Phishing, Spear Phishing, and Whaling
Distinguish mass phishing from targeted spear phishing and executive-level whaling attacks, and learn the red flags in malicious emails.
Social Engineering Through Email
Email remains the most common initial access vector in cyberattacks. Phishing exploits human psychology — creating urgency, authority, or fear — to trick recipients into clicking malicious links, opening infected attachments, or surrendering credentials. Unlike technical vulnerabilities that can be patched, human susceptibility to social pressure cannot be eliminated with a software update. Security+ candidates must understand the spectrum of phishing attacks, from mass campaigns targeting millions of random recipients to highly targeted messages crafted for a specific individual.
Mass Phishing: Volume Over Precision
Mass phishing (or bulk phishing) sends the same malicious email to thousands or millions of addresses simultaneously, relying on the sheer volume of targets to achieve a small percentage of success. Common lures include fake banking alerts, package delivery notifications, password expiration warnings, and tax refund offers. The emails are generic — the attacker does not know the recipients personally. Despite low sophistication, mass phishing campaigns generate enormous numbers of victims globally and are responsible for the majority of credential theft incidents.
# Typical mass phishing email red flags:
# - Sender domain differs from claimed company (paypa1.com vs paypal.com)
# - Generic salutation ('Dear Customer' instead of name)
# - Urgency trigger ('Your account will be closed in 24 hours')
# - Mismatched URL (displayed text differs from actual hyperlink)
# - Poor grammar/spelling (though AI has reduced this indicator)
# - Unexpected attachment (.exe, .zip, .docm with macros)
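The red flags listed above, expressed as a small triage scorer that a mail-filtering or awareness-training pipeline could run over a message. This is an added example, not part of the original lesson; the brand list, phrase patterns, function names, and the sample message are assumptions constructed for illustration, and the lookalike check only covers digit-for-letter swaps such as paypa1.com.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser

BRANDS = {"paypal.com"}  # assumption: domains you want to protect
DIGIT_SWAPS = str.maketrans("1035", "loes")  # 1->l, 0->o, 3->e, 5->s
RISKY_EXT = (".exe", ".zip", ".docm")
DOMAIN = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
TEXT_RULES = {"generic_salutation": re.compile(r"\bdear (customer|user|member)\b", re.I),
              "urgency": re.compile(r"\b(in|within) \d+ hours\b|will be (closed|suspended)", re.I)}

class Links(HTMLParser):
    """Collect (href, visible text) for each <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def host(s):  # domain named in a URL or in visible text, minus "www." ("" if none)
    return m.group(1).lower() if (m := DOMAIN.search(s)) else ""

def red_flags(from_header, html, attachments=()):
    """Return the set of red-flag names raised by one message."""
    flags = {name for name, rx in TEXT_RULES.items() if rx.search(html)}
    sender = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if sender not in BRANDS and sender.translate(DIGIT_SWAPS) in BRANDS:
        flags.add("lookalike_sender")
    parser = Links()
    parser.feed(html)
    for href, text in parser.links:
        shown, real = host(text), host(href)
        if shown and real != shown and not real.endswith("." + shown):
            flags.add("mismatched_url")  # link text names a domain the href does not reach
    if any(name.lower().endswith(RISKY_EXT) for name in attachments):
        flags.add("risky_attachment")
    return flags

SAMPLE_FROM = "PayPal Support <service@paypa1.com>"  # constructed sample message
SAMPLE_HTML = ('<p>Dear Customer, your account will be closed in 24 hours.</p>'
               '<a href="http://paypa1.com/verify">https://www.paypal.com/login</a>')
```

Calling `red_flags(SAMPLE_FROM, SAMPLE_HTML, ["invoice.docm"])` raises all five flags; treat the result as a triage signal that feeds sender authentication and URL reputation checks, not as a verdict on its own.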