What is Spear Phishing?
Spear phishing is a targeted attack customized for a specific individual or organization. Learn how spear phishing differs from mass phishing and how to defend against it.
How Spear Phishing Differs from Mass Phishing
Mass phishing casts the widest possible net: millions of emails sent with generic lures — a fake PayPal alert, a fake Microsoft password expiration notice — designed to capture any recipient who fails to recognize the deception. The success rate is low but the volume compensates. Spear phishing inverts this model: a small number of highly targeted messages crafted specifically for the intended recipients, with success rates orders of magnitude higher.
A spear phishing message for a CFO references the specific acquisition the company is rumored to be pursuing, appears to come from the deal's investment banker, and requests review of a financial document. A spear phishing message for an IT administrator references the specific infrastructure the organization runs, appears to come from the relevant vendor's support team, and requests credential confirmation to resolve a fabricated service issue. The specificity makes the deception convincing to recipients who apply normal business judgment — these messages look like legitimate business communications because they contain accurate context about the target's business.
Reconnaissance: How Spear Phishers Build Their Profiles
Effective spear phishing requires intelligence gathering about the target. LinkedIn provides professional relationships, titles, responsibilities, and reporting structures. Corporate websites and press releases reveal business activities, acquisitions, partnerships, and key personnel. Conference presentations and published research reveal technical details about the organization's systems and infrastructure. Social media reveals personal context that can be woven into pretexts. OSINT (open source intelligence) aggregators compile this information systematically, enabling attackers to build detailed profiles of targets from publicly available sources without any direct interaction.
Whaling — spear phishing specifically targeting senior executives — applies this research to the highest-value targets. A well-researched whaling attack against a CEO or CFO that convincingly impersonates a known counterpart, references real business context, and creates appropriate urgency is one of the most difficult social engineering attacks to defend against through awareness alone.
Defending Against Spear Phishing
Technical controls that are highly effective against mass phishing have limited effectiveness against well-crafted spear phishing. Email authentication — DMARC, DKIM, SPF — prevents exact-domain spoofing but does not prevent lookalike domain impersonation or attacks from compromised legitimate accounts. Spam filters trained on mass phishing patterns may not recognize highly targeted messages with legitimate-looking domains and personalized content.
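The following is an added example, not code from the original article: a small gateway-side classifier that shows where DMARC stops helping. It assumes the receiving mail gateway has already evaluated SPF/DKIM/DMARC and stamped the verdict into an Authentication-Results header (as gateways normally do); the protected domain, the confusable table and the four sample messages are constructed for the illustration. Exact-domain spoofing fails DMARC and is rejected; a lookalike domain the attacker registered passes DMARC on its own domain, so it has to be caught by comparing the sender domain against the protected one; display-name impersonation from an unrelated domain is a third case DMARC says nothing about.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: domains whose identity the gateway protects.
PROTECTED_DOMAINS = {"example.com"}

# Assumption: a small illustrative table of visual confusables seen in lookalike
# registrations; production lists are far larger.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label):
    """Fold confusable sequences so 'exarnple' and 'example' compare equal."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Plain edit distance; catches one-character typosquats such as 'exampie'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the protected domain that `domain` imitates, or None."""
    if domain in PROTECTED_DOMAINS:
        return None
    label = domain.split(".")[0]
    for prot in PROTECTED_DOMAINS:
        plabel = prot.split(".")[0]
        if normalize(label) == normalize(plabel) or levenshtein(label, plabel) <= 1:
            return prot
    return None


def dmarc_result(msg):
    """Read the DMARC verdict the gateway stamped into Authentication-Results."""
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def classify(raw_message):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    dmarc = dmarc_result(msg)
    reasons = []

    if domain in PROTECTED_DOMAINS and dmarc != "pass":
        # Exact-domain spoof: the case DMARC is designed to stop.
        reasons.append("claims %s but DMARC=%s" % (domain, dmarc))
        return "reject", reasons

    imitated = lookalike_of(domain)
    if imitated:
        # Lookalike domain: the attacker controls it, so SPF/DKIM/DMARC all pass.
        reasons.append("%s resembles protected %s (DMARC=%s is irrelevant)" % (domain, imitated, dmarc))
        return "quarantine", reasons

    brand = next((p.split(".")[0] for p in PROTECTED_DOMAINS
                  if p.split(".")[0] in display_name.lower()), None)
    if brand and domain not in PROTECTED_DOMAINS:
        # Display-name impersonation from a free-mail or unrelated domain.
        reasons.append("display name invokes %r but sender domain is %s" % (brand, domain))
        return "quarantine", reasons

    return "deliver", reasons


# Constructed sample messages; Authentication-Results is what the receiving gateway adds.
SAMPLES = {
    "spoofed": "Authentication-Results: mx.example.com; spf=fail dmarc=fail header.from=example.com\n"
               "From: \"Pat Lee, CFO\" <pat.lee@example.com>\nSubject: Urgent wire\n\nPlease process today.\n",
    "lookalike": "Authentication-Results: mx.example.com; spf=pass dkim=pass dmarc=pass header.from=examp1e.com\n"
                 "From: \"Pat Lee, CFO\" <pat.lee@examp1e.com>\nSubject: Urgent wire\n\nPlease process today.\n",
    "display_name": "Authentication-Results: mx.example.com; dmarc=none\n"
                    "From: \"Pat Lee (Example Corp)\" <patlee.cfo@freemail.invalid>\nSubject: Urgent wire\n\nToday.\n",
    "legit": "Authentication-Results: mx.example.com; spf=pass dkim=pass dmarc=pass header.from=example.com\n"
             "From: \"Pat Lee, CFO\" <pat.lee@example.com>\nSubject: Q3 numbers\n\nAttached.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The point of the four verdicts is that only the first one is DMARC's doing; the lookalike and display-name cases need a policy that knows which domains and brand names matter to this organization, which is exactly the context a generic spam filter lacks.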
The most effective defense against spear phishing targeting high-value individuals is reducing the value of credential compromise through phishing-resistant MFA — FIDO2 hardware keys or passkeys. An attacker who successfully phishes an executive's credentials through a sophisticated spear phishing campaign cannot access accounts protected by hardware key MFA, because the hardware key is bound to the legitimate domain and cannot be proxied. For the most targeted individuals in an organization — executives, IT administrators, finance staff — phishing-resistant MFA is the control that breaks the spear phishing business model.
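To make the "bound to the legitimate domain and cannot be proxied" claim concrete, here is an added example (not from the article) that models the three parties in a FIDO2/WebAuthn login: the authenticator, the browser and the relying party. It is a deliberate simplification: an HMAC key stands in for the credential's key pair so the code runs with the standard library only, the registrable-suffix rule for rpId is reduced to a suffix check, and the domain names are constructed. What it preserves is the two origin bindings that defeat a credential-relaying proxy: the browser refuses to use a credential scoped to example.com from a page on a lookalike origin, and even if it did, the clientDataJSON the browser signs over records the real origin, which the relying party rejects.

```python
import hashlib
import hmac
import json
import os
import struct


class Authenticator:
    """Simplified FIDO2 authenticator holding one credential per relying-party ID.

    Assumption: an HMAC key stands in for the credential's private/public key pair;
    a real authenticator signs with ECDSA/EdDSA and the RP verifies with the public key.
    """

    def __init__(self):
        self._creds = {}
        self._counter = 0

    def make_credential(self, rp_id):
        key = os.urandom(32)
        self._creds[rp_id] = key
        return key  # the RP stores this as the credential's verification key

    def get_assertion(self, rp_id, client_data_hash):
        # The authenticator never sees a URL; it only knows the rpId the browser asked
        # for, and holds nothing it could sign for a domain it was not registered on.
        if rp_id not in self._creds:
            raise LookupError("no credential for rpId %s" % rp_id)
        self._counter += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", self._counter)
        sig = hmac.new(self._creds[rp_id], auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authenticator, page_origin, rp_id, challenge, enforce_rp_id=True):
    """What the browser does for navigator.credentials.get() on `page_origin`."""
    host = page_origin.split("://", 1)[1]
    if enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("rpId %s is not valid for origin %s" % (rp_id, page_origin))
    # clientDataJSON is built by the browser, never by the page, so the origin it
    # records is the origin the user is really on, whatever the page claims to be.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(expected_origin, rp_id, issued_challenge, key, client_data, auth_data, sig):
    """Subset of the relying party's WebAuthn assertion verification steps."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge:
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: signed for %s" % cd.get("origin")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def run_scenarios():
    """Legitimate login versus a proxy relaying the real challenge from a lookalike domain."""
    rp_id, rp_origin = "example.com", "https://example.com"       # constructed
    phish_origin = "https://examp1e.com"                           # constructed
    auth = Authenticator()
    key = auth.make_credential(rp_id)
    results = {}

    challenge = os.urandom(16).hex()
    results["legitimate"] = rp_verify(rp_origin, rp_id, challenge, key,
                                      *browser_get(auth, rp_origin, rp_id, challenge))

    # The proxy forwards the genuine challenge to a victim browsing the lookalike site.
    challenge = os.urandom(16).hex()
    try:
        browser_get(auth, phish_origin, rp_id, challenge)
        results["proxy"] = (False, "unreachable")
    except ValueError as e:
        results["proxy"] = (False, str(e))

    # Even if a browser skipped the rpId rule, the signed clientData names the real origin.
    challenge = os.urandom(16).hex()
    results["proxy_no_rpid_check"] = rp_verify(
        rp_origin, rp_id, challenge, key,
        *browser_get(auth, phish_origin, rp_id, challenge, enforce_rp_id=False))
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print("%-20s %s  %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

Contrast this with a TOTP or push code: nothing in those ties the second factor to the origin the user typed it into, so a proxy sitting on a lookalike domain can forward it unchanged. Here the proxy never obtains anything the relying party will accept.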
Real-World Example: The Ubiquiti Spear Phishing — $46.7M Gone
In 2015, networking company Ubiquiti Networks lost $46.7 million to a spear phishing attack targeting its finance department. An attacker impersonating a Ubiquiti executive sent emails to the company's finance staff requesting a series of wire transfers as part of a fabricated acquisition. The emails appeared to come from Ubiquiti's own executive team and referenced internal business processes convincingly enough that the finance team processed $46.7 million in transfers to attacker-controlled accounts across multiple countries before the fraud was discovered. The company recovered approximately $8.1 million. The remainder was gone.
Of targeted cyberattacks begin with a spear phishing email. Technical defenses stop commodity threats. Spear phishing targets the human judgment that technical controls cannot replace.