Security terms explained — the phishing family tree: phishing, spear phishing, whaling, BEC, VEC, quishing
"Phishing" gets used as a catch-all, but the terms underneath describe meaningfully different attacks. A useful way to read the family: as the target narrows, the payload fades and trust does the work.
The family, from broad to precise
- Phishing — the broad term. Mass, untargeted lures cast wide: fake login pages, fake delivery notices, fake invoices. Low effort, low per-target success, enormous volume.
- Spear phishing — targeted phishing. The message is tailored to a specific person or team using real details (role, project, a recent event), which makes it far more convincing than a mass lure.
- Whaling — spear phishing aimed at the "big fish": executives and other high-authority targets, where one success is worth a great deal.
- BEC (Business Email Compromise) — fraud that impersonates a trusted party (an executive, a supplier) to trigger a business action: a wire transfer, a banking-detail change, a gift-card purchase. Frequently no link or attachment at all — the attack is language and authority.
- VEC (Vendor Email Compromise) — a sharp subspecies of BEC where the attacker sends from the genuine, compromised mailbox of a real vendor, inside a real thread. Nothing is spoofed, so authentication passes. (We covered this in Weekly Report #4.)
- Quishing — phishing where the link is delivered as a QR code image, to bypass URL scanners and move the click to a personal phone. (Weekly Report #2.)
Related cousins worth knowing: smishing (phishing over SMS) and vishing (voice phishing, increasingly with AI-cloned audio).
The pattern across the family
Read top to bottom and one trend is clear: the more precise the attack, the fewer technical indicators it carries. Mass phishing has malicious links and dodgy attachments to catch. By the time you reach BEC and VEC, there is often nothing to scan — just a trusted-looking request in a real conversation.
That is exactly why detection has to move from matching payloads to investigating context. The most damaging members of this family are the ones with the least to match.
Not sure which branch a suspicious email belongs to? Run it through the Analyze console and read the per-agent breakdown.