Back to Navigation


This is a transcript of a podcast discussing phishing, whaling, spear fishing, and water holing; what they are, and how to protect yourself from them.

Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:  Hi, it’s Phil Brown and I’m here with David Whelan. Today we are going to talk about phishing, whaling, spear fishing and water holing.

DW:  That’s right. And you do not have to have a boat to do any of them. These are all things that could come in your email, and depends on what type of threat you are receiving and on which category you fall into.

PB:  So before we get into what each term might mean to a lawyer or a paralegal, one of the things we always need to be aware of is managing our email - emails coming into the firm or coming into your home.  I guess one question would be, “Would a spam filter be enough?”

DW:  It probably will not be enough.  The interesting thing about all of these techniques is that they are not really spam. Some of them might sound like spam when we talk about them. The interesting thing that is happening with these emails is that they are being customized in a way that they look a little bit like a real email, and the more deliberate emails will actually look as though it comes from somebody you know. For example, it has an attachment you are expecting and that sort of thing.  So it really is something that your spam filter, and probably antivirus and other things, would not necessarily catch.

PB:  So let’s start with the one that most people might know, phishing with a “ph”.

DW:  Yes. Phishing with a “ph”, just like the jam band from North America.  Phishing is the most generic version of this thing.  It is an email that is sent to lots of addresses, has a subject line and some text inside that is asking you to do something.  For example, you can think of it along the lines of your bank account information has to be updated, and the instructions to “please click on this link to confirm your username and your password for your bank account”.  It is a pretty generic sort of thing and they are guessing that the bank in their email will hit a certain number of customers that actually bank at that bank, and a certain percentage of those people will click through the link and go to a page that looks like they have arrived at the bank.

PB:  When you look at the page and the URL that you are being taken to, there are usually some significant differences.

DW:  Right. The actual page itself could look identical to a page that you have logged into many times on the actual bank’s website. So if you ever do click through a link like that, and there is no reason you shouldn’t because you might actually have a link from a bank.  But do look at what the URL, the address of the web page is, for the site that you have been directed to because in most cases it will not be the bank address - it will be an address sent somewhere else.

PB:  Right. And there are usually some other links on the same page which might be, “contact us” or “update your information”, or any of another number of links.  If you click on those other links instead of just updating your info, you will often find they do not work.

DW:  That’s right. Because the people have just copied the actual website and moved it over. They are often too lazy to fill it out so it works like the real site.  And again, phishing is typical of your Nigerian print scam where you often have a sense that something is not quite right there.  But phishing starts to look a little bit like something you would want to do because it is an account or it feels like an account you think you have.  You should still be looking at the email to see if it is your bank of course, and also look for spelling errors and things like that, things that you would not expect from a corporate email or the kind of email you received.

PB:  Anyone is vulnerable to these sorts of invitations. Recently, the Canadian Department of Justice had an experience with phishing emails which they had generated internally just as a security check.

DW:  It was a great story because almost 2,000 staff at the Department of Justice clicked on the link and activated the phishing scam so it was a good test to see how many people… what was it?  It was a high percentage of the people who received it.

PB:  It was about 37%.  Now just as an example, there is one statistic that suggests there is almost 160 million of these emails floating out there every year globally.

DW:  Yes it is a staggering number.  I look in my spam folder and often find these emails in there. I look at the source, and the addresses are coming from all over the place.

PB:  So that is phishing in a nutshell. Let’s talk about some of the other ones, spearfishing, water holing, whaling and what those might be about.

DW:  Spearfishing and whaling are really the same thing.  Spearfishing is a targeted email where they have actually figured something out about you.  So if you have a LinkedIn profile for example and you talk about the company that you work for, or the types of clients that you deal with, then you might find someone who has targeted you. The email you receive looks like it is coming from those clients or it looks like it is from someone else at your company talking about those clients, so it has more details where they have actually picked you out.  It is not just the “drive-by”, “I hope someone clicks on the link” that you get in normal phishing.  Whaling is a subset of spearfishing where if you are really, really important like a CEO or something, then not only are you targeted but you are targeted in a very specific way, and essentially those are the same two categories.

PB:  Sure. So they could be partners in a law firm versus an associate or someone else.

DW:  For sure, and that is what happened to a lawyer in Pennsylvania very recently.  They received an email that looked like it was from their firm, and it had an attachment that looked like a voicemail that came from their voicemail system. When the person clicked on it, it infected their computer with ransomware.

PB:  We will talk about ransomware in another podcast, so stay tuned for that.  What about water holing?

DW:  Waterholing is an interesting mixture. It is similar to spearfishing in that they have identified you as a target but rather than sending you an email and hoping that you click on a link, they infect a website that they would expect you to go to.  So for example, lawyers in Ontario perhaps go to the “Canadian Lawyer” website to read the magazine online or some other legal publication, or perhaps visit the Law Society’s website.  Someone who is interested in water holing would actually infect that website so when you went there you would be infected by merely visiting the website. It is not the same as email but they have still targeted you in the same way.

PB:  So how best to combat these types of problems?

DW:  Well, in most cases it is common sense. And it all sounds like good common sense now, but when you are in the moment you may mistake it.  It is really a matter of thinking about what you click on. A lawyer at a recent seminar I was in asked whether it could happen just by opening an email, and in fact, it can.  If you open an email and it is displayed as a web page in HTML, and if something is running or is called from within that email, then it can immediately access and begin to download without you knowing it.  So one of the things you can do is turn off HTML emails, attachments or pictures so that you can read an email when it comes in but do not necessarily activate it.  The second thing you can do is watch those links that you click on.  If you get an email, even if it is from someone you know, move your mouse pointer over the link so that you can see the little tool tip that will pop up and tell you where it is going to go. If it does not look like where you think it is supposed to go, then do not click on it.  The other thing to do is if it is something significant, like a bank, and it is telling you that they want to verify your username and a password (it is very seldom a bank will actually do that in an email) but if it is, then close your email, go over to your web browser and type the URL to the bank and see if you can log into your account there and get the same prompt to update you information.  Do not go through the link that has been provided to you so that you do not end up on a phishing web site.

PB:  Right. And I know we spoke about this in other podcasts, this is where your internet usage policy for your law firm comes in handy. 

DW:  That’s right. It is amazing really, to think that training more than anything else will save you from phishing or a spearfishing attack, or even suffering water holing.  By training yourself and your staff to be very wary about clicking on links, and even weird links on weird web pages.  I was listening to music on my PC and a link popped up and said your player is out of date, so I clicked on the link that took me to a web page that looked just like an Adobe Flash download page. I looked at the URL and it was actually nothing to do with Adobe, but they had copied the entire page.  I am still not sure exactly where that link came from other than it came from the website that was sending me the music.  You have to be vigilant any time that something like that happens - to look at all of the indicia of the website and where you are, and that you are going where you expect to be.

PB:  That’s great. So think before you click.

DW:  There’s the answer.

PB:  Alright, that is our look at phishing, whaling, spearfishing and waterholing.  Thanks very much David.

DW:  Thanks Phil.

Terms or Concepts Explained