By Drew Fox Jordan • October 5, 2021

    The Terms Nonprofits Need to Know About Spear-Phishing


    Jargon is a hallmark of all industries. Cybersecurity is no different, but using the correct security terminology has a real impact. When an organization's data and systems are threatened by spear-phishing attacks, being aware of evolving trends and the definitions of key terms could be the difference that helps prevent the next threat.

    Spear-phishing is the number one threat facing businesses today. However, research still suggests that a "lack of knowledge and awareness about cyberattacks could hinder the growth of the spear-phishing protection market." Once you've read our breakdown of different key terms and what they mean, you'll come away with a clearer understanding of the range of sophisticated inbound email threats.

    Spear-phishing

    Spear-phishing describes an advanced impersonation phishing attack directed at specific individuals or companies. Similar to "bulk" phishing, spear-phishing attacks aim to trick people into taking action like transferring funds or clicking on a malicious link. However, in contrast to bulk phishing, attackers often gather and use personal information about their target to increase their probability of success. In addition, because spear-phishing emails are low-volume and more sophisticated in their construction and convincing execution, they are far more challenging for traditional email security products to catch.

    CEO/Executive fraud

    CEO fraud is a type of spear-phishing attack where attackers impersonate a CEO or another high-level executive. Here, attackers aim to trick the executive's colleagues into carrying out actions that place data, money, or credentials at risk. As a result, attackers often use social engineering techniques to convey urgency and prevent targeted employees from thinking twice about following the instructions of the "CEO." 

    Whaling

    Whaling is related to CEO fraud, with one difference: instead of impersonating senior executives and targeting lower-ranking employees, attackers target the big fish themselves (hence the term). For example, a whaling attack might involve attackers trying to get the executive in question to divulge critical credential information or other sensitive organizational data. The attackers can then use the information to access confidential systems or make subsequent spear-phishing attacks more authentic and effective. Senior executives also tend to be very busy, which makes them more likely to be targeted than rank-and-file employees. Because of their access and influence, senior executives can be incredibly profitable targets for attackers.



    Forms of impersonation used in spear-phishing attacks

    Although all spear-phishing attacks revolve around impersonation of some kind, unique cases can take many forms. Attackers impersonate people on email to:

    • Steal money, data, and credentials
    • Compromise systems
    • Take certain data "hostage" until paid a ransom

    Essentially, all spear-phishing attacks use impersonation as a strategy. However, mechanisms differ from the easy (display name impersonation) to the complex (direct spoofing). Here's how we break impersonations down:

    Business Email Compromise

    According to the FBI, Business Email Compromise (BEC) attacks cost organizations $1.2B in 2018 alone. BEC is closely related to spear-phishing – and commonly confused with it – but is potentially still more damaging and severe. Attackers impersonate employees or external counterparties and send spear-phishing emails to the organization's targeted people, using social engineering techniques to convince targets to wire funds outside the organization or click on dangerous links that risk compromising systems or data.

    Domain impersonation

    These attacks involve attackers spoofing or impersonating an organization's domain to appear legitimate. There are three main kinds of domain impersonation: root, top-level, and subdomain. Below is an example of each of these impersonations, using the domain companyinc.com as a starting point:

    • Root: companyceo@companyinc-outbound.com OR companyceo@c0mpanyinc.com
    • Top-level: companyceo@companyinc.net
    • Subdomain: companyceo@companyinc.secured-email.com

    Display name impersonation

    Display name impersonations involve attackers setting deceptive display names on their email accounts to mislead recipients. This means impersonating a senior executive within a company or the name of a key supplier or partner. The technical skill required is effectively zero: most mainstream email clients offer users ways to change display names in their account settings. Display name impersonations are particularly effective when received on mobile devices because mobile email apps hide the sender's address.

    Freemail impersonation

    Freemail impersonation describes spear-phishing attacks where criminals use the fake personal email address of a senior-level executive. For example, an attacker impersonating the CEO of a nonprofit – let's use the name Phil Anthropy – could send an email from Phil.Anthropy@gmail.com to an employee working in the finance department, requesting an urgent transaction. These emails will often have "Sent from my iPhone" in the signature to help convey urgency and authenticity.

    Automatic "Out of office" replies are a valuable tool for attackers planning freemail spear-phishing campaigns. By probing lists of contacts, attackers can learn when a particular executive is out of the office. Details volunteered in OOO auto-replies may tell them how long the executive is out of the office and even where they've gone. With this knowledge, attackers are free to impersonate the executive's personal email account (or register an authentic-looking freemail address) and target the executive's colleagues with a convincing impersonation.
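    The domain, display name and freemail impersonation patterns described in the three sections above can be checked mechanically on the way in. The script below is an added example written for this article, not Gravyty's code. It reuses the article's own companyinc.com domain and the executive name Phil Anthropy; the freemail provider list and the digit-for-letter substitution table are constructed samples, and the "registrable domain" is approximated as the last two labels (a real deployment would use the public suffix list).

```python
"""Label an inbound From: header against a trusted domain and an executive list.

Added example for the article; not Gravyty's code. Assumes a two-label trusted
domain and hand-maintained executive names.
"""
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "companyinc.com"          # the organisation's real domain (from the article)
EXECUTIVES = ["Phil Anthropy"]             # names attackers are likely to borrow (from the article)

# Constructed sample of public webmail providers; extend for real use.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}

# Constructed table of digit-for-letter swaps seen in look-alike ("root") domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise_label(label: str) -> str:
    """Fold look-alike tricks so c0mpanyinc and cornpanyinc compare equal to companyinc."""
    return label.lower().translate(_HOMOGLYPHS).replace("rn", "m")


def _name_key(text: str) -> str:
    """'Phil.Anthropy', 'phil_anthropy' and 'Phil Anthropy' all become 'phil anthropy'."""
    return " ".join(re.split(r"[.\s_\-]+", text.strip().lower()))


def classify_sender(header_from: str, trusted_domain: str = TRUSTED_DOMAIN,
                    executives=EXECUTIVES) -> str:
    """Return one label: trusted, subdomain_impersonation, tld_impersonation,
    root_impersonation, freemail_impersonation, display_name_impersonation,
    unknown_external or malformed."""
    display, addr = parseaddr(header_from)
    if "@" not in addr:
        return "malformed"
    local, domain = addr.rsplit("@", 1)
    domain, trusted_domain = domain.lower(), trusted_domain.lower()
    tlabels = trusted_domain.split(".")
    trusted_root, trusted_suffix = tlabels[-2], tlabels[-1]

    # Exact match or a genuine subdomain of the trusted domain: internal mail.
    if domain == trusted_domain or domain.endswith("." + trusted_domain):
        return "trusted"

    labels = domain.split(".")
    if len(labels) < 2:
        return "malformed"
    reg_root, reg_suffix = labels[-2], labels[-1]   # naive registrable domain
    prefix = labels[:-2]                            # labels in front of it

    # Subdomain impersonation: our name stuck in front of someone else's domain.
    if any(normalise_label(p) == trusted_root for p in prefix):
        return "subdomain_impersonation"
    # Top-level impersonation: same registrable name, different suffix (.net for .com).
    if reg_root == trusted_root and reg_suffix != trusted_suffix:
        return "tld_impersonation"
    # Root impersonation: look-alike characters or an appended token (-outbound).
    if trusted_root in normalise_label(reg_root):
        return "root_impersonation"

    # No domain trick, so look at who the sender claims to be.
    exec_keys = {_name_key(name) for name in executives}
    looks_like_exec = _name_key(display) in exec_keys or _name_key(local) in exec_keys
    if domain in FREEMAIL_DOMAINS and looks_like_exec:
        return "freemail_impersonation"
    if _name_key(display) in exec_keys:
        return "display_name_impersonation"
    return "unknown_external"


if __name__ == "__main__":
    # Constructed sample From: headers built from the article's examples.
    for sample in ["Phil Anthropy <phil.anthropy@companyinc.com>",
                   "companyceo@companyinc-outbound.com",
                   "companyceo@c0mpanyinc.com",
                   "companyceo@companyinc.net",
                   "companyceo@companyinc.secured-email.com",
                   "Phil Anthropy <pa2021@attacker-mail.example>",
                   "Phil.Anthropy@gmail.com"]:
        print(f"{sample:50} -> {classify_sender(sample)}")
```

    The order of the checks matters: domain tricks are tested before names, so a look-alike domain is reported as such even when the display name is innocuous, and a message that passes every check is only "unknown_external", which is a reason to apply the usual controls, not a clean bill of health.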

    Other useful terms


    Credential harvesting

    Credential harvesting is often an end goal of spear-phishing attacks. Attackers will use coercive emails to direct recipients to fake login pages or other websites, where attackers can harvest credentials. In addition, attackers can monetize credentials by selling them or using stolen account information to make purchases. Having harvested credentials, attackers can even take over email accounts and begin targeting donors within a fundraiser's portfolio.

    Payload

    Many spear-phishing emails contain a payload: on email, this might be a malicious link or attachment that, when opened, triggers malware on affected devices or systems. But, increasingly, spear-phishing attacks don't have a payload at all, relying on persuasive language to coerce an employee into making a mistake. In turn, this makes these attacks especially hard for traditional security tools to defend against.

    Phishing

    Generally, phishing attacks are sent in bulk to a large audience, meaning the attackers' language is relatively untargeted and impersonal. So while phishing attacks can be successful, most of them can be identified by traditional email security tools. As a result, attackers have evolved to rely on spear-phishing to extract organizations' money, data, and credentials.

    Ransomware

    Ransomware attacks are growing in popularity and also need little or no technical skill to carry out. In a ransomware attack, an attacker holds an organization "hostage" by deploying malicious software across its critical infrastructure. The attacker then threatens to steal money or data, or to cripple the organization's systems, unless the organization pays a ransom. Many ransomware attacks start with a spear-phishing email containing a dangerous payload.

    Social engineering

    Social engineering describes the techniques attackers use to persuade people to take a dangerous action. For example, attackers may rely on the seniority of the person they are impersonating, or create the illusion of urgency, prompting a lower-ranking employee to take the desired action. Often, attackers will build trust with a target by communicating 'normally' for periods, using entirely innocuous language: this heightens the effect of coercive language when launching an attack.

    Spoofing

    A spoof is an impersonation in which the attacker forges an email by modifying the email address used to send the message. Many people don't know that anyone with their own mail server can specify any "From:" address when sending an email, a loophole often leveraged by more sophisticated attackers.
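    Because the "From:" address itself proves nothing, the receiving mail server's own SPF, DKIM and DMARC verdicts are what a defender should read. The script below is an added example written for this article, not Gravyty's code: it parses the Authentication-Results header (RFC 8601) that a receiving server stamps on each message and applies DMARC's alignment rule (RFC 7489), trusting only results signed with the organisation's own server id. The server id mx.companyinc.com, the three sample messages and the 192.0.2.10 address are all constructed, and the organisational domain is approximated as the last two labels.

```python
"""Decide whether a message's From: domain is backed by an aligned SPF or DKIM pass.

Added example for the article; not Gravyty's code. The authserv-id below is
assumed, and the sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

AUTHSERV_ID = "mx.companyinc.com"   # assumed: the id our own receiving server writes


def org_domain(domain: str) -> str:
    """Naive organisational domain: last two labels (RFC 7489 uses the public suffix list)."""
    return ".".join(domain.lower().strip().split(".")[-2:])


def parse_auth_results(value: str):
    """Parse one Authentication-Results value into (authserv_id, {method: (result, props)})."""
    value = re.sub(r"\([^)]*\)", "", value)            # drop CFWS comments like (sender IP is ...)
    parts = [p.strip() for p in value.split(";")]
    authserv = parts[0].split()[0].lower()
    results = {}
    for clause in parts[1:]:
        if not clause or clause.lower() == "none":
            continue
        tokens = clause.split()
        method, result = tokens[0].split("=", 1)
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results[method.lower()] = (result.lower(), props)
    return authserv, results


def from_is_authenticated(raw_message: str):
    """Return (True, reason) only if our server saw an SPF or DKIM pass whose
    domain aligns with the From: header domain; otherwise (False, reason)."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    if "@" not in from_addr:
        return False, "no From address"
    from_dom = org_domain(from_addr.rsplit("@", 1)[1])

    for header in msg.get_all("Authentication-Results", []):
        authserv, res = parse_auth_results(header)
        if authserv != AUTHSERV_ID:
            continue                                   # added upstream, possibly by the sender: ignore
        if "dkim" in res:
            result, props = res["dkim"]
            if result == "pass" and org_domain(props.get("header.d", "")) == from_dom:
                return True, "dkim aligned"
        if "spf" in res:
            result, props = res["spf"]
            mailfrom_dom = props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
            if result == "pass" and org_domain(mailfrom_dom) == from_dom:
                return True, "spf aligned"
        return False, "no aligned pass"
    return False, "no Authentication-Results from our server"


# Constructed sample messages as our server would hand them to a filter.
LEGIT = """From: Phil Anthropy <phil.anthropy@companyinc.com>
Authentication-Results: mx.companyinc.com; spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=companyinc.com; dkim=pass header.d=companyinc.com header.s=sel1; dmarc=pass header.from=companyinc.com
Subject: Board deck

Attached as discussed."""

SPOOF = """From: Phil Anthropy <phil.anthropy@companyinc.com>
Authentication-Results: mx.companyinc.com; spf=fail smtp.mailfrom=attacker-mail.example; dkim=none; dmarc=fail header.from=companyinc.com
Subject: Urgent wire

Please process today."""

FORGED_HEADER = """From: Phil Anthropy <phil.anthropy@companyinc.com>
Authentication-Results: attacker-mail.example; spf=pass smtp.mailfrom=companyinc.com; dkim=pass header.d=companyinc.com
Subject: Urgent wire

Please process today."""

if __name__ == "__main__":
    for name, sample in [("legit", LEGIT), ("spoof", SPOOF), ("forged header", FORGED_HEADER)]:
        print(f"{name:14} -> {from_is_authenticated(sample)}")
```

    The third sample shows why the server id check is not optional: a sender can write an Authentication-Results header of their own, so only the copy stamped by the organisation's own server counts, and production receivers strip foreign copies on ingress for the same reason.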
