What is Spear Phishing?


Spear phishing is targeted phishing crafted for specific individuals using researched personal data. Learn how it works, why it succeeds, and how to defend against it.

How Spear Phishing Works

A spear phishing attack follows a research-then-target sequence. The attacker begins with open-source intelligence: LinkedIn reveals the target's role, reporting relationships, current projects, and professional connections. The company website provides organizational structure, technology stack clues, and executive names. Breach databases provide email formats, potentially reused passwords, and personal details like home addresses or phone numbers. Social media adds personal context — recent travel, family details, interests — that makes fabricated scenarios more convincing.

With this research, the attacker constructs a pretext — a plausible reason for the target to take a specific action. An email appearing to come from the target's CEO referencing a specific ongoing acquisition, using internal terminology, and requesting urgent action on a wire transfer is a spear phishing attack. So is an email appearing to come from IT support referencing the target's specific laptop model and asking them to verify credentials through a linked portal.

The payload varies by objective: credential harvesting (a link to a convincing fake login page), malware delivery (an attachment that executes on open), financial fraud (a request for wire transfer or gift card purchase), or data exfiltration (a request to forward documents). The social engineering is the delivery mechanism; the payload determines the immediate damage.

Why Spear Phishing Succeeds Despite Awareness

Security awareness training consistently identifies spear phishing as a known threat. It continues to succeed because the attack is specifically designed to defeat awareness. A spear phishing email from 'the CEO' about 'the acquisition we discussed' referencing the target's actual manager and current project succeeds not because the target is unaware of phishing — but because the email contains no indicators they were trained to look for. The sender looks right. The context is right. The urgency is right. The only tell is the sender domain, and that requires careful inspection rather than a quick read.
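The sender-domain tell described above is exactly the kind of check that should be automated rather than left to a hurried reader. The following is an added illustration (not code from Cloudskope or from the original article) of three header checks a mail gateway or SOC script can run: an executive's display name paired with an unexpected mailbox, a near-miss spelling of the organisation's own domain, and a Reply-To that silently routes answers elsewhere. The domain `example.com`, the executive directory and the similarity threshold are constructed assumptions.

```python
import email.utils
import difflib

# Constructed directory for the example: the organisation's own domain and
# the mailbox each executive actually sends from (assumed values, not page data).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def domain_of(address):
    return address.lower().rpartition("@")[2]


def is_lookalike_domain(domain, org_domain=ORG_DOMAIN, threshold=0.85):
    """True when the sender domain is a near-miss spelling of the organisation's
    domain (e.g. 'examp1e.com' for 'example.com'), but not the domain itself."""
    if domain == org_domain:
        return False
    return difflib.SequenceMatcher(None, domain, org_domain).ratio() >= threshold


def check_headers(from_header, reply_to_header=None):
    """Return the list of impersonation findings for one message's headers.
    An empty list means the checks found nothing to flag."""
    display_name, address = email.utils.parseaddr(from_header)
    address = address.lower()
    findings = []

    # 1. Display name is a known executive, but the address is not that executive's mailbox.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and address != expected:
        findings.append("executive display name with unexpected address")

    # 2. Sender domain is a near-miss spelling of the organisation's own domain.
    if is_lookalike_domain(domain_of(address)):
        findings.append("lookalike sender domain")

    # 3. Replies are routed to a different domain than the one shown in From.
    if reply_to_header:
        _, reply_to = email.utils.parseaddr(reply_to_header)
        if domain_of(reply_to) != domain_of(address):
            findings.append("reply-to domain differs from sender domain")

    return findings


if __name__ == "__main__":
    print(check_headers("Jane Doe <jane.doe@example.com>"))   # []
    print(check_headers("Jane Doe <jane.doe@examp1e.com>"))   # two findings
```

A real deployment would load the executive directory from the identity provider and tune the similarity threshold against the organisation's own legitimate partner domains to keep false positives down.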

AI has materially worsened this dynamic. Generating individually tailored spear phishing content — researching a target, constructing a convincing narrative, writing grammatically perfect text in the appropriate register — previously required hours of attacker investment per target. AI reduces this to minutes per target at near-zero marginal cost. The quality ceiling for spear phishing content has risen dramatically while the cost floor has dropped to near zero.

High-Value Targets: Who Gets Spear Phished

Spear phishing targeting follows attacker economics. The highest-value targets are those whose compromise provides the greatest access or financial return: CFOs and finance team members (wire transfer fraud, financial system access), executives (credential access to high-privilege accounts, strategic information), IT administrators (system access, credential stores), and HR personnel (W-2 fraud, payroll redirection, personnel data). In PE-backed companies, operating partners, deal team members, and portfolio company executives are targets for sophisticated threat actors who research the PE relationship and craft pretexts around deal activity.

Defending Against Spear Phishing

Technical controls address the delivery layer. Email security platforms with AI-based anomaly detection identify emails that deviate from expected sender patterns even when they pass SPF, DKIM, and DMARC validation — catching the spoofed CEO email even when the technical headers look correct. DMARC enforcement at the organizational level prevents spoofing of the organization's own domain. Link sandboxing detonates linked URLs before they reach the user.

Process controls address the action layer. Multi-channel verification requirements for financial transactions — requiring a callback to a known number before executing any wire transfer initiated by email — defeat the most financially damaging spear phishing attacks regardless of how convincing the email is. The verification call defeats the attack even if the email is perfect.

Phishing-resistant MFA addresses the credential harvest layer. Even if a spear phishing email successfully captures a user's password through a fake login page, phishing-resistant MFA (FIDO2, passkeys) cannot be intercepted or replayed, because the authenticator binds each credential to the legitimate site's origin and will not respond to the attacker's lookalike page — the attacker obtains the password but cannot use it.

Spear Phishing in PE Due Diligence

For PE due diligence, spear phishing resilience is assessed through a combination of technical controls (email security platform capabilities, DMARC enforcement, MFA type) and process controls (financial authorization procedures, wire transfer verification requirements). Organizations that authorize wire transfers based solely on email instructions from executives — without secondary verification — have a structural fraud exposure that is independent of their technical security investment.

Related Reading

Ubiquiti: $46.7M Spear Phishing Wire Fraud

In 2015, Ubiquiti Networks disclosed that it had lost $46.7 million through a spear phishing attack targeting its finance department. The attackers impersonated executives and outside legal counsel in emails that directed finance employees to initiate wire transfers for a purported acquisition. The emails were convincing enough that multiple transfers were executed before the fraud was detected. Ubiquiti recovered approximately $15 million through coordination with overseas banking authorities — $31.7 million was unrecovered. The attack required no malware, no technical exploit, and no system compromise. It required only convincing emails to finance employees who had no reason to be suspicious of transfer requests from apparent executives and counsel.

91% of successful data breaches begin with a spear phishing attack, according to research published in the SANS Security Awareness Report. The most costly enterprise breaches are not the result of technical exploits against hardened systems — they are the result of convincing, targeted emails sent to specific individuals who had no reason to be suspicious.

How Cloudskope Can Help

Cloudskope's Phishing Resilience Assessment evaluates your technical email security controls, DMARC enforcement posture, financial authorization procedures, and MFA implementation — identifying the specific gaps that make spear phishing financially consequential. For PE due diligence, we assess wire transfer fraud exposure and the verification procedures that protect against executive impersonation.