersonating a trusted party through social engineering.

The word is a neologism derived from fishing, because of the similarity between the two techniques: both use bait to catch a victim. It is a very serious cyber threat. According to estimates from 2017, phishing was costing American companies roughly half a billion dollars each year.

It is usually carried out by forging electronic communication, typically email or instant messages, that directs the user to a site mimicking the real one and prompts them to fill in fields with data such as user names, passwords, or bank details.

The forging of the sender's identity is known as spoofing. These messages pretend to originate from social networks, banks, or system administrators and may contain links to websites that host malware. Phishing can also be used to install malicious software on the victim's system and to gain the initial foothold for other types of attacks, such as advanced persistent threats.

Another strategy is whaling, a reference to catching the big fish: it targets executives, senior officials, or other prominent individuals, and begins with research into the target's role, contacts, and current business. In this case the attacks are usually disguised as court notices, customer complaints, or other business-related matters.

Overall, phishing belongs to the family of social engineering techniques that deceive a user rather than break a technical control, exploiting the weak points in how trust is established on the Internet. Attempts to tackle the problem include legislation, education and public awareness, and technical countermeasures that mitigate the risk. There are, however, things you can do yourself.

Do not click the links

The rule of thumb is simply not to click on links in emails or messages, or at least to verify them first: hover over the link (or long-press it on a phone) to see the real destination, and when in doubt type the site's address yourself instead of following the link. This applies to every email from an unknown source, even an urgent reminder that “your password has been compromised” or that “the account is about to be disabled”.

In the vast majority of cases these messages are false, and the link leads to a page that prompts you to log in or enter account data such as banking information. Banks are not the only targets: there are phishing campaigns aimed at Gmail, Facebook, Amazon, Apple, and other high-profile services that hold credit card details or that can be used to reset the passwords of your other accounts.

Read the message and find the signs

An occasional grammatical or spelling mistake can appear in any email, but fraudulent messages are often poorly written, with errors that betray amateurism: strangely constructed sentences, misused words, the wrong tense, and so on. Do not rely on this alone, though; a well-crafted phishing message can be flawless, so clean prose is not proof of legitimacy.

In addition, always check the actual From address rather than the display name, since the display name can be set to anything. Quite often the subject and content claim to be from Google while the address is clearly on a different domain. Keep in mind that the address itself can also be forged, so a plausible From address is a necessary check, not a sufficient one.
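As an added example (not code from the original article), the following Python script applies the two checks above to a message: it reads the real From address behind the display name and, for every link in the HTML body, compares the visible text with the actual target. The two sample messages, the attacker domains on the reserved `.example` TLD, and the function names are constructed for this demonstration; `google.com` stands in for whichever brand the message claims to come from.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The first mimics a "password
# compromised" lure with a look-alike sender and a disguised link; the second is clean.
PHISH_EMAIL = """From: "Google Accounts" <security@g00gle-support.example>
To: victim@example.org
Subject: Your password has been compromised
Content-Type: text/html

<html><body>
<p>Sign in now at <a href="http://accounts-google.example/login">https://accounts.google.com</a></p>
<p>Help: <a href="https://support.google.com/">support.google.com</a></p>
</body></html>
"""

CLEAN_EMAIL = """From: Google <no-reply@accounts.google.com>
To: victim@example.org
Subject: Security alert
Content-Type: text/html

<html><body><p>Review activity at <a href="https://myaccount.google.com/">myaccount.google.com</a>.</p></body></html>
"""

# Anchor text that itself looks like a URL or host name (the kind a victim trusts).
HOST_LIKE = re.compile(r"(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?")


class LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_host):
    """Lower-cased hostname of a URL or bare host name ('' if none)."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s  # let urlparse treat a bare host as the netloc
    return (urlparse(s).hostname or "").lower()


def belongs_to(host, domain):
    """True if host is the domain or a subdomain; 'google.com.evil.example' fails."""
    return host == domain or host.endswith("." + domain)


def analyze(raw, trusted_domains):
    """Return the list of red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. The real sender address, not the display name, must be on a trusted domain.
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    if not any(belongs_to(sender_host, d) for d in trusted_domains):
        findings.append(f"sender address {addr!r} (shown as {name!r}) is not on a trusted domain")

    # 2. For every link: visible text must not point elsewhere, and the real
    #    target must be on a trusted domain.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
        collector = LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            target = host_of(href)
            shown = host_of(text) if HOST_LIKE.fullmatch(text) else ""
            if shown and shown != target:
                findings.append(f"link text shows {shown} but points to {target}")
            if target and not any(belongs_to(target, d) for d in trusted_domains):
                findings.append(f"link target {target} is not on a trusted domain")
    return findings


def is_suspicious(raw, trusted_domains):
    return bool(analyze(raw, trusted_domains))
```

Running `analyze(PHISH_EMAIL, {"google.com"})` reports three flags (the look-alike sender, the link whose text shows `accounts.google.com` but targets `accounts-google.example`, and that untrusted target), while the clean message produces none. The domain check deliberately tests for the domain or a subdomain of it, so a host such as `google.com.evil.example` is not accepted.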

Adopt security measures for all your accounts

When it comes to cybersecurity the goal is to prevent every breach, but sometimes accidents happen. For such cases, a very good safeguard is to enable additional security features wherever possible so that an account is protected by more than a password.

A very good example of this is Multi-Factor Authentication (MFA), which can be a life-saver. Imagine you have MFA enabled on your Facebook account and, for one reason or another, you fall victim to a phishing attack and reveal the account's credentials (email and password) to the cybercriminals.

Because MFA is on, the stolen password alone is not enough to log in: the attackers would also need the second factor, which they do not have. That leaves you time to log in yourself and change your password. One caveat: a phishing site that relays your one-time code to the real site in real time can get past code-based MFA, so never type a code into a page you reached from a link, and where a service offers it, a hardware security key or passkey (FIDO2/WebAuthn) is the most phishing-resistant option.
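To make concrete why a stolen password alone is not enough, here is an added example, not code from the original article, of a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238) as the second factor. The user store, salt, password and function names are constructed for the demonstration; the TOTP seed is the RFC 4226/6238 test-vector secret, and the user's authenticator app is assumed to have been enrolled with the same seed.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): dynamically truncated HMAC-SHA1 of the 8-byte counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second periods since the epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one from +/- `window` steps, to tolerate clock drift."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        # Check every candidate (no early return) and compare in constant time.
        ok |= hmac.compare_digest(hotp(secret, c).encode(), code.encode())
    return ok


# Constructed demo user store (not production data): a salted PBKDF2 password
# hash plus the TOTP seed the user's authenticator app was enrolled with.
SALT = b"demo-salt-not-for-production"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple"),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector seed
    }
}


def login(username: str, password: str, otp: str, at: Optional[float] = None) -> bool:
    """Both factors must verify: a phished password with a guessed or stale code fails."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password), user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], otp, at)
    return pw_ok and otp_ok


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    now = time.time()
    print("password only, guessed code:", login("alice", "correct horse battery staple", "000000", now))
    print("password plus current code:", login("alice", "correct horse battery staple", totp(secret, now), now))
```

With the RFC seed, the code for Unix time 59 is `287082`, so `login("alice", "correct horse battery staple", "287082", at=59)` succeeds while the same password with any other code, or the right code with the wrong password, is rejected. The drift window is what an attacker who captures a code from a phishing page and replays it within about a minute exploits; that is why the caveat above matters and why FIDO2 keys, which bind the response to the real site's origin, resist it.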

Do not believe in prizes…

Emails saying you have won a prize and asking you to click on a link and enter your personal data are almost certainly a variant of phishing. It is not that winning is impossible, but when it happens out of the blue, suspicions should be raised.

…nor try to help needy friends

Many phishing strategies appeal to everyone's soft side. The ‘stranded traveler’ is a popular and pernicious example: the victim receives a message from a (supposed) friend or loved one who is stuck abroad without money (they were robbed, or some other disaster struck) and desperately needs you to wire funds right away.

As you might expect, that money disappears for good the moment you press the submit button. Again, the way to verify the situation is to contact the person directly through a channel you already have, such as a phone number you know, rather than by replying to the message.

Most phishing strategies have common themes, so it is useful to review them. Put simply: do not click on links, do not provide account details, and do not send money unless you know for sure that the message is real and comes from whom it claims. Banks will hardly ever request personal or account details by email. If you keep an eye out for these red flags, you stand a much better chance of avoiding a phishing attack. And if you host your data in the cloud, it is always best to make sure all best practices are in place and your VPS is secure.
