There are many forms of phishing and spear phishing is one of them. But what is it exactly? And how does it work? These are questions we will answer in this article. We will also explain the difference between phishing and spear phishing. Read our article if you are not familiar with this phenomenon and would like to know how you can protect your organisation against it.

What is spear phishing?

Spear phishing is a type of cyber attack that specifically targets individuals or organisations through personalised and deceptive tactics. Unlike traditional phishing attacks that cast a wide net, spear phishing is more focused and tailored to specific individuals. The aim is to trick them into divulging sensitive information or performing harmful actions.

The difference with phishing

In comparison to traditional phishing, spear phishing is like a highly targeted spear thrown by an attacker, aiming at a specific target rather than a wide group of people. The attackers gather detailed information about their targets, such as their job roles, interests, or even personal relationships, to make their messages appear genuine and trustworthy.

It’s important to understand that spear phishing attacks are not random acts. In fact they are carefully crafted campaigns that exploit human vulnerabilities and trust.

Stages of an attack

Spear phishing attacks involve several stages and components that work together to deceive and exploit individuals. Let’s take a closer look at how these attacks unfold:


Before launching this type of attack, the attacker conducts thorough research on their targets. They gather information from various sources. You can think of social media profiles, company websites, or leaked databases, to understand the target’s role, interests, and connections. This reconnaissance helps the attacker craft personalised and convincing messages.

Spoofing and impersonation

In spear phishing, attackers often employ spoofing techniques to make their messages appear legitimate. They may forge the sender’s name or use a domain name that closely resembles a trusted organisation. By impersonating someone the target knows or trusts, such as a colleague, a superior, or a familiar service provider, the attacker gains credibility and increases the chances of success.

The attackers not only mimic the identity of a legitimate organisation through email. They may also use other types. You could think of telephone calls (also known as vishing for voice-phishing) for example. But even text messages (often referred to as smishing for SMS-phishing) are being used as an attack method.

Personalised deception

Spear phishing attacks are highly tailored to the individual target. Attackers use social engineering techniques to manipulate emotions and create a sense of urgency or fear. They may reference specific events, projects, or personal details to make the email or message seem genuine. By exploiting trust, the attacker tricks the target into taking actions that benefit the attacker’s objectives, such as clicking on malicious links, downloading infected attachments, or revealing sensitive information.

Why does it occur?

The intention is the same for almost all forms of phishing: money. Either by selling sensitive information, denying access to documents/systems (ransomware), or by directly transferring money to a fraudulent account.

How to protect against spear phishing?

Criminals use social media and other publicly available information to identify a specific target within an organisation and create a fraudulent email addressed to that individual. It is therefore advisable that employees share as little information as possible on the internet and social media.

Due to the accuracy with which these attacks are carried out, they are usually not stopped by standard security measures. As a result, detecting them is becoming increasingly complex. Employees should therefore also be aware of the possible forms of this type of phishing and how to recognise them. A cybersecurity awareness training is the most suitable means for this.


What are some warning signs of a spear phishing email?

Watch out for suspicious email addresses, grammatical errors, urgent requests for personal information or money, unexpected attachments or links, and requests for sensitive data via email. Be cautious if the email appears to be from a known contact but the content or tone is unusual.

How can attackers gather personal information for spear phishing attacks?

Attackers gather personal information through various means, including social media profiles, public databases, leaked data from previous breaches, and even through direct interactions or reconnaissance activities targeting individuals or organisations.

What are the potential consequences of falling victim to a spear phishing attack?

Falling victim to a spear phishing attack can result in unauthorised access to personal or sensitive information, financial loss, identity theft, damage to reputation, malware infections, and potential disruptions to business operations.