Spoofing, Smishing & Whaling: The Scams Targeting Your Staff
Phishing has grown up. Attackers now spoof trusted senders, text your staff directly, and impersonate your executives. Here's what each scam is, how it works, and how to stop it.
By Muneeb Ahmed, Founder, AiVigil MSP · Updated June 2026
Most people know to be wary of a dodgy email. But attackers have moved on — they now fake trusted identities, hit phones by text, and target the people with the most authority. Three terms come up a lot: spoofing, smishing and whaling. They're all relatives of phishing, and they all work by abusing trust.
What is spoofing?
Spoofing is faking the sender so a message looks like it comes from someone you trust. Email spoofing forges the visible "From" header (and often just the display name in front of an unrelated address) so an email appears to be from your bank, a vendor, or a colleague. There's also caller-ID spoofing (the phone shows a familiar number) and domain spoofing (a lookalike domain or website, such as one letter swapped in your company's name). The goal is the same: get you to trust the message and act on it.
What is smishing?
Smishing is phishing by SMS text message — "SMS" + "phishing." A text claims to be from a delivery company, your bank, the CRA/IRS, or your own boss, with a link or a request. People tend to trust texts more than email and read them faster, which is exactly why smishing works. On a phone, the warning signs (full URL, sender details) are also harder to spot.
What is whaling?
Whaling is a targeted attack aimed at the "big fish" — executives, owners, finance leads. The attacker researches the target and sends a convincing, personalised message (often impersonating the CEO to the finance team: "I'm in a meeting, please process this wire now"). Because it comes from authority and carries urgency, staff act before they verify. This overlaps with business email compromise (BEC), one of the costliest attacks for businesses.
How they work — the common pattern
Whatever the channel, the playbook is the same: impersonate someone trusted, create urgency, and ask for one action — click this link, open this file, change these payment details, or send this money. Remove any one of those and the attack usually fails.
Red flags to train your team on
- Urgency or pressure — "do this now," "don't tell anyone," "final notice."
- A sender address or phone number that's slightly off from the real one.
- Any request to change payment/bank details, or to buy gift cards.
- Links that don't match their text, or shortened links in a text message.
- A request from an "executive" that bypasses the normal process.
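The red flags above are also the ones a mail filter or a quick triage script can check mechanically. The following is an added example, not code from the original article or from AiVigil: it scores a message for a lookalike sender domain, an executive's name on an external address, link text that points somewhere other than it claims, urgency language and payment or gift-card requests. The trusted domain, executive names, keyword lists and the two sample messages are all constructed assumptions for illustration.

```python
"""Score an inbound message for the red flags listed above (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example.com"            # assumed: your own mail domain
EXECUTIVES = {"jane doe", "ceo"}          # assumed: names attackers impersonate
URGENCY = ("right now", "immediately", "urgent", "don't tell", "final notice", "asap")
PAYMENT = ("bank details", "wire", "gift card", "payment details")


def edit_distance(a, b):
    """Levenshtein distance, used to spot examp1e.com / exarnple.com style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain (last two labels); enough for the example, not for co.uk."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def score_message(display_name, from_addr, body_html):
    """Return the list of red flags raised by one message."""
    flags = []
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    # 1. sender domain that is close to, but not, the trusted one
    if sender_domain != TRUSTED_DOMAIN and edit_distance(sender_domain, TRUSTED_DOMAIN) <= 2:
        flags.append(f"lookalike sender domain {sender_domain}")
    # 2. an executive's display name on an external address (whaling / BEC)
    if display_name.lower() in EXECUTIVES and sender_domain != TRUSTED_DOMAIN:
        flags.append(f"executive name {display_name!r} sent from external domain")
    # 3. link text that names one domain while the href points at another
    parser = LinkParser()
    parser.feed(body_html)
    for href, text in parser.links:
        shown = re.match(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        href_host = urlparse(href).hostname or ""
        if shown and registrable(shown.group(1)) != registrable(href_host):
            flags.append(f"link text {text} actually points at {href_host}")
    # 4. urgency and 5. money/gift-card requests, checked on the plain text
    plain = re.sub(r"<[^>]+>", " ", body_html).lower()
    if any(k in plain for k in URGENCY):
        flags.append("urgency or secrecy language")
    if any(k in plain for k in PAYMENT):
        flags.append("payment-change or gift-card request")
    return flags


# Constructed sample messages (not real traffic).
WHALING = (
    "Jane Doe", "jane.doe@examp1e.com",
    "<p>I'm in a meeting, process this wire right now. Don't tell anyone.</p>"
    '<a href="https://evil.test/pay">https://portal.example.com/pay</a>',
)
LEGIT = (
    "Acme Invoices", "billing@acme-supplier.test",
    "<p>Your invoice for March is attached. Thanks!</p>"
    '<a href="https://acme-supplier.test/inv/123">https://acme-supplier.test/inv/123</a>',
)

if __name__ == "__main__":
    for sample in (WHALING, LEGIT):
        print(sample[1], "->", score_message(*sample) or ["no flags"])
```

The whaling sample trips all five checks; the legitimate invoice trips none. Real filters add reputation and authentication results, but keyword and lookalike checks like these are exactly what staff are being asked to do by eye, which is why a script catches them more reliably than a busy finance lead at 4:55 pm.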
How to defend against them
No single tool catches everything, so defence is layered:
- Email authentication (SPF, DKIM, DMARC with an enforcing policy) to make your own domain far harder to spoof, plus email-security filtering. Note that these protect your domain, not you from others: a lookalike domain the attacker registers will pass its own checks, so filtering and training still matter.
- Multi-factor authentication everywhere, so a stolen password or a fooled click isn't enough. Prefer phishing-resistant methods (hardware keys or passkeys) where you can, because one-time codes and push prompts can be relayed by a phishing page in real time. (What is MFA?)
- Security-awareness training with simulated phishing/smishing so staff recognise the patterns above.
- A verify-out-of-band rule for money and data: any payment change or urgent transfer must be confirmed by a known phone number or in person — never by replying to the message.
- EDR + monitoring to catch anything that does get through.
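The difference between "we have SPF and DMARC" and "our domain is hard to spoof" is in the record details, which is the first thing an assessment checks. Below is an added example, not code from the original article or from AiVigil, that grades a domain's SPF and DMARC records: a weak pair (neutral `?all`, monitor-only `p=none`, no reporting address) beside a hardened pair (`-all`, `p=reject`, reports enabled). The records are constructed; you would fetch your own with `dig TXT example.com` and `dig TXT _dmarc.example.com`. DKIM is not graded here because it lives under per-selector names that this script cannot guess.

```python
"""Grade SPF and DMARC records for spoofing resistance (added example)."""

# Constructed records for illustration; replace with your own domain's TXT records.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com ?all",    # ?all = neutral, no enforcement
    "dmarc": "v=DMARC1; p=none",                                  # monitor only, no reports
}
HARDENED = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",    # -all = hard fail for unlisted hosts
    "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@example.com",
}

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Turn 'k=v; k=v' (DMARC syntax) into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_spf(record):
    """Return a list of weaknesses in an SPF record (empty list = no findings)."""
    issues = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: receivers cannot tell your servers from anyone else's"]
    qualifier = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if qualifier is None:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif qualifier[0] in "+?" or qualifier.lower() == "all":
        issues.append(f"'{qualifier}' lets any host pass SPF for this domain")
    elif qualifier.startswith("~"):
        issues.append("~all is softfail only; move to -all once DMARC reports look clean")
    lookups = sum(
        1 for t in terms[1:]
        if t.lstrip("+-~?").lower().split(":")[0].split("=")[0] in LOOKUP_TERMS
    )
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceeds the limit of 10: SPF will permerror")
    return issues


def grade_dmarc(record):
    """Return a list of weaknesses in a DMARC record (empty list = no findings)."""
    issues = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: receivers will not enforce SPF/DKIM alignment at all"]
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine sends spoofed mail to junk; p=reject blocks it")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: the policy is applied to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua= address: you get no aggregate reports to see who is spoofing you")
    return issues


def grade_domain(records):
    """Grade both records; returns {'spf': [...], 'dmarc': [...]}."""
    return {"spf": grade_spf(records["spf"]), "dmarc": grade_dmarc(records["dmarc"])}


if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, grade_domain(recs))
```

Roll out the hardened settings in stages: publish DMARC with `p=none` and an `rua=` address first, fix every legitimate sender the reports reveal, then move to `p=quarantine` and finally `p=reject`. Jumping straight to reject with an incomplete SPF record blocks your own mail, which is the usual reason domains are left at `p=none` forever.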
AiVigil builds all of this into managed cybersecurity — authentication, filtering, MFA, training and monitoring as one layered defence. The quickest way to see how exposed your team is today is a free security assessment.
Muneeb Ahmed
Founder, AiVigil MSP
With around 8 years of experience in IT and technology, Muneeb is the founder of AiVigil MSP — a security-first, AI-enabled managed IT provider based in Calgary serving SMBs across Canada, the US and the UK. Connect on LinkedIn.
Frequently asked questions
What is spoofing in cyber security?
Spoofing is faking a trusted identity — a forged email "from" address, a faked caller ID, or a lookalike domain or website — so a victim trusts the message and acts on it.
What is smishing?
Smishing is phishing carried out by SMS text message. A text impersonates a trusted sender (a courier, your bank, a government agency, or your boss) with a malicious link or request. People trust and act on texts quickly, which makes smishing effective.
What is whaling in cyber security?
Whaling is a targeted attack on senior people — executives, owners, finance staff. The attacker uses research and authority (often impersonating the CEO) to pressure a high-value action like a wire transfer. It overlaps with business email compromise (BEC).
How do I protect my business from these scams?
Layer your defences: email authentication (SPF/DKIM/DMARC) and filtering, MFA everywhere, security-awareness training with simulations, a strict verify-by-phone rule for any payment or data change, and EDR + monitoring to catch what slips through.
How exposed is your team?
A free assessment shows how vulnerable your business is to spoofing, smishing and whaling — and the fastest ways to lock it down.
Get my free assessment