Advanced Phishing: Spear Phishing, Whaling and Business Email Compromise — Operational Guide

[2026-06-07] Author: Ing. Calogero Bono

You receive an email from your CFO. Urgent. It asks for an immediate wire transfer to a supplier you don't remember. The address is correct, the name is correct, the tone is correct. You do it. Then you find out the CFO never wrote that email. The money is gone. Welcome to Business Email Compromise (BEC). This is not generic phishing: it's targeted, researched, prepared specifically for you. And it works.

Spear Phishing: When Phishing Gets Personal

Classic phishing casts wide nets: millions of emails to catch a few fish. Spear phishing targets a single individual. The attacker gathers public information (LinkedIn, corporate website, press releases, social media) and crafts a credible message. They never ask "click here to win." They ask for something normal: download a document, verify a password, approve a payment.

We at Meteora Web see it every week in the projects we receive. Companies with serious revenue get emails that appear to be from their accountant — with the right name, logo, and real references — asking to "update bank details." The request seems legitimate. The victim has no reason to doubt.

How a Spear Phishing Attack Is Prepared

Attackers follow a precise pattern:

  • Research: analyze company structure, roles, names, public emails, partners, vendors.
  • Forgery: create a similar domain (e.g., company-support.com instead of company.com) or spoof the exact address when the impersonated domain does not publish an enforcing DMARC policy.
  • Context construction: reference an ongoing project, a tax deadline, a previous request.
  • Delivery and follow-up: the email may be followed by a phone call (vishing) to increase urgency.

Real example: a client received an email from the "IT manager" asking to install a security update. The link led to a fake Microsoft 365 login page. Anyone who entered credentials handed them to the attacker. The email was perfect: logo, footer, disclaimer.

How to Defend Against Spear Phishing

Defense is cultural before technical. Here's what works:

  • Out-of-band verification: every request to change bank details or make urgent payments must be confirmed by a phone call to a known number, not the one in the email.
  • Attention to detail: check the real sender (not just the display name). Suspicious domains become visible once you train your eye.
  • Strong MFA: multi-factor authentication blocks most credential harvesting attempts.
  • Periodic simulations: send test phishing emails to all staff (using tools like GoPhish or KnowBe4). Those who fall get training, not punishment.

Whaling: Hunting the Big Fish

Whaling is spear phishing, but the target is a whale: CEO, CFO, CTO, managing director. The potential gain is enormous, so attackers invest much more time in preparation. A single well-crafted email to an executive can yield hundreds of thousands of euros.

Why are executives vulnerable? Because they are used to making quick decisions, have direct access to company funds, and often do not receive the same security training as other employees. "I already know how it works" is the phrase that precedes disaster.

How to Spot a Whaling Attempt

Red flags:

  • Request for payment or fund transfer via email with no prior verbal communication.
  • Abnormal urgency: "must be done today" or "the supplier threatens to halt production."
  • Request to bypass standard procedures (e.g., multiple signatures, dual authorization).
  • Change of bank details for a long-term supplier with no advance notice.

Business Email Compromise (BEC): The Most Dangerous Economic Attack

BEC is a category of attacks where the attacker compromises or impersonates a legitimate email account to defraud the company. According to the FBI, global losses from BEC since 2013 exceed $50 billion. No virus, no malware: just social engineering and credible forgery.

Types of BEC

  • CEO Fraud: the sender pretends to be the CEO and asks the CFO for a transfer.
  • Account Compromise: the attacker steals an employee's credentials and uses the real account to send fraudulent requests.
  • Vendor Impersonation: the attacker poses as a supplier and asks for payment to a new IBAN.
  • Data Theft: the attacker requests sensitive data (payroll, contracts, passwords) while pretending to be a colleague or authority.

Why BEC Still Works

Because it does not exploit technical vulnerabilities. It exploits trust, urgency, and lack of procedures. We always tell our clients: a wire transfer is never authorized based on an email request alone. A dual channel is required: email + voice + possibly a signed digital authorization.

Real-World Example: The Vendor Scam

A manufacturing company receives an email from the "accountant" of its long-time raw material supplier: "Due to a bank change, the new coordinates are these. The payment for invoice 1234 must be sent here." The email comes from a similar domain (supp1ier.com, with the digit one in place of the 'l'). The payment is executed. The real supplier never sees the money. The attacker moves the funds abroad in minutes.
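As an added example (not code from the original article), a Python check that a mail gateway rule or a help-desk script could run on the sender domain, covering both the company-support.com and supp1ier.com patterns described above. The trusted-domain list, the confusable-character table and the "last two labels" rule for the registrable domain are assumptions made here:

```python
# Added example (not from the article): flag sender domains that resemble a
# trusted domain, as in the supp1ier.com case. Trusted list is constructed.
from difflib import SequenceMatcher

# Digits and Cyrillic letters commonly substituted for Latin ones (a subset).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})

def skeleton(domain: str) -> str:
    """Collapse visually similar spellings so look-alikes compare equal."""
    d = domain.strip().lower().rstrip(".").translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")  # rn~m, vv~w typosquats

def registrable(domain: str) -> str:
    # Assumption: last two labels; a real check would use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def lookalike_verdict(sender_domain: str, trusted: list, threshold: float = 0.8):
    """Return (verdict, matched_trusted_domain) for a sender's domain."""
    sender = registrable(sender_domain.strip().lower())
    sender_skel = registrable(skeleton(sender_domain))
    for t in (registrable(x.lower()) for x in trusted):
        if sender == t:
            return "trusted", t          # exact domain or one of its subdomains
        if sender_skel == skeleton(t):
            return "lookalike", t        # same skeleton, different spelling
    for t in (registrable(x.lower()) for x in trusted):
        t_label, s_label = t.split(".")[0], sender_skel.split(".")[0]
        ratio = SequenceMatcher(None, s_label, t_label).ratio()
        if t_label in s_label or ratio >= threshold:
            return "suspicious", t       # e.g. company-support.com vs company.com
    return "unknown", None

if __name__ == "__main__":
    trusted_domains = ["company.com", "supplier.com"]   # constructed sample
    for d in ["mail.company.com", "supp1ier.com", "company-support.com", "example.org"]:
        print(d, "->", lookalike_verdict(d, trusted_domains))
```

Anything other than "trusted" should route the message to the out-of-band verification step rather than be auto-blocked, since legitimate partners occasionally use new domains.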

Technical Tools for Preventing BEC and Spear Phishing

Technology alone is not enough, but without it defense is impossible. Here are the configurations we at Meteora Web apply on every email server we manage:

1. DMARC, SPF and DKIM — The Email Authentication Trident

Without these DNS records, anyone can send email on your behalf. Configuring them blocks exact-domain spoofing, one of the most used techniques in BEC. They do nothing against look-alike domains (company-support.com, supp1ier.com), which still require the human checks described above.

SPF (Sender Policy Framework): lists the servers authorized to send mail for your domain.

// Example SPF record for company.com
// Authorizes Google Workspace and a self-hosted server
// The ip4 value must be the server's PUBLIC address: receivers see the
// connecting IP, so a private range such as 192.168.1.0/24 never matches.
// 203.0.113.0/24 is a documentation range used here as a placeholder.
company.com TXT "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all"

DKIM (DomainKeys Identified Mail): digitally signs your emails. The recipient verifies the signature against the public key published in DNS.

// Example DKIM record (provided by Google Workspace)
// "google" is the selector; it appears in the s= tag of each DKIM-Signature header
google._domainkey.company.com TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQ..."

DMARC (Domain-based Message Authentication, Reporting & Conformance): tells receivers what to do when a message passes neither SPF nor DKIM with a domain aligned to the From: header. Setting p=reject blocks those unauthenticated emails.

// Basic DMARC record
_dmarc.company.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@company.com"

Caution: moving from p=none to p=reject must be done gradually (p=none to monitor, then p=quarantine, then p=reject), reading the aggregate reports sent to the rua address at each step, to avoid blocking legitimate emails from senders you forgot to list.

2. Anti-phishing Filters and Sandboxing

Use an email security service that analyzes links and attachments in an isolated environment. Solutions like Mimecast, Proofpoint, or Microsoft 365 Defender native filters (if correctly configured) reduce the number of attempts that reach the inbox.

3. Mandatory Multi-Factor Authentication (MFA)

There is no excuse for not having it. Even if an attacker steals credentials via a spear phishing email, without the second factor they cannot access the mailbox. Enforce MFA on all corporate email accounts, especially those with access to funds or sensitive data. Where possible prefer phishing-resistant factors (FIDO2/WebAuthn security keys or passkeys): SMS codes and one-time passwords can be relayed by a proxy phishing page that forwards them to the real login in real time.

4. Internal Payment Policies

Establish clear rules:

  • Every request to change bank details must be verified by a phone call to the known reference number (not the one in the email).
  • Transfers above a certain threshold require dual authorization (e.g., CFO + CEO).
  • No urgent payment outside the standard cycle without recorded verbal approval.

In Summary — What To Do Now

If you've read this far, you probably already have a colleague or supplier who could fall for it. Act today:

  1. Verify your DNS records: check SPF, DKIM and DMARC. Use tools like DMARC Checker. If you don't have DMARC with p=reject, start immediately.
  2. Enable MFA on all email accounts. No exceptions. If you don't know how, contact us.
  3. Run an internal phishing simulation with a free tool like GoPhish. Those who fall go to training, not punishment.
  4. Write a procedure for bank detail changes: never by email. Always a phone call plus confirmation email from a known address.
  5. Train executives on whaling. Explain that their role makes them preferred targets. Show real examples.

BEC doesn't wait. The next email could be the right one. We see it every day. If you want help hardening your mailboxes, let's talk.

Ing. Calogero Bono

Co-founder of Meteora Web. Computer engineer, I build high-performance digital ecosystems. AI, automation, technical SEO and web infrastructure. I write about technology to make the complex... simple.
