What is Spear Phishing?
Spear phishing is a phishing attack targeted at, and customized for, a specific individual or organization.
How Spear Phishing Differs from Mass Phishing
Mass phishing casts the widest possible net: millions of emails sent with generic lures — a fake PayPal alert, a fake Microsoft password expiration notice — designed to capture any recipient who fails to recognize the deception. The success rate is low but the volume compensates. Spear phishing inverts this model: a small number of highly targeted messages crafted specifically for the intended recipients, with success rates orders of magnitude higher.
A spear phishing message for a CFO references the specific acquisition the company is rumored to be pursuing, appears to come from the deal's investment banker, and requests review of a financial document. A spear phishing message for an IT administrator references the specific infrastructure the organization runs, appears to come from the relevant vendor's support team, and requests credential confirmation to resolve a fabricated service issue. The specificity makes the deception convincing to recipients who apply normal business judgment — these messages look like legitimate business communications because they contain accurate context about the target's business.
Reconnaissance: How Spear Phishers Build Their Profiles
Effective spear phishing requires intelligence gathering about the target. LinkedIn provides professional relationships, titles, responsibilities, and reporting structures. Corporate websites and press releases reveal business activities, acquisitions, partnerships, and key personnel. Conference presentations and published research reveal technical details about the organization's systems and infrastructure. Social media reveals personal context that can be woven into pretexts. OSINT (open source intelligence) aggregators compile this information systematically, enabling attackers to build detailed profiles of targets from publicly available sources without any direct interaction.
Whaling — spear phishing specifically targeting senior executives — applies this research to the highest-value targets. A well-researched whaling attack against a CEO or CFO that convincingly impersonates a known counterpart, references real business context, and creates appropriate urgency is one of the most difficult social engineering attacks to defend against through awareness alone.
Spear Phishing Defense Strategies
Email Authentication Protocols
SPF, DKIM, and DMARC are technical protocols that defend against email sender spoofing. Properly configured, they prevent attackers from sending emails that appear to originate from the target organization's actual email domain. Most spear phishing attempts use lookalike domains and display name spoofing rather than direct domain spoofing precisely because SPF/DKIM/DMARC effectively block the simplest spoofing techniques. Mature email security requires both authentication protocol implementation and lookalike domain monitoring to catch the workarounds.
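The two halves of that recommendation, checking that the organization's own DMARC policy is actually enforcing and catching the lookalike-domain and display-name workarounds, can both be expressed as simple inbound checks. The following is an added example written for this page, not code from the page's author or from any product it describes; the protected domain `example.com`, the executive display names, and the sample `From:` headers are all constructed values.

```python
from __future__ import annotations
import re
from difflib import SequenceMatcher

# Constructed: the organization's own domain and the executive display names
# most likely to be impersonated (hypothetical values for this example).
PROTECTED_DOMAIN = "example.com"
PROTECTED_DISPLAY_NAMES = {"jane doe", "john smith"}

# Single-character and multi-character substitutions commonly used to build
# lookalike domains; folding both sides to a canonical form lets a plain
# string comparison catch examp1e.com and exarnple.com.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
MULTI_CHAR_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize_domain(domain: str) -> str:
    """Fold visually confusable characters so lookalikes compare equal."""
    d = domain.lower().strip().translate(CONFUSABLES)
    for seq, repl in MULTI_CHAR_CONFUSABLES:
        d = d.replace(seq, repl)
    return d


def is_lookalike(sender_domain: str, protected: str = PROTECTED_DOMAIN) -> bool:
    """True if sender_domain imitates the protected domain without being it."""
    s, p = sender_domain.lower().strip(), protected.lower()
    if s == p or s.endswith("." + p):
        return False  # the real domain or one of its legitimate subdomains
    if normalize_domain(s) == normalize_domain(p):
        return True  # homoglyph substitution
    if s.startswith(p + ".") or ("." + p + ".") in s:
        return True  # real domain used as a subdomain label: example.com.evil.net
    # Remaining near-misses (dropped or doubled letters) by string similarity.
    return SequenceMatcher(None, s, p).ratio() >= 0.85


def parse_from(header: str) -> tuple[str, str]:
    """Split 'Jane Doe <jane@example.com>' into (display name, lowercase address)."""
    m = re.match(r'^\s*(?:"?(.*?)"?\s*)?<([^>]+)>\s*$', header)
    if m:
        return (m.group(1) or "").strip(), m.group(2).strip().lower()
    return "", header.strip().lower()  # bare address with no display name


def assess_sender(from_header: str) -> list[str]:
    """Return the spoofing indicators found in a From: header (empty if none)."""
    name, addr = parse_from(from_header)
    domain = addr.rsplit("@", 1)[-1]
    on_real_domain = domain == PROTECTED_DOMAIN or domain.endswith("." + PROTECTED_DOMAIN)
    findings = []
    if is_lookalike(domain):
        findings.append("lookalike-domain")
    # Display-name spoofing: a protected executive's name on an outside address.
    if name.lower() in PROTECTED_DISPLAY_NAMES and not on_real_domain:
        findings.append("display-name-spoof")
    # The real address placed in the display name to hide the actual sender.
    if "@" + PROTECTED_DOMAIN in name.lower() and not on_real_domain:
        findings.append("address-in-display-name")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=...' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(record: str) -> bool:
    """True only if the policy quarantines or rejects and applies to 100% of mail."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    return policy in ("quarantine", "reject") and pct == 100


if __name__ == "__main__":
    # Constructed sample headers exercising each indicator.
    for hdr in ["Jane Doe <jane.doe@exarnple.com>",
                "IT Support <support@example.com.evil.net>",
                "Jane Doe <jane.doe@gmail.com>",
                "Jane Doe <jane.doe@example.com>"]:
        print(f"{hdr!r}: {assess_sender(hdr) or ['clean']}")
    print("enforcing:", dmarc_enforcing("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
    print("enforcing:", dmarc_enforcing("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
```

In production the DMARC record would come from a DNS TXT lookup of `_dmarc.<domain>` rather than a string literal, and the confusable table would be replaced by a fuller Unicode confusables list (punycode domains included); the structure of the checks stays the same. A `p=none` policy only reports, it blocks nothing, which is why the check treats it as non-enforcing.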
User Awareness Tailored to Targets
Generic phishing awareness training is largely ineffective against spear phishing because the messages are crafted specifically to bypass generic-awareness heuristics. Effective spear phishing defense requires role-specific training for high-value targets — executives, finance team members, HR, IT administrators — that addresses the specific spear phishing patterns each role is targeted with. The CFO receives different spear phishing than the helpdesk technician; their training should reflect that.
Verification Procedures for High-Risk Actions
Out-of-band verification procedures for high-risk actions — wire transfers, payroll changes, credential resets for privileged accounts, vendor banking detail changes — are the operational control that catches spear phishing that bypassed earlier defensive layers. A finance team member who receives a wire transfer request from the CEO calls the CEO directly, using a known phone number, before processing the transfer. The procedural friction is the point: legitimate requests survive the friction; phishing requests do not.
Related Reading
- Business Email Compromise (BEC) — the financial-fraud variant of spear phishing
- Email Security (SPF, DKIM, DMARC) — the protocol defenses against spoofed senders
- Smishing — the SMS-based phishing variant
Real-World Example: The Ubiquiti Spear Phishing — $46.7M Gone
In 2015, networking company Ubiquiti Networks lost $46.7 million to a spear phishing attack targeting its finance department. An attacker impersonating a Ubiquiti executive sent emails to the company's finance staff requesting a series of wire transfers as part of a fabricated acquisition. The emails appeared to come from Ubiquiti's own executive team and referenced internal business processes convincingly enough that the finance team processed $46.7 million in transfers to attacker-controlled accounts across multiple countries before the fraud was discovered. The company recovered approximately $8.1 million. The remainder was gone.
Of targeted cyberattacks begin with a spear phishing email. Technical defenses stop commodity threats. Spear phishing targets the human judgment that technical controls cannot replace.