Spear phishing is the targeted form of phishing, aimed at a specific person or team through an email personalised from prior information about the victim. Unlike mass phishing, which throws the same bait at thousands of recipients and relies on statistics, spear phishing invests time in researching a high-value target to craft a believable message. That personalisation drives the success rate up, and it's the reason nearly every serious breach with a human component starts with a targeted email rather than a generic one. This guide explains what it is, how it differs from ordinary phishing and from BEC, how the attack is built step by step, which real cases illustrate it and what layered defence neutralises it.
Spear phishing is a technique under the umbrella of social engineering, the discipline that exploits human trust instead of a software vulnerability. Here we focus on the targeted email variant, the most profitable one for the attacker.
What spear phishing is
Spear phishing (literally "fishing with a spear") is a personalised email attack against a target chosen in advance. The attacker doesn't go after just anyone: they pick someone with access to what they want (admin credentials, the ability to authorise payments, strategic information) and adapt the message to their real context. In the MITRE ATT&CK framework, spear phishing is catalogued as technique T1566, with three sub-techniques by vehicle: malicious attachment (T1566.001), weaponised link (T1566.002) and impersonation through a third-party service such as LinkedIn or a form (T1566.003).
The operational difference from mass phishing is the effort-to-target ratio. Mass phishing is cheap, noisy and low-conversion. Spear phishing is handcrafted, quiet and high-conversion, because the message carries data only an informed insider would know.
Spear phishing versus mass phishing, whaling and BEC
These four labels overlap, and it helps to separate them:
- Mass phishing: the same email at scale, no personalisation, betting that a small percentage falls. Email filters and basic awareness stop it well.
- Spear phishing: a personalised email to a person or small group, with real data about the target. Hard to detect because it looks like legitimate communication.
- Whaling: spear phishing whose target is a senior officer (CEO, CFO, board). The technique doesn't change, the rank of the "whale" and the amount at stake do.
- BEC (Business Email Compromise): fraud in which the attacker impersonates or compromises a trusted corporate account to authorise transfers or bank-detail changes. Spear phishing is usually the entry vector for BEC, but BEC goes further: it can skip malware entirely and rely solely on deceiving an email thread.
In practice a single incident combines several labels: a spear phishing email against the CFO (whaling) that kicks off a wire-transfer fraud (BEC). For the full landscape of variants, see the types of phishing guide.
Anatomy of a spear phishing attack
A well-executed targeted attack runs through four phases. Understanding them lets you cut the chain at every link.
1. Reconnaissance with OSINT
The attacker gathers public information about the target through OSINT: LinkedIn profile (role, projects, hierarchy), org chart, press releases, GitHub repositories, conference talks, and emails leaked in prior breaches (searchable in services like HaveIBeenPwned). With tools such as theHarvester or Hunter.io they infer the corporate email format (first.last@company.com) and with Maltego they map relationships between people and domains. The result is a dossier: who the victim reports to, which suppliers they use, what project they have in hand and what tone they use internally.
2. Pretext and vector selection
With the dossier, the attacker designs a plausible pretext leaning on the classic psychological levers (authority, urgency, reciprocity): an email from the "CEO" asking for discretion, an "invoice" from a real supplier with a changed IBAN, an "HR document" that needs reviewing before Friday. They pick the vector: attachment, link to a credential page or a message through a legitimate service.
3. Weaponised email or link
The attacker registers a lookalike domain (typosquatting such as secra-es.com or homograph domains using Unicode characters that mimic Latin letters) and spoofs the sender's display name. The attachment may be a macro-enabled document, an ISO or LNK that evades filters, or an HTML with file smuggling (HTML smuggling). The link usually points to an adversary-in-the-middle reverse proxy (kits like Evilginx or EvilProxy) that mirrors the real login page, captures username, password and the already-authenticated session cookie, thereby bypassing code-based MFA.
4. Credential theft or payload delivery
If the victim enters credentials, the attacker gains access to the account or directly to the valid session. If they open the attachment, a loader runs and deploys the real payload: a keylogger to capture everything typed, a remote-access trojan or the first link of a ransomware chain. From here the attacker pivots, escalates privileges and persists.
Real spear phishing examples
Three public incidents show the impact and the variety of targets.
Twitter (July 2020). A group of attackers ran a phone spear phishing operation against Twitter employees, posed as the internal IT team and obtained credentials for administration tools. With that access they hijacked high-profile verified accounts (Obama, Biden, Musk, Apple) for a bitcoin scam. The reputational damage far exceeded the sum defrauded.
Google and Facebook (2013 to 2015). Lithuanian national Evaldas Rimasauskas impersonated Quanta Computer, a hardware manufacturer both companies genuinely used, and for two years sent fake invoices with seemingly legitimate paperwork. Google and Facebook paid over 100 million dollars in total before detecting the fraud. It's the canonical example of BEC started with a targeted email, with no malware needed.
