What Is Spear Phishing? How Targeted Attacks Work
Generic phishing is a numbers game. Spear phishing is a knife. The first works because someone, somewhere, will click. The second works because the message in front of you is so contextually accurate that your brain stops asking whether it's real. They share a name and a category, but operationally they're different problems with different defenses.
The definition
Spear phishing is phishing aimed at a specific individual or a small named group, customized using research about the target. The customization can be light (your real name, your manager's name) or deep (a project codename, a vendor invoice number, a Slack channel reference). The defining property is that the attacker did the homework. Mass phishing skips the homework and trades volume for hit rate; spear phishing inverts that trade.
The Verizon DBIR consistently finds that targeted social-engineering attacks account for a disproportionate share of breaches that involve significant financial loss. The IBM Cost of a Data Breach Report attributes some of the most expensive phishing-led incidents to spear phishing rather than mass campaigns.
How attackers research a target
The reconnaissance phase is the part most defenders underestimate. Walk through how a competent attacker spends 30-60 minutes on a single target before sending a message:
- LinkedIn. Job title, tenure, manager, direct reports, recent promotions, named projects, named tools (in skills/endorsements), conferences attended, certifications, common contacts.
- Company website and press. Org chart, named vendors, recent funding announcements, customer logos, M&A activity, executive bios.
- Public job postings. Internal tool names, ERP, ticketing system, identity provider, cloud platform - job ads leak more architecture than many CISOs realize.
- Conference talks and podcasts. Voice samples for AI cloning (used in vishing), names of internal projects, vendor relationships.
- Data breach corpora. Old leaked credentials may not work, but they reveal naming conventions, password patterns and prior login pairs.
- Social media beyond LinkedIn. Personal interests for emotional pretexts, family member names for impersonation, vacation timing for "I'm out of office, please handle this" pretexts.
This is all open-source intelligence (OSINT), all legal to gather and all surprisingly fast with modern tooling. The output is a target dossier with enough context to write a message that lands.
Three real-world spear phishing patterns
- Vendor invoice fraud. An accounts-payable clerk receives a polite, well-formatted email from a real vendor's domain (often spoofed or from a lookalike), referencing a real PO number the attacker pulled from a public source, asking to update bank details for the next payment. The clerk obliges. The next payment goes to the attacker.
- Calendar-aware executive impersonation. A finance director receives a message at 4:30 PM on a Friday "from" the CEO who is genuinely out of office (per LinkedIn, per a conference site, per an autoresponder). The message asks for an urgent wire to close a deal. The attacker timed the send around the CEO's actual travel.
- Project-specific credential harvest. A software engineer receives an email referencing a real internal project codename ("Update on Project Helios deployment - build artifact ready for review") with a link to a cloned identity-provider login page. The codename came from a public job posting; the engineer enters credentials on the cloned page; the attacker uses them within minutes.
Why spear phishing bypasses normal training
Most security awareness training teaches employees to look for signals that don't appear in good spear phishing: spelling mistakes, generic salutations, suspicious sender names, ALL-CAPS subject lines. A competent spear-phishing message has none of these. It uses your real name, references real context, comes from a believable domain and asks for something that sounds like part of your job.
The patterns that actually identify a spear phish are subtler:
- A request that bypasses normal process. "Just this once," "do it before I get back," "we'll do paperwork after."
- An unusual change of channel. Switching from email to text, from text to WhatsApp, from in-person to a phone call.
- A small inconsistency that you'd miss if you weren't looking. A character substitution in the domain (rn instead of m), a CC list of one person who shouldn't be there, a signature block formatted slightly differently.
- Pressure that doesn't match the requester's normal style. A boss who normally writes calmly suddenly being curt and urgent.
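The domain-substitution and executive-impersonation signals above are exactly what a mail gateway can check mechanically. The following is an added example (not Bait & Phish code); the trusted-domain list, the internal-directory entry and the sample From headers are all constructed.

```python
from email.utils import parseaddr

# Constructed allow-list and directory for the example; not any real tenant's data.
TRUSTED_DOMAINS = ["example.com", "acme-supplies.com"]   # own domain plus known vendors
INTERNAL_PEOPLE = {"Dana Whitfield": "example.com"}      # executive name -> corporate domain

# Substitutions that survive a casual glance in a proportional font ("rn" reads as "m").
PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]
SINGLES = str.maketrans("0135", "oles")


def skeleton(domain: str) -> str:
    """Collapse confusable sequences so 'exarnple.c0m' and 'example.com' compare equal.
    Unicode/IDN homoglyphs in xn-- labels are out of scope for this example."""
    d = domain.lower()
    for pair, single in PAIRS:
        d = d.replace(pair, single)
    return d.translate(SINGLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; distance 1 from a trusted domain catches one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str) -> list[str]:
    """Findings for one RFC 5322 From header; an empty list means nothing was flagged."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if skeleton(domain) == skeleton(trusted):
                findings.append(f"lookalike of {trusted} (confusable characters)")
            elif levenshtein(domain, trusted) == 1:
                findings.append(f"lookalike of {trusted} (one-character typo)")
        # A known executive's display name on a domain that is not theirs: the "from the CEO" pattern.
        if INTERNAL_PEOPLE.get(name.strip(), domain) != domain:
            findings.append(f"display name '{name}' is internal but sender domain is external")
    return findings
```

Run it over the gateway's inbound From headers and route anything with a non-empty result to the reporting queue rather than the inbox.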
How to train against spear phishing specifically
Mass phishing simulations at the easy difficulty level do not prepare employees for spear phishing; the cognitive context is different. To train spear-phishing detection, run hard-difficulty simulations that include real internal context (names, project references, vendor patterns) against small target groups, and pair them with remediation training that explicitly teaches the pattern.
Bait & Phish ships templates at three difficulty levels (easy, regular and hard) across five intent categories. Hard-difficulty templates in our "IT and Business" and "Banking and Finance" categories are designed to resemble real spear-phishing patterns: cleaner formatting, plausible internal context, vendor-specific language. Auto-assigned remediation after a click ensures the lesson lands within minutes, not weeks. For organizations that want to push further, our team can help craft custom templates that include your actual project naming conventions and vendor patterns - a far more realistic test than off-the-shelf templates can provide. Reach out to scope custom-template work.
Process and tooling controls
Training alone won't stop spear phishing - process and tooling do most of the heavy lifting on the highest-loss scenarios.
- Out-of-band verification for vendor banking changes. Phone the vendor at a known number. Always. No exceptions. This single control eliminates most vendor invoice fraud.
- Dual-approval wires above a threshold. Two people, two channels, no shortcuts.
- DMARC, DKIM, SPF. The basic email authentication stack reduces (but doesn't eliminate) domain spoofing: with DMARC at an enforcing policy it blocks mail that claims your exact domain, but it does nothing about a lookalike domain the attacker registered and controls.
- One-click phish reporting. The earlier the security team sees one spear phish, the faster they can search the rest of the inboxes for the same campaign. The Bait & Phish Outlook add-in turns reporting into a one-click button, which raises reporting rate and reduces dwell time.
- Phishing-resistant MFA. Hardware security keys or platform authenticators defeat the credential-harvest variant of spear phishing entirely: the authenticator is bound to the real site's origin, so a password typed into a cloned login page cannot be turned into a working session.
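To make concrete what "reduces but doesn't eliminate" means for the authentication stack, here is an added example (not from the article or Bait & Phish) of the DMARC identifier-alignment check a receiving server performs. It assumes the SPF and DKIM verdicts have already been computed, and it simplifies organizational-domain lookup to the last two labels instead of consulting the Public Suffix List.

```python
def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels for this example.
    A real receiver uses the Public Suffix List so that 'example.co.uk' is handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment (RFC 7489): 'strict' needs an exact match with the
    visible From domain, 'relaxed' only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "strict":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_passes(header_from: str, spf: tuple[str, str], dkim: tuple[str, str],
                 aspf: str = "relaxed", adkim: str = "relaxed") -> bool:
    """spf = (verdict, envelope-from domain); dkim = (verdict, signing d= domain), as the
    receiver has them after SPF/DKIM evaluation. DMARC passes if either mechanism passed
    AND its domain aligns with the From domain; otherwise the domain owner's p= policy applies."""
    spf_ok = spf[0] == "pass" and aligned(header_from, spf[1], aspf)
    dkim_ok = dkim[0] == "pass" and aligned(header_from, dkim[1], adkim)
    return spf_ok or dkim_ok


# Constructed cases.
# Exact-domain spoof: the attacker's server passes SPF only for its own sending domain.
SPOOF = dmarc_passes("example.com", ("pass", "bulk-sender.net"), ("none", ""))
# Legitimate mail relayed via a subdomain: relaxed SPF alignment is enough.
LEGIT = dmarc_passes("example.com", ("pass", "mail.example.com"), ("fail", "example.com"))
# Same message under strict SPF alignment with a broken DKIM signature: does not pass.
LEGIT_STRICT = dmarc_passes("example.com", ("pass", "mail.example.com"),
                            ("fail", "example.com"), aspf="strict")
# Lookalike domain the attacker registered, with its own valid SPF and DKIM: passes cleanly.
LOOKALIKE = dmarc_passes("exarnple.com", ("pass", "exarnple.com"), ("pass", "exarnple.com"))
```

The last case is the point: a perfectly authenticated message from exarnple.com is exactly what the lookalike-domain and out-of-band verification controls exist to catch.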
How AI changes the spear-phishing economics
Spear phishing used to require human writing skill and target-specific reconnaissance time, which kept volumes low. Generative AI has reduced both costs sharply.
OSINT collection that took an analyst 30-60 minutes per target can now be partially automated by tooling that scrapes LinkedIn, press releases and public filings into a structured dossier. Drafting that took an attacker an hour can be done in minutes by an LLM prompted with the dossier and a few examples of legitimate corporate writing in that target's voice. Translation that used to bottleneck cross-language campaigns is now seamless.
The downstream consequence: the volume of credible spear-phishing messages is rising even as the per-target effort is falling. Defenders can no longer assume that a contextually accurate, well-written, personalized phishing email represents a high-effort attack worth defending only at the executive layer. The same pattern is reaching middle management and front-line staff.
The implication for training is that everyone needs the spear-phishing pattern recognition that used to be reserved for executive briefings. Hard-difficulty templates need to reach broader cohorts, and process controls - out-of-band verification for vendor banking changes, dual approval for wires - need to extend lower in the org chart than they used to. Behavior-triggered training is the only practical way to deliver this at scale; you cannot give every employee a personalized executive briefing.
Spear phishing in your insurance and compliance posture
Cyber insurance underwriters have, in recent years, started asking whether simulations cover targeted scenarios - not just bulk-template drills. SOC 2 and ISO 27001 auditors are starting to look for evidence that training reaches all employees including executives, with no carve-outs (a frequent finding when companies exempt the leadership team to avoid embarrassment). The cyber insurer phishing questions we cover elsewhere now include explicit language about executive coverage.
If you want to test how well your organization handles a hard-difficulty, contextually-realistic spear phishing simulation, start a free trial with up to 25 users and run a hard-template campaign against a small finance, IT or executive group. Or see pricing for a full rollout.
Operational lessons we've collected
A few observations from running spear-phishing-style simulations against customer environments over the years:
- The first hard-difficulty campaign always shocks people. Click rates double or triple compared to easy and regular templates. That's the signal, not the failure - the gap is exactly the training opportunity.
- Finance and procurement consistently outperform IT under spear pressure. Counterintuitive, but true: AP teams who deal with vendor banking changes daily often have better skepticism than IT staff who think they "won't fall for this." Train both groups; over-train the one that thinks it's immune.
- Custom templates matter more than the platform's stock library at the high end. A template that uses your real procurement-system name, your real ticketing tool or your real internal Slack channel naming will outperform the most polished generic template. Bait & Phish supports custom-template work as part of larger deployments - talk to us about scoping.
- Reporting rate is the leading indicator. A spear-phishing program that drives reporting rate upward is succeeding even before click rate moves. The behavior of "report when something feels off" is the durable defense; click reduction follows.
- Don't run the same campaign twice in a quarter. Spear simulations need novelty. A repeated template against the same population flatlines the learning value within weeks.