Spear Phishing: Definition, How It Works, and How to Spot It
Spear phishing is a targeted form of phishing where an attacker tailors a message to a specific individual, team, or organization to trick them into revealing credentials, sending money, approving access, or sharing sensitive data. Unlike generic phishing blasts, spear phishing uses personal or business context to appear legitimate.
Spear phishing is a targeted phishing attack that uses personal or business-specific context to trick a particular person (or role/team) into taking a risky action—like entering credentials, approving MFA, sending money, or sharing sensitive data. Unlike mass phishing blasts, spear phishing is tailored to your org, your workflow, and your relationships (coworkers, executives, vendors).
How spear phishing works
Spear phishing typically follows a repeatable playbook: collect context, impersonate someone trusted, create urgency, and drive the victim to a risky action.
1) Recon: attackers gather credible details
Attackers often build a profile of the target and their workflow. Common sources include:
- Public info: LinkedIn job roles, org charts, press releases, conference bios
- Company websites: staff directories, vendor pages, invoices/contact emails
- Data breaches: previously leaked passwords, emails, phone numbers
- Prior compromises: hijacked email threads or shared documents
- Social media: travel, family details, projects (“launch week,” “quarter close”)
The goal is to make the message “fit” your environment—right tone, right timing, right names.
2) Delivery: email, chat, SMS, or collaboration tools
Email is still the most common channel, but spear phishing is frequently delivered via:
- Microsoft Teams, Slack, Google Chat
- SMS (“smishing”) and voice calls (“vishing”)
- Shared doc invites (Google Drive/OneDrive)
- Calendar invites or meeting “updates”
Attackers choose channels where users are trained to respond quickly and where security controls may be weaker than email gateways.
3) Deception: impersonation and lookalike infrastructure
Spear phishing succeeds when the sender looks trusted. Common techniques:
- Display-name spoofing (e.g., “CFO Name” random@gmail.com)
- Lookalike domains (typosquatting):
examp1e.com,exampIe.com(capital I), or added words likeexample-payments.com - Compromised real accounts (harder to spot): vendor or coworker mailbox takeover
- Reply-chain hijacking: attacker replies inside a real existing email thread
- Fake login pages: “Microsoft 365 session expired” or “Doc shared with you”
- QR codes in emails to bypass link scanning (“quishing”)
4) The ask: what the attacker wants
Spear phishing is almost always tied to a high-value action:
- Credential theft: sign in to a fake SSO/M365/Google login
- MFA fatigue: “Approve this sign-in—IT needs it now” with repeated push prompts
- Payment fraud: change bank details, “new wire instructions,” “urgent invoice”
- Gift cards: classic executive impersonation scam
- Data theft: payroll files, W-2s, customer lists, HR documents
- Malware delivery: “invoice” attachments, booby-trapped docs, HTML smuggling, or links to payloads
The most dangerous spear phishing isn’t flashy—it looks like normal work.
5) Follow-through: persistence and lateral movement
If the attacker gets access, they may:
- Set inbox rules to hide replies (“move all messages with ‘invoice’ to Archive”)
- Add OAuth app permissions (token-based persistence)
- Create forwarding to external addresses
- Pivot into finance systems, VPN, HR portals, or shared drives
- Use stolen context to spear phish others internally (“internal phishing”)
How to spot spear phishing (practical signals)
Red flags in the message and request
Look for combinations of these signals (any one alone can be legitimate, but patterns matter):
- A new sender domain for an existing vendor or coworker
- Slight domain variations (
vendor-support.comvsvendor.com) - Reply-To differs from From
- Unusual time-of-day aligned to urgency (late Friday, end of quarter)
- Pressure language: “confidential,” “I’m in a meeting,” “don’t call,” “need this now”
- Requests to bypass process: “use my personal email,” “send to this new account”
- A “normal” request paired with a risky step (e.g., “review doc” → prompts login)
If your team regularly deals with security investigations, teaching staff to recognize an indicator of compromise (IOC) can help bridge end-user reporting and SOC triage. See: what is an ioc
Technical notes: common indicators in real environments
Look for these email traits (not definitive alone, but suspicious in combination):
- New sender domain for an existing vendor
- Slight domain variations (vendor-support.com vs vendor.com)
- Reply-To differs from From
- Unusual time-of-day aligned to urgency (late Friday, end of quarter)
- Pressure language: “confidential,” “I’m in a meeting,” “don’t call,” “need this now”
- Requests to bypass process: “use my personal email,” “send to this new account”
Mail log / header checks (practitioner quick triage):
Authentication-Results:
spf=fail (sender IP not authorized)
dkim=none
dmarc=fail (p=reject/quarantine) header.from=lookalike-domain.tld
From: "CEO Name" <random-mailbox@unrelated.tld>
Reply-To: "CEO Name" <ceo.name@lookalike-domain.tld>
Hunt for suspicious mailbox rules (Microsoft 365 example):
# Requires Exchange Online PowerShell
Get-InboxRule -Mailbox user@company.com |
Select Name,Enabled,Priority,From,SubjectContainsWords,BodyContainsWords,RedirectTo,ForwardTo,DeleteMessage
# Check for external forwarding addresses
Get-Mailbox user@company.com | Select DeliverToMailboxAndForward,ForwardingSmtpAddress
Common phrasing patterns worth alerting users about:
"Are you available?"