Ubiquiti Networks (2015). By impersonating executives and external entities, attackers tricked the finance department into wiring around 46.7 million dollars to overseas accounts. The case illustrates why finance is a high-risk role and why out-of-band verification of payments is not optional.
How to identify a targeted email
Spear phishing is hard to detect precisely because it looks legitimate. These red flags, in combination, should halt the action:
- Sender domain with a minimal variation: one letter changed, a hyphen added, a recently registered domain or a long subdomain that misleads.
- Correct display name but a different real address: always look at the full address, not the name.
- Unusual request with urgency and confidentiality: "don't mention this to anyone", "it has to go out today". Urgency neutralises critical judgement.
- A change of bank details or IBAN versus the usual one in an invoice or payment communication.
- Context that is too precise: if the email knows your project, your boss and your internal vocabulary, don't take that as proof it's legitimate; that is exactly the signature of spear phishing.
- A link whose real destination doesn't match the text: hover over it before clicking.
When in doubt, the rule is one: verify through a different channel (a call, an internal message) before acting, never by replying to the email itself.
Layered defence against spear phishing
No single control stops spear phishing. Effective defence combines people, mail protocol, authentication and endpoint detection.
Role-based training for executives and finance
Generic awareness isn't enough against targeted attacks. Exposed roles (leadership, finance, HR, systems administration) need specific training on the pretexts that affect them and, above all, a mandatory out-of-band verification procedure for any bank-detail change or unusual transfer. Targeted phishing simulations of increasing difficulty train that reflex better than any poster. The practical detail is in how to avoid phishing.
DMARC, DKIM and SPF at the domain level
These three protocols prevent an attacker from sending emails impersonating your domain. SPF declares the authorised servers, DKIM cryptographically signs outgoing mail and DMARC defines what to do when a message fails the checks. The goal is DMARC in p=reject with correct SPF and DKIM for every service that sends on your behalf. Without this, directly impersonating your domain is trivial.
Phishing-resistant MFA (FIDO2/WebAuthn)
Since adversary-in-the-middle kits capture session cookies and bypass code-based or push MFA, the only MFA that solidly resists is phishing-resistant MFA based on FIDO2/WebAuthn: passkeys and physical security keys. These bind authentication to the real domain through public-key cryptography, so the credential doesn't work on the attacker's fake page. It's the recommendation of NIST (SP 800-63B, AAL3 level) and CISA for privileged accounts, finance and cloud administration.
EDR and endpoint detection
If the email arrives and the victim opens the attachment, EDR is the last technical chance: it blocks the execution of macros and loaders by behaviour, isolates the machine and notifies the SOC. Combined with an email gateway that sandboxes attachments and rewrites URLs, it closes the gap between the click and the compromise. Against voice variants that sometimes accompany the email, it's also worth reviewing what vishing is.
Frequently asked questions
How does spear phishing differ from normal phishing?
Normal (mass) phishing sends the same generic email to thousands of recipients without personalisation and relies on a small percentage falling. Spear phishing selects a specific person or team, researches their context with OSINT and builds a tailored message with real data (the boss's name, the ongoing project, the usual supplier). That personalisation makes it far more believable and harder to detect, which is why its success rate is much higher than that of mass phishing.
What is spear phishing?
It's a targeted email attack in which the attacker impersonates a trusted entity to deceive a specific target into revealing credentials, executing a malicious file or authorising a fraudulent operation. Its defining trait is the personalisation done in advance from public or leaked information about the victim.
What are real spear phishing examples?
The three most cited cases are the 2020 Twitter hack (phone spear phishing against employees to seize internal tools), the fraud against Google and Facebook between 2013 and 2015 (over 100 million dollars through fake invoices impersonating a real supplier) and the 2015 Ubiquiti case (around 46.7 million wired after impersonating executives). All three started with a targeted, believable message, not with sophisticated malware.
How does a company protect itself from spear phishing?
With layered defence: role-specific training for executives and finance, out-of-band verification procedures for payments and IBAN changes, DMARC in p=reject with DKIM and SPF, phishing-resistant MFA with FIDO2/WebAuthn on critical accounts, an email gateway with sandboxing and EDR on the endpoints. No measure is enough on its own; their value lies in reinforcing each other.
Related resources
- Types of phishing: full classification
- What is social engineering
- How to avoid phishing
- What is a keylogger
- What is vishing
- Phishing simulations
Spear phishing wins because it looks legitimate, so defence can't rest on the user's eye alone. At Secra we combine awareness and simulations targeted at high-risk roles with a review of the technical layers (DMARC, FIDO2 MFA, email filter, EDR) that shut the door on targeted email. Tell us how your defence stands today and we'll see where to reinforce it.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

