What Is Spear Phishing? Targeted Email Attacks

Spear phishing is a targeted phishing attack aimed at a specific individual or organization, using researched, personalized content to trick the target into giving up credentials, approving a payment, or running malware.

The email opened with the name of a vendor the finance lead had paid eleven times that year. It referenced the right purchase order number, used the contact's real signature block, and arrived two days after a genuine invoice from the same supplier. The only change was a single line: updated remittance bank details, effective immediately. There was no misspelling, no generic greeting, no obvious lure. The attacker had read the target's LinkedIn, found the vendor relationship in a press release, and timed the message to a real payment cycle. That is spear phishing: not a wide net, but one carefully aimed shot.

Generic phishing trades on volume. Spear phishing trades on research. The attacker studies one person or one team, then crafts a message so specific that the usual tells are gone. It is the entry point behind a large share of serious intrusions: the Verizon 2025 Data Breach Investigations Report found phishing was the initial-access vector in 16% of breaches, and that roughly 60% of all confirmed breaches involved a human action such as a click or a socially engineered request. This guide covers what spear phishing is, how it differs from phishing and whaling, the stages of a targeted attack, the signals that surface it, and the controls that actually stop it. It is written for the SOC analysts and DFIR responders who have to reconstruct how one tailored email became a breach.

What is spear phishing?

Spear phishing is a targeted phishing attack aimed at a specific individual or organization, using personalized, researched content to trick the target into handing over credentials, approving a payment, or running malware. The defining trait is precision. A generic phishing email is written once and sent to thousands. A spear-phishing email is written for one recipient, using facts about that recipient that make it believable.

The attack is social engineering first and technical second. The attacker's job is to manufacture trust: the sender looks like someone the target already deals with, the request fits a process the target already follows, and the timing matches something the target was already expecting. When all three line up, the target acts without the pause where verification would normally happen.

The payload varies. Some spear-phishing emails carry a credential-harvesting link to a fake login page that mirrors the real one. Some carry a weaponized attachment, a document or archive that drops malware when opened. Some carry no link or file at all and simply ask, in the voice of a trusted person, for a wire transfer or a password reset. What stays constant is the research behind the message and the single, specific target in front of it.

Spear phishing vs phishing vs whaling

These three terms describe the same family of email attacks at different levels of targeting. The difference is who the attacker aims at and how much research goes in.

Attack         | Target                       | Personalization                          | Goal
Phishing       | Large groups, untargeted     | Generic, mass-produced                   | High-volume credential or malware hits
Spear phishing | A specific person or team    | Researched, tailored to the target       | Credentials, payment, or malware from one entity
Whaling        | Senior executives (CEO, CFO) | Heavily researched, high-stakes pretext  | High-value data, large transfers, board-level access

Phishing is the broad-net version. The same message goes to thousands of addresses, betting that a small percentage will click. It prioritizes quantity over precision, which is why phishing emails often carry the generic greetings and odd phrasing that awareness training teaches people to spot.

Spear phishing narrows the net to one. The attacker researches the target, references real relationships and projects, and removes the tells that give mass phishing away. Quality replaces quantity. A single tailored message can be worth more than ten thousand generic ones because the recipient has specific reasons to trust it.

Whaling is spear phishing pointed at the top. The target is a senior executive, and the payoff is correspondingly large: authority over big transfers, access to board-level data, or the credibility to issue instructions other employees will not question. Whaling uses the same research-heavy method as spear phishing, with a higher-value target and a more elaborate pretext. Business email compromise frequently rides on whaling, impersonating a CEO or CFO to authorize a fraudulent wire.

How a spear-phishing attack works

[Figure: Spear phishing · how a targeted attack works. "One target. One researched email. One aimed shot." Four stages turn public data about one person into a breach: 01 Recon (Reconnaissance), 02 Pretext (Pretext and crafting), 03 Hook (Delivery and the hook), 04 Exploit (Exploitation). Defender callout, break stage 4: phishing-resistant MFA makes a stolen password useless, and out-of-band verification stops the wire; together they break the chain even when the email gets through.]

A spear-phishing attack runs in four stages. Knowing the sequence is what lets a defender intervene before the click, not after the breach.

1. Reconnaissance. The attacker profiles the target. Open-source intelligence does most of the work: LinkedIn for roles and reporting lines, the company website and press releases for vendor and project names, social media for travel and tone, breach-dump data for old passwords and email formats. The goal is to learn who the target trusts, what they are working on, and how the people around them write.

2. Pretext and crafting. The attacker builds the message. They pick an identity the target already trusts (a vendor, a colleague, an IT admin, an executive) and write in that person's voice. The pretext supplies a believable reason for the request and a reason it cannot wait: a late invoice, a locked account, a confidential deal. Lookalike domains and display-name spoofing make the sender read correctly at a glance. AI now writes flawless, on-brand copy, which removes the broken-grammar tell that used to expose these emails.

3. Delivery and the hook. The email lands, timed where possible to a real event so it fits the target's expectations. The hook is one of three: a link to a credential-harvesting page that mirrors a real login, a weaponized attachment that drops malware, or a direct request for action in the voice of a trusted person. Urgency and authority push the target past the verification step.

4. Exploitation. The target acts. Credentials entered on the fake page flow straight to the attacker, who uses them to log in, often defeating weak MFA. A wire goes out. An attachment executes and establishes a foothold. From there the attacker moves to their real objective: lateral movement, data theft, or a larger fraud. The initial email was only the door.

How to detect spear phishing

Spear phishing is engineered to look normal, so the strongest signals live in the envelope and the context, not the polish of the body. Awareness training teaches users some of these; SOC tooling catches the rest.

  • Lookalike and cousin domains. A sender domain that is one character off, swaps a TLD, or transposes letters (rn for m, .co for .com). Flag inbound mail from newly registered domains or ones visually similar to your own and your vendors'.
  • Display-name and Reply-To mismatch. The display name reads "CFO Jane Doe" while the actual address is unrelated, or the From looks right but the Reply-To points elsewhere so the answer reaches the attacker. Mail clients hide the real address behind the name by default.
  • Unexpected requests for credentials, payment, or data. Any email asking for a password, a banking-detail change, an urgent transfer, or sensitive records is the highest-risk pattern there is, even when the sender looks legitimate.
  • Mismatched and disguised URLs. The visible link text says one thing and the actual href points somewhere else. Hover-and-check, or detonate the URL in a sandbox, before anyone clicks.
  • Manufactured urgency and secrecy. "Do this now, do not tell anyone, I am in a meeting and cannot call." Urgency plus confidentiality is the lever that removes the verification step. Treat it as a flag, not a reason to hurry.
  • Unsolicited attachments. A document, archive, or macro-enabled file the recipient did not expect, especially paired with instructions to enable content.

For the SOC, the useful telemetry is mail-flow logs (SPF, DKIM, and DMARC results, sender domains, Reply-To), URL-detonation and attachment-sandbox verdicts, and authentication logs that show a credential entered on a phishing page being used to sign in. Spear phishing is found by correlating reported emails with those signals, not by one filter catching bad content.
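As an added example (not code from the original article), the following Python applies three of the envelope-level checks above to one raw message: a lookalike sender domain (folding rn to m and ignoring the TLD), a Reply-To that leaves the sender's domain, and link text that names a different host than the real href. The trusted-domain allowlist, every domain and the sample message are constructed placeholders.

```python
# Added example (not from the original article). Constructed sample data only;
# a real deployment would take the allowlist from the organisation's vendor list.
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "acme-vendor.example"}   # assumed allowlist
HOST = re.compile(r"https?://([^/\s<]+)", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def is_lookalike(domain: str) -> bool:
    """Not trusted, but equal to a trusted domain once rn -> m is folded and the TLD dropped."""
    fold = lambda d: d.lower().rsplit(".", 1)[0].replace("rn", "m")
    return domain not in TRUSTED_DOMAINS and any(fold(domain) == fold(t) for t in TRUSTED_DOMAINS)

def mismatched_links(html: str) -> list[tuple[str, str]]:
    """(visible host, real host) pairs where link text shows a URL on a different host than the href."""
    out = []
    for href, text in ANCHOR.findall(html):
        shown, real = HOST.search(text), HOST.search(href)
        if shown and real and shown.group(1).lower() != real.group(1).lower():
            out.append((shown.group(1).lower(), real.group(1).lower()))
    return out

def triage(raw: bytes) -> list[str]:
    """Return the spear-phishing signals found in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    if is_lookalike(from_domain):
        flags.append(f"lookalike sender domain: {from_domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        flags.append(f"reply-to goes elsewhere: {reply}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for shown, real in mismatched_links(html.get_content()):
            flags.append(f"link text shows {shown} but href points to {real}")
    return flags

# Constructed sample: "rn" for "m" plus .co for .com in the sender domain,
# a Reply-To outside the organisation, and link text naming the real portal.
SAMPLE = b"""From: Jane Doe <jane.doe@exarnple.co>
Reply-To: billing@mail-relay.invalid
To: finance@example.com
Subject: Updated remittance details
Content-Type: text/html; charset=utf-8

<p>Confirm at <a href="https://portal.mail-relay.invalid/login">https://portal.example.com/login</a> today.</p>
"""
```

Each flag is a signal to correlate with the mail-flow and authentication logs mentioned above, not a verdict on its own.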

How to defend against spear phishing

No single control stops spear phishing, because it attacks people and process, not just systems. The defense is layered: authenticate mail, harden accounts, train the targets, and verify high-risk requests out of band.

Authenticate inbound mail with SPF, DKIM, and DMARC. SPF lists who may send for a domain, DKIM signs outbound mail, and DMARC tells receivers what to do when those checks fail and reports who is sending as you. A DMARC policy set to quarantine or reject makes spoofing your exact domain far harder and surfaces lookalike-domain abuse. It stops domain spoofing; it does not stop a lookalike domain or a real compromised account, so it is necessary but not sufficient.
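As an added example, not part of the original article, the following Python models the receiver-side DMARC decision the paragraph describes: the message passes when SPF or DKIM passes with a domain aligned to the visible From, otherwise the published p= action applies. It shows a monitoring-only record beside an enforcing one; the organizational-domain helper is a two-label simplification of the public-suffix lookup real receivers use, and all domains are placeholders.

```python
# Added example (not from the original article). Domains are constructed
# placeholders; a real receiver fetches _dmarc.<domain> TXT from DNS.
from dataclasses import dataclass

def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dict (unknown tags kept)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def org_domain(domain: str) -> str:
    """Last two labels: a stand-in for the public-suffix lookup real receivers use."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResult:
    from_domain: str        # RFC5322.From domain the user sees
    spf_pass: bool
    spf_domain: str         # RFC5321.MailFrom domain SPF was checked against
    dkim_pass: bool
    dkim_domain: str        # d= of the signature that verified ("" if none)

def dmarc_disposition(record: str, r: AuthResult) -> str:
    """Return 'pass' or the action the record requests: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")

# Weak record: monitoring only, so a spoof of the exact domain is still delivered.
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
# Enforcing record: exact-domain spoofs are rejected, subdomains too (sp=).
STRICT = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

# Constructed spoof: From claims example.com, but SPF only vouches for the
# attacker's bounce domain and there is no valid DKIM signature.
SPOOF = AuthResult("example.com", True, "mail-relay.invalid", False, "")
# Constructed legitimate message relayed and signed by a marketing subdomain.
LEGIT = AuthResult("example.com", True, "news.example.com", True, "news.example.com")
```

Note that the enforcing record also rejects the legitimate message from news.example.com, because adkim=s and aspf=s demand an exact match with the From domain; move to strict alignment only once every legitimate sender signs with the exact domain, and rely on p=reject with relaxed alignment until then.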

Deploy phishing-resistant MFA. The most common spear-phishing payoff is stolen credentials, and credentials alone should not grant access. FIDO2 or passkeys, rather than SMS or push, block most credential-phishing because the attacker cannot replay a hardware-bound factor on the real login. This is the single control that most often turns a successful phish into a dead end.

Run security awareness training and realistic simulations. The targets (finance, HR, executives, IT admins) are the attack surface. Train them on the specific spear-phishing patterns (urgency, authority, banking-detail changes, lookalike senders) and run simulated spear-phishing tests against the roles attackers actually hit. Training that names the scenario beats generic "be careful online" advice.

Verify high-risk requests out of band. Any request to move money, change banking details, or reset access must be confirmed through a separate, known channel (a phone call to a number already on file, not one taken from the email). This is the procedural control that catches the requests authentication and filters miss. Make it mandatory, and make it apply to executives too.

Scan and detonate links and attachments. Run inbound URLs and attachments through sandbox detonation so a credential-harvesting page or a malware dropper is caught before the user reaches it. Pair it with reporting: give users a one-click way to report a suspicious email, and feed those reports to the SOC.

Frequently Asked Questions

What is spear phishing?

Spear phishing is a targeted phishing attack aimed at a specific individual or organization, using researched, personalized content to trick the target into giving up credentials, approving a payment, or running malware. Unlike mass phishing, it is written for one recipient using real facts about them, which makes it far harder to spot.

What is the difference between phishing and spear phishing?

Phishing casts a wide net with generic messages sent to thousands, betting a few will click. Spear phishing targets one specific person or team with a researched, tailored message that references real relationships and projects. Phishing prioritizes volume; spear phishing prioritizes precision and is much more likely to succeed against its target.

What is the difference between spear phishing and whaling?

Whaling is spear phishing aimed specifically at senior executives such as a CEO or CFO. Both use heavy research and personalized pretexts. Whaling targets high-value individuals for high-value outcomes (large transfers, board-level data, or the authority to issue instructions), while spear phishing can target any specific person or team.

How do attackers research spear-phishing targets?

Attackers use open-source intelligence: LinkedIn for roles and reporting lines, company websites and press releases for vendor and project names, social media for tone and travel, and breach-dump data for old passwords and email formats. The research lets them impersonate someone the target trusts and reference details that make the message believable.

How can you detect a spear-phishing email?

Watch the envelope and the context, not the polish of the body. Key signals are lookalike sender domains, a display name or Reply-To that does not match the real address, mismatched or disguised URLs, unexpected requests for credentials, payment, or data, manufactured urgency and secrecy, and unsolicited attachments. Correlate reported emails with mail-flow, sandbox, and authentication logs.

What is the best defense against spear phishing?

There is no single fix. Layer phishing-resistant MFA so stolen credentials are useless, DMARC to cut domain spoofing, security awareness training and simulations for the people attackers target, link and attachment sandboxing, and mandatory out-of-band verification for any request to move money or change access. MFA and out-of-band verification stop the most damaging outcomes.

The bottom line

Spear phishing is phishing that did its homework. The attacker researches one target, builds a message in the voice of someone that target trusts, times it to a real event, and asks for credentials, a payment, or a click, with no obvious tells to give it away. It is the initial-access vector behind a large share of serious breaches precisely because it bypasses the instincts and filters tuned for mass phishing.

The defense is layered and mostly about removing single points of failure. Authenticate mail with SPF, DKIM, and DMARC to kill domain spoofing. Deploy phishing-resistant MFA so a stolen password is not enough. Train the finance, HR, and executive roles attackers actually target, and require out-of-band verification before money or access moves. For the defender, the spear-phishing investigation lives in the same telemetry that prevents it: mail flow, URL and attachment verdicts, and the authentication logs that show a phished credential being used.