"Quick favor"
"Send me the payroll report"
"Update our bank details"
"I can’t talk right now—just do it"
"Share the OneDrive link"
"Approve the sign-in request"
When you’ll encounter spear phishing
Spear phishing often appears at moments when teams are rushed, processes change, or money/data is moving.
High-risk business scenarios
- Quarter-end / year-end close: finance staff get “urgent” invoice and wire requests
- Payroll cycles: HR receives “update direct deposit” or “send W-2 list”
- New vendor onboarding: attackers impersonate vendors with plausible invoices
- Mergers, acquisitions, restructures: attacker uses public announcements to craft believable pretexts
- Executive travel: “I’m boarding—can you handle this?” scams spike
- Helpdesk/IT projects: “SSO migration,” “mailbox upgrade,” “password reset” lures
Roles most commonly targeted
- Finance/AP/AR, treasury, controllers
- Executives and executive assistants
- HR and payroll
- IT admins and helpdesk (password resets, MFA enrollment, OAuth consent)
- Sales and customer success (invoice/payment reroutes)
- Anyone with access to shared mailboxes, approvals, or vendor banking details
Environmental cues (what to watch for in your org)
You’re more likely to see spear phishing if:
- Your leadership team is highly visible online
- Vendor payments are frequent and high-value
- MFA uses push approvals without number matching (more fatigueable)
- External email banners are ignored or overly noisy
- There’s no required out-of-band verification for bank detail changes
What to do if you receive a spear phishing attempt
For employees (fast response checklist)
- Don’t click links or open unexpected attachments.
- Verify out-of-band (call a known number from your directory; start a new chat thread; don’t reply to the suspicious message).
- Report using your org’s “report phishing” method or forward to security.
- If you entered credentials, change your password immediately and notify IT/security.
- If you approved an MFA prompt, report it as a potential account compromise.
A practical way to reduce damage from credential theft is to use strong, unique passwords and shared vault controls for teams. If you’re evaluating options, see our guide: password manager for small business 2026 (affiliate-friendly options often include 1Password; you can review it here: Try 1Password →).
For admins (short containment & scoping checklist)
If a spear-phish is reported:
1. Contain: block sender domain/address; quarantine similar messages.
2. Scope: search org-wide for the same subject, sender, or URL.
3. Verify: confirm whether any user clicked, entered creds, or approved MFA.
4. Remediate: reset credentials, revoke sessions/tokens, review inbox rules/forwarding.
5. Harden: enforce DMARC, tighten external forwarding, require verification for payment changes.
If you want a parallel “response-as-a-service” model, it’s worth understanding what MDR typically covers (triage, containment guidance, and escalation). See: what is mdr
Prevention: reduce spear phishing success rates
Strengthen identity and access basics
- Require phishing-resistant MFA where possible (passkeys/FIDO2)
- Disable legacy authentication (if still present)
- Use conditional access (geo/device/risk-based policies)
- Monitor and restrict OAuth app consent (limit token-based persistence)
Improve email and endpoint defenses (without relying on them alone)
- Enforce SPF/DKIM/DMARC and monitor DMARC reports
- Use attachment sandboxing and safe-link rewriting (where available)
- Make “external sender” indicators consistent and meaningful (not banner fatigue)
Because spear phishing often leads to malware staging or credential theft that turns into endpoint activity, ensure you’re running a solid business endpoint stack. If you’re comparing tools, use: best antivirus for windows business endpoints 2026 (some teams pair endpoint protection with Malwarebytes for additional remediation workflows; see: Get Malwarebytes →).
Train for the moments that matter
Focus training on realistic workflows attackers exploit:
- Vendor invoice changes and bank detail updates
- “CEO needs this now” gift card or payment requests
- HR/payroll file requests
- “IT needs you to re-authenticate” login prompts
- Unexpected MFA approvals
Good training reinforces one habit: verify using a separate channel when money, credentials, or sensitive data is involved.
Related terms
Broad, often mass-distributed fraudulent messages designed to trick recipients.
Spear phishing aimed specifically at high-profile targets (executives, board members).
Fraud involving impersonation or compromised email accounts to steal money or data (often via wire transfer or invoice scams).
A legitimate email is copied and resent with a malicious link/attachment substituted.
Phishing via SMS/text messaging.
Phishing via phone calls or voice messages.
QR-code-based phishing used to bypass link scanning and push users to malicious sites.
Fake login pages or OAuth consent prompts to capture usernames/passwords or tokens.
Repeated MFA prompts sent to pressure users into approving one.
Domains crafted to resemble legitimate ones for impersonation.
Attacker inserts messages into an existing email conversation to increase trust.