
What Is Spear Phishing? A Targeted Attack Guide for Business

Spear phishing is a targeted form of phishing attack crafted specifically for the recipient, using personal information to appear legitimate. Unlike mass phishing campaigns, spear phishing targets a named individual using their role, relationships and current context. It is harder to spot, more likely to succeed and the entry point for the most damaging attacks on UK businesses.


Nathan Hill-Haimes

Technical Director

8 min read·Mar 2026

The Difference Between Phishing and Spear Phishing

Standard phishing sends the same message to thousands or millions of recipients, hoping that a small percentage will be fooled. The emails are generic — 'Your account has been suspended', 'You have a package waiting', 'Verify your password' — and obvious to anyone paying attention.

Spear phishing is fundamentally different. The attacker targets a specific individual and researches that person before crafting the email. The message references their actual name, their role, their colleagues, their current projects, their clients or recent public events relevant to their business. It appears to come from someone the recipient knows and trusts, regarding something they would plausibly be involved in.

The result is an email that looks convincingly legitimate — because it is built around real information about a real person.

How Attackers Research Their Targets

The reconnaissance phase of a spear phishing attack is increasingly systematic, and AI tools have made it faster. Attackers gather information from:

  • LinkedIn: Role, responsibilities, reported-to relationships, recent activity, connections
  • Company website: Team pages, recent news, client announcements, case studies
  • Social media: Twitter/X, Instagram, Facebook — personal and professional activity
  • Previous data breaches: Email address and password combinations from historical breaches confirm which addresses are live, reveal the target's password habits, and, where a password has been reused, give the attacker a way into the mailbox itself, with its real conversation history to quote from
  • Public company information: Companies House filings, press releases, procurement notices

A sophisticated attacker spending one hour on reconnaissance can build a detailed picture of a target's professional relationships, current projects and likely concerns — enough to craft a highly convincing email.

Common Spear Phishing Scenarios

Business Email Compromise (BEC)

The most financially damaging variant. The attacker impersonates a senior executive (CEO, Finance Director), either from a lookalike address or from the executive's own mailbox if it has already been compromised, and emails a finance team member with an urgent request to transfer funds to a new bank account. The email references real context — 'For the acquisition I mentioned in our call last week' — and uses pressure and urgency to discourage verification.

Over £4 million was stolen from UK law firms alone through BEC in a single reporting year, and financial businesses, professional services and large commercial organisations are equally targeted.

IT Help Desk Impersonation

The attacker impersonates the recipient's IT support team, referencing a specific software tool or system the target uses. The email asks the target to verify credentials, install a 'security update', or click a link to 'resolve an urgent account issue'.

Vendor and Invoice Fraud

The attacker impersonates a known supplier and sends a revised invoice with updated banking details. The email references recent real interactions with the vendor and uses plausible language. Without telephone verification of the change, payments are directed to the attacker's account.

Whaling

Whaling is spear phishing targeting senior executives specifically — 'whales' in criminal slang. These attacks are more resource-intensive but the potential payoff is higher: executives have authority over financial transactions, access to sensitive data and credibility for follow-on attacks against employees.

Why Spear Phishing Is Harder to Defend Against

Standard email filters excel at detecting generic phishing — known malicious domains, bulk sending patterns, generic content. Spear phishing attacks bypass many of these controls because:

  • They are sent in small volumes or individually, avoiding bulk-sending reputation triggers
  • They may come from legitimate infrastructure: a compromised mailbox at a genuine partner, which passes SPF, DKIM and DMARC for that partner's domain, or a lookalike domain the attacker registered and configured to authenticate correctly, so every authentication check passes for the wrong domain
  • The content appears relevant and contextual rather than generic and suspicious
  • They may not contain malicious links or attachments — many BEC attacks involve no technical payload at all, relying purely on social engineering and a reply or a bank transfer

This is why AI-based behavioural email filtering — which analyses writing style, sender-recipient relationship history, and contextual anomalies such as a first-time sender asking for a payment — catches more spear phishing than signature-based filtering alone. It complements rather than replaces authentication and process controls: a message that passes every technical check can still be fraudulent, so the verification steps below remain the final line of defence.

Defences Against Spear Phishing

Technical Controls

  • AI-based impersonation detection: Microsoft Defender for Office 365 and third-party email security platforms analyse email metadata, writing patterns and sender-recipient relationships to flag impersonation attempts even when technical indicators are absent
  • DMARC with reject policy: Tells receiving mail servers to reject messages that claim to be from your domain but fail SPF or DKIM alignment — so your staff cannot receive BEC emails purportedly from your own executives using your own exact domain. It only covers your own domain: lookalike domains and compromised partner mailboxes authenticate correctly for themselves and pass. Most organisations start at a monitoring-only policy (p=none) while they fix legitimate senders, then move to p=quarantine and p=reject; until the policy is enforced, spoofed mail is still delivered
  • External sender tagging and display name matching: Configure your email platform to tag all mail from outside the organisation, and to add a stronger warning when an external message's display name matches an internal user, particularly an executive. The display name is free text chosen by the sender; SPF, DKIM and DMARC never check it
  • MFA: Prevents a password alone (harvested by earlier credential phishing or taken from a breach) from being used to log into a mailbox and send spear phishing from a genuine account. Phishing-resistant methods (FIDO2 security keys or passkeys) are needed against adversary-in-the-middle phishing kits, which relay one-time codes and push approvals in real time
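As an added example (this is not AMVIA's code, nor Microsoft Defender's), the following Python script shows the header-level checks that the filtering described in the two sections above applies to a single inbound message: an executive's name used as the display name on external mail, a sender domain that imitates the organisation's own, a Reply-To that diverts the conversation elsewhere, and the DMARC verdict the receiving server recorded. The organisation domain acmelaw.co.uk, the executives, the supplier and all three sample messages are constructed for the example. Note that the lookalike-domain message passes SPF, DKIM and DMARC, because the attacker controls that domain; only the display-name, lookalike and Reply-To checks catch it.

```python
"""Rule-based impersonation triage for inbound mail (added example, not vendor code).

Encodes the signals discussed in the article: an executive's name as the display
name on external mail, lookalike sender domains, a Reply-To that diverts replies,
and the DMARC verdict the receiving server recorded. All names, domains and
headers below are constructed for the example.
"""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "acmelaw.co.uk"                      # assumed protected domain
PROTECTED = {"jane smith", "alan jones"}          # assumed CEO and Finance Director
# Substitutions attackers use to build lookalike domains (homoglyphs, digit swaps).
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def norm_name(name):
    """Case-fold and collapse whitespace so 'JANE  Smith' matches 'jane smith'."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def norm_domain(domain):
    """Decode punycode, fold diacritics and common substitutions ('acme1aw' -> 'acmelaw')."""
    if "xn--" in domain:
        try:
            domain = domain.encode("ascii").decode("idna")   # internationalised lookalikes
        except UnicodeError:
            pass
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if unicodedata.category(c) != "Mn")   # strip accents
    for src, dst in SUBSTITUTIONS:
        d = d.replace(src, dst)
    return d


def levenshtein(a, b):
    """Edit distance; a single insertion, deletion or substitution is a classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain):
    return domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN)


def is_lookalike(domain):
    """True for domains that imitate OUR_DOMAIN; exact-domain spoofing is DMARC's job."""
    if is_internal(domain):
        return False
    a, b = norm_domain(domain), norm_domain(OUR_DOMAIN)
    brand = b.split(".")[0]                        # 'acmelaw'
    return a == b or levenshtein(a, b) <= 1 or brand in re.split(r"[.-]", a)


def triage(raw_message):
    """Return the list of impersonation indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reasons = []
    if norm_name(name) in PROTECTED and not is_internal(from_domain):
        reasons.append(f"display name '{name}' is a protected executive but sender is external ({from_domain})")
    if is_lookalike(from_domain):
        reasons.append(f"sender domain {from_domain} imitates {OUR_DOMAIN}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To diverts replies to {reply_domain}")
    verdict = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    if verdict and verdict.group(1) != "pass":
        reasons.append(f"receiving server recorded dmarc={verdict.group(1)} for {from_domain}")
    return reasons


# Constructed sample messages. The lookalike domain authenticates cleanly for itself.
BEC_LOOKALIKE = """From: "Jane Smith" <jane.smith@acme1aw.co.uk>
Reply-To: <jane.smith.ceo@quick-reply.example>
To: accounts@acmelaw.co.uk
Subject: Urgent transfer for the acquisition
Authentication-Results: mx.acmelaw.co.uk; spf=pass smtp.mailfrom=acme1aw.co.uk; dkim=pass header.d=acme1aw.co.uk; dmarc=pass header.from=acme1aw.co.uk

Can you action this before 3pm? In meetings all afternoon.
"""
# Exact-domain spoof delivered because the DMARC policy is still p=none (monitor only).
EXACT_SPOOF = """From: "Alan Jones" <alan.jones@acmelaw.co.uk>
To: accounts@acmelaw.co.uk
Subject: New supplier bank details
Authentication-Results: mx.acmelaw.co.uk; spf=fail smtp.mailfrom=acmelaw.co.uk; dkim=none; dmarc=fail (p=none dis=none) header.from=acmelaw.co.uk

Please update the account on file, details attached.
"""
LEGITIMATE = """From: "Sarah Patel" <s.patel@bristol-stationery.example>
To: accounts@acmelaw.co.uk
Subject: Invoice 4471
Authentication-Results: mx.acmelaw.co.uk; spf=pass smtp.mailfrom=bristol-stationery.example; dkim=pass header.d=bristol-stationery.example; dmarc=pass header.from=bristol-stationery.example

Invoice for March attached, same bank details as usual.
"""

if __name__ == "__main__":
    for label, sample in (("BEC_LOOKALIKE", BEC_LOOKALIKE), ("EXACT_SPOOF", EXACT_SPOOF), ("LEGITIMATE", LEGITIMATE)):
        print(label, triage(sample) or ["no indicators"])
```

Run directly, the script prints the indicators found in each sample: three for the lookalike BEC message (executive display name on external mail, imitation domain, diverted Reply-To, with DMARC passing), one for the exact-domain spoof (the DMARC failure, which a p=reject policy would have turned into a rejection at the receiving server), and none for the genuine supplier invoice. In production these checks sit inside the commercial filters listed above rather than replacing them; the point of the example is to show which signals survive when SPF, DKIM and DMARC all pass.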

Process Controls

  • Payment verification procedure: Any request to change bank account details for a supplier or to make an urgent transfer must be verbally verified by telephone to a known number — never by replying to the email requesting the change
  • Callback culture: Establish an organisational norm that verifying unexpected requests by phone is expected and not interpreted as distrust — it is a professional control, not an insult
  • Training on spear phishing specifically: Generic phishing training does not prepare staff for the personalised nature of spear phishing. Training scenarios should include examples of targeted attacks using realistic personal information

Could Your Team Spot a Spear Phishing Email?

AMVIA's spear phishing simulation uses personalised, realistic scenarios to test your team's awareness — providing the data you need to target training where it matters most.

Frequently Asked Questions