eastbaycyber

Spear Phishing: Definition, How It Works, and How to Spot It

Glossary 8 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

Spear phishing is a targeted form of phishing where an attacker tailors a message to a specific individual, team, or organization to trick them into revealing credentials, sending money, approving access, or sharing sensitive data. Unlike generic phishing blasts, spear phishing uses personal or business context to appear legitimate.

Spear phishing is a targeted phishing attack that uses personal or business-specific context to trick a particular person (or role/team) into taking a risky action—like entering credentials, approving MFA, sending money, or sharing sensitive data. Unlike mass phishing blasts, spear phishing is tailored to your org, your workflow, and your relationships (coworkers, executives, vendors).

How spear phishing works

Spear phishing typically follows a repeatable playbook: collect context, impersonate someone trusted, create urgency, and drive the victim to a risky action.

1) Recon: attackers gather credible details

Attackers often build a profile of the target and their workflow. Common sources include:

  • Public info: LinkedIn job roles, org charts, press releases, conference bios
  • Company websites: staff directories, vendor pages, invoices/contact emails
  • Data breaches: previously leaked passwords, emails, phone numbers
  • Prior compromises: hijacked email threads or shared documents
  • Social media: travel, family details, projects (“launch week,” “quarter close”)

The goal is to make the message “fit” your environment—right tone, right timing, right names.

2) Delivery: email, chat, SMS, or collaboration tools

Email is still the most common channel, but spear phishing is frequently delivered via:

  • Microsoft Teams, Slack, Google Chat
  • SMS (“smishing”) and voice calls (“vishing”)
  • Shared doc invites (Google Drive/OneDrive)
  • Calendar invites or meeting “updates”

Attackers choose channels where users are trained to respond quickly and where security controls may be weaker than email gateways.

3) Deception: impersonation and lookalike infrastructure

Spear phishing succeeds when the sender looks trusted. Common techniques:

  • Display-name spoofing (e.g., “CFO Name” random@gmail.com)
  • Lookalike domains (typosquatting): examp1e.com, exampIe.com (capital I), or added words like example-payments.com
  • Compromised real accounts (harder to spot): vendor or coworker mailbox takeover
  • Reply-chain hijacking: attacker replies inside a real existing email thread
  • Fake login pages: “Microsoft 365 session expired” or “Doc shared with you”
  • QR codes in emails to bypass link scanning (“quishing”)

4) The ask: what the attacker wants

Spear phishing is almost always tied to a high-value action:

  • Credential theft: sign in to a fake SSO/M365/Google login
  • MFA fatigue: “Approve this sign-in—IT needs it now” with repeated push prompts
  • Payment fraud: change bank details, “new wire instructions,” “urgent invoice”
  • Gift cards: classic executive impersonation scam
  • Data theft: payroll files, W-2s, customer lists, HR documents
  • Malware delivery: “invoice” attachments, booby-trapped docs, HTML smuggling, or links to payloads

The most dangerous spear phishing isn’t flashy—it looks like normal work.

5) Follow-through: persistence and lateral movement

If the attacker gets access, they may:

  • Set inbox rules to hide replies (“move all messages with ‘invoice’ to Archive”)
  • Add OAuth app permissions (token-based persistence)
  • Create forwarding to external addresses
  • Pivot into finance systems, VPN, HR portals, or shared drives
  • Use stolen context to spear phish others internally (“internal phishing”)

How to spot spear phishing (practical signals)

Red flags in the message and request

Look for combinations of these signals (any one alone can be legitimate, but patterns matter):

  • A new sender domain for an existing vendor or coworker
  • Slight domain variations (vendor-support.com vs vendor.com)
  • Reply-To differs from From
  • Unusual time-of-day aligned to urgency (late Friday, end of quarter)
  • Pressure language: “confidential,” “I’m in a meeting,” “don’t call,” “need this now”
  • Requests to bypass process: “use my personal email,” “send to this new account”
  • A “normal” request paired with a risky step (e.g., “review doc” → prompts login)

If your team regularly deals with security investigations, teaching staff to recognize an indicator of compromise (IOC) can help bridge end-user reporting and SOC triage. See: what is an ioc

Technical notes: common indicators in real environments

Look for these email traits (not definitive alone, but suspicious in combination): - New sender domain for an existing vendor
- Slight domain variations (vendor-support.com vs vendor.com)
- Reply-To differs from From
- Unusual time-of-day aligned to urgency (late Friday, end of quarter)
- Pressure language: “confidential,” “I’m in a meeting,” “don’t call,” “need this now”
- Requests to bypass process: “use my personal email,” “send to this new account”

Mail log / header checks (practitioner quick triage):

Authentication-Results:
  spf=fail (sender IP not authorized)
  dkim=none
  dmarc=fail (p=reject/quarantine) header.from=lookalike-domain.tld
From: "CEO Name" <random-mailbox@unrelated.tld>
Reply-To: "CEO Name" <ceo.name@lookalike-domain.tld>

Hunt for suspicious mailbox rules (Microsoft 365 example):

# Requires Exchange Online PowerShell
Get-InboxRule -Mailbox user@company.com |
  Select Name,Enabled,Priority,From,SubjectContainsWords,BodyContainsWords,RedirectTo,ForwardTo,DeleteMessage

# Check for external forwarding addresses
Get-Mailbox user@company.com | Select DeliverToMailboxAndForward,ForwardingSmtpAddress

Common phrasing patterns worth alerting users about:

"Are you available?"
"Quick favor"
"Send me the payroll report"
"Update our bank details"
"I can’t talk right now—just do it"
"Share the OneDrive link"
"Approve the sign-in request"

When you’ll encounter spear phishing

Spear phishing often appears at moments when teams are rushed, processes change, or money/data is moving.

