How it differs from bulk phishing: traditional phishing bets on volume (thousands of sends, low hit rate); spear phishing bets on precision (few sends, high hit rate). When the target is a senior executive it is called whaling, with executive-grade lures: legal summonses, M&A activity, board matters.
What is spear phishing
Spear phishing is the targeted variant of phishing: instead of blasting the same email to thousands of inboxes, the attacker picks a specific person or role — the treasury manager, the systems administrator, the executive assistant — and crafts a bespoke message. Before writing a single line, they do their homework: LinkedIn profiles, org charts, press releases, regular suppliers and data leaked in previous breaches. The result is an email that references real projects, mimics the tone of a colleague or a known supplier, and lands at a plausible moment. It is the most profitable email-borne application of social engineering, which is why it opens most serious intrusions.
Why it matters
Bulk phishing is stopped by filters and minimally trained users; spear phishing is engineered to defeat both. Because it is personalised, it does not trip volume-based rules, and because it cites genuine context — an order in progress, an expected invoice, last week's announced reorganisation — it disarms the recipient's suspicion. The data feeding that personalisation is cheap: OSINT over public sources plus compromised credentials from old breaches are enough to reconstruct who talks to whom and about what. That is why spear phishing is the preferred initial access of ransomware operators and the starting point for most BEC (Business Email Compromise) fraud, where the goal is not to install malware but to divert a payment. For an SME, a single well-built email can mean full encryption of its systems or the payment of a six-figure fake invoice. Executives and anyone with access to payments or infrastructure should assume they will be targeted, not wonder whether they will be.
Key points
The reconnaissance phase: before the email come weeks of OSINT — LinkedIn for the org chart and job changes, the corporate website for suppliers and projects, company registries, and data breaches for addresses, passwords and signature styles.
The lure imitates real relationships: a regular supplier changing its bank account, a colleague sharing a document, the CEO asking for something urgent and confidential to be handled from their phone. Urgency and confidentiality are the two classic levers.
It is the entry point, not the whole attack: after the click come credential theft, access to email or the VPN, lateral movement and, weeks later, ransomware or fraud. Catching the initial email cuts the chain at its cheapest point.
Technical defences: DMARC, SPF and DKIM in strict mode to make spoofing your own domain harder, external-sender banners, and phishing-resistant MFA (FIDO2/passkeys) so that stolen credentials alone are not enough.
Human defences: continuous training with realistic, personalised simulations — not the generic annual campaign — plus out-of-band verification procedures for payments and bank-detail changes, so that a single email can never authorise a transfer.
Example: the supplier invoice with new bank details
A 90-employee manufacturing firm publishes a press release about its plant expansion, complete with a photo of the operations director and a mention of the systems integrator running the project. The attacker cross-references that release with LinkedIn, identifies the accounts administrator who handles supplier payments, and finds her email address in an old breach. They register a domain nearly identical to the integrator's (one letter changed) and, timed with month-end close, send a genuine invoice — copied from a previously compromised email thread — with a note: "we have switched banks, please find the updated account ownership certificate attached".
The email sails through the filters because the domain is new and clean, the invoice is legitimate in format and amounts, and the context fits a live project. The only defence that works here is procedural: internal policy requires every bank-detail change to be verified by calling the supplier on a number already on file, never one taken from the email. The administrator calls, the integrator knows nothing about any change, and the attempt ends as an alert to the SOC and a block on the fraudulent domain. Without that thirty-second call, the £70,000 transfer would have gone out that same afternoon.
Common mistakes
- Assuming the spam filter will catch it. Spear phishing is sent in tiny volumes, from freshly registered domains or compromised legitimate mailboxes, with no obviously malicious attachments — precisely the traits reputation-based filters do not penalise.
- Training with generic bulk-phishing simulations. If employees have only ever seen crude lures full of spelling mistakes, a personalised email referencing their real project will look authentic. Simulations must match the sophistication of the real attacker.
- Protecting only the executive team. Attackers often get in through less-watched profiles — accounts payable, reception, technical staff — and escalate from there towards whoever authorises payments or manages infrastructure.
- Trusting SMS or push-notification MFA as the final barrier. Modern spear phishing kits proxy the session in real time and capture the code, or wear the user down with repeated prompts; only phishing-resistant MFA (FIDO2) closes that vector.
- Having no verification procedure for payments and bank-detail changes. Technology can fail; a simple rule — no banking change without confirmation over a channel already on file — turns the world's best spear phish into a harmless email.
Related terms
Related services
This concept may be related to services such as:
Frequently asked questions
How is spear phishing different from ordinary phishing?
In targeting and preparation. Bulk phishing sends the same generic message to thousands of recipients and relies on a small percentage falling for it. Spear phishing chooses its victim first — a specific person or role — researches their professional context and crafts a tailored message referencing real projects, colleagues or suppliers. Far fewer sends, a much higher success rate, and much harder to filter.
What is whaling and how does it relate to spear phishing?
Whaling is spear phishing aimed specifically at senior executives: CEOs, CFOs, board members. It uses lures appropriate to the role — court summonses, acquisition deals, board business — and typically seeks to authorise transfers or steal highly privileged credentials. The mechanics are identical; what changes is the victim profile and the attacker's expected return, which justifies weeks of preparation.
How do attackers gather so much information about their target?
Almost all of it is public or semi-public. LinkedIn reveals org charts, job titles and role changes; the corporate website and press releases expose projects and suppliers; company registries list directors and annual accounts. Add data breaches: email addresses, old passwords and leaked conversations that let an attacker imitate a colleague's writing style or pick up a genuine thread.
Which specific measures reduce spear phishing risk the most?
Three combined layers. Technical: DMARC on a strict policy, external-sender banners and phishing-resistant MFA such as FIDO2, which makes stolen credentials useless on their own. Procedural: mandatory out-of-band verification for payments and bank-detail changes. Human: regular, realistic simulations personalised by department, so employees have already seen the exact type of email they are going to receive.