Phishing, spear phishing, and whaling
Anyone with an online presence receives dozens of phishing attempts per day. Phishing is an email or other message designed to look as though it’s coming from a legitimate source, like your bank, and it’s successful because of volume: even if only one in 10,000 people falls for it, send out a million emails and you’ve got 100 victims.
Perhaps a phishing attempt wants you to click on a particular link to “verify your account details.” When you click the link, malware or some other code is loaded onto your device and/or network. These kinds of tricks can also route you to a legitimate-looking web page where you enter your information.
Spear phishing is the next level. Whereas phishing casts a huge net, spear phishing is an attempt designed for an individual. It may reference something more personal, perhaps something in the public record or something found through a data leak, to make the message seem legitimate.
Whaling is spear phishing targeted at a high-ranking official in an organization who has significant access to sensitive data. You would think such personnel would be on alert for such attempts, but even prominent government officials have had their personal email accounts compromised in whaling attacks.