High-risk business scenarios

  • Quarter-end / year-end close: finance staff get “urgent” invoice and wire requests
  • Payroll cycles: HR receives “update direct deposit” or “send W-2 list”
  • New vendor onboarding: attackers impersonate vendors with plausible invoices
  • Mergers, acquisitions, restructures: attacker uses public announcements to craft believable pretexts
  • Executive travel: “I’m boarding—can you handle this?” scams spike
  • Helpdesk/IT projects: “SSO migration,” “mailbox upgrade,” “password reset” lures

Roles most commonly targeted

  • Finance/AP/AR, treasury, controllers
  • Executives and executive assistants
  • HR and payroll
  • IT admins and helpdesk (password resets, MFA enrollment, OAuth consent)
  • Sales and customer success (invoice/payment reroutes)
  • Anyone with access to shared mailboxes, approvals, or vendor banking details

Environmental cues (what to watch for in your org)

You’re more likely to see spear phishing if:

  • Your leadership team is highly visible online
  • Vendor payments are frequent and high-value
  • MFA uses push approvals without number matching (more fatigueable)
  • External email banners are ignored or overly noisy
  • There’s no required out-of-band verification for bank detail changes

What to do if you receive a spear phishing attempt

For employees (fast response checklist)

  1. Don’t click links or open unexpected attachments.
  2. Verify out-of-band (call a known number from your directory; start a new chat thread; don’t reply to the suspicious message).
  3. Report using your org’s “report phishing” method or forward to security.
  4. If you entered credentials, change your password immediately and notify IT/security.
  5. If you approved an MFA prompt, report it as a potential account compromise.

A practical way to reduce damage from credential theft is to use strong, unique passwords and shared vault controls for teams. If you’re evaluating options, see our guide: password manager for small business 2026 (affiliate-friendly options often include 1Password; you can review it here: Try 1Password →).

For admins (short containment & scoping checklist)

If a spear-phish is reported: 1. Contain: block sender domain/address; quarantine similar messages.
2. Scope: search org-wide for the same subject, sender, or URL.
3. Verify: confirm whether any user clicked, entered creds, or approved MFA.
4. Remediate: reset credentials, revoke sessions/tokens, review inbox rules/forwarding.
5. Harden: enforce DMARC, tighten external forwarding, require verification for payment changes.

If you want a parallel “response-as-a-service” model, it’s worth understanding what MDR typically covers (triage, containment guidance, and escalation). See: what is mdr

Prevention: reduce spear phishing success rates

Strengthen identity and access basics

  • Require phishing-resistant MFA where possible (passkeys/FIDO2)
  • Disable legacy authentication (if still present)
  • Use conditional access (geo/device/risk-based policies)
  • Monitor and restrict OAuth app consent (limit token-based persistence)

Improve email and endpoint defenses (without relying on them alone)

  • Enforce SPF/DKIM/DMARC and monitor DMARC reports
  • Use attachment sandboxing and safe-link rewriting (where available)
  • Make “external sender” indicators consistent and meaningful (not banner fatigue)

Because spear phishing often leads to malware staging or credential theft that turns into endpoint activity, ensure you’re running a solid business endpoint stack. If you’re comparing tools, use: best antivirus for windows business endpoints 2026 (some teams pair endpoint protection with Malwarebytes for additional remediation workflows; see: Get Malwarebytes →).

Train for the moments that matter

Focus training on realistic workflows attackers exploit:

  • Vendor invoice changes and bank detail updates
  • “CEO needs this now” gift card or payment requests
  • HR/payroll file requests
  • “IT needs you to re-authenticate” login prompts
  • Unexpected MFA approvals

Good training reinforces one habit: verify using a separate channel when money, credentials, or sensitive data is involved.

Related terms

Phishing

Broad, often mass-distributed fraudulent messages designed to trick recipients.

Whaling

Spear phishing aimed specifically at high-profile targets (executives, board members).

Clone phishing

A legitimate email is copied and resent with a malicious link/attachment substituted.

Smishing

Phishing via SMS/text messaging.

Vishing

Phishing via phone calls or voice messages.

Quishing

QR-code-based phishing used to bypass link scanning and push users to malicious sites.

Credential harvesting

Fake login pages or OAuth consent prompts to capture usernames/passwords or tokens.

MFA fatigue / push bombing

Repeated MFA prompts sent to pressure users into approving one.

Typosquatting / lookalike domains

Domains crafted to resemble legitimate ones for impersonation.

Reply-chain hijacking (thread hijacking)

Attacker inserts messages into an existing email conversation to increase trust.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.