eastbaycyber

What Is Spear Phishing?

Glossary 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

At a basic level, spear phishing is a form of social engineering. The attacker does not rely only on technical tricks. They rely on relevance and credibility.

Spear phishing is a targeted phishing attack aimed at a specific person, team, or organization. Unlike bulk phishing, spear phishing uses personal, business, or role-specific context to make a message look legitimate and increase the chance that the target will click a link, open a file, share information, or approve a fraudulent request.

If you want broader context, see what is phishing and what is business email compromise.

How spear phishing works

Spear phishing is effective because the attacker does not need to fool thousands of people. They only need to fool the right person once.

Research the target

The attacker gathers information from public and private sources, such as:

  • Company websites
  • LinkedIn and social media
  • Press releases
  • Conference attendee lists
  • Prior data breaches
  • Email signatures
  • Vendor names and business relationships

They may look for details like:

  • Job title
  • Reporting lines
  • Travel schedules
  • Current projects
  • Finance or approval authority
  • Executive names and writing style

This research helps the attacker create a believable message.

Create a pretext

A pretext is the story behind the message. Common examples include:

  • A shared document for review
  • A password reset notice
  • A payroll or HR request
  • An invoice or payment update
  • A vendor asking for new banking details
  • An executive requesting urgent action while traveling

The more closely the message matches normal business activity, the more convincing it becomes.

Deliver the message

Spear phishing is most often delivered by email, but it can also arrive through:

  • Text messages
  • Collaboration platforms
  • Social media direct messages
  • Messaging apps
  • Phone calls combined with email

The attacker may spoof a display name, register a lookalike domain, or compromise a real mailbox to make the message appear authentic.

Trigger an action

The goal is usually to get the victim to do one of the following:

  • Enter credentials into a fake login page
  • Open a malicious attachment
  • Approve an MFA prompt
  • Reply with sensitive information
  • Transfer funds
  • Change vendor payment details

Exploit the result

Once the victim acts, the attacker may:

  • Log in with stolen credentials
  • Steal tokens or session cookies
  • Deliver malware
  • Access cloud apps and email
  • Use the compromised account to target others
  • Start or expand a business email compromise scheme

Why spear phishing is different from regular phishing

The main difference is targeting.

Regular phishing is often sent at scale with broad, generic language. Spear phishing is customized for a particular victim or group. Because it is tailored, it often looks more professional, more relevant, and more urgent.

That is why common advice like “watch for bad spelling” is not enough. Many spear phishing messages are well written and closely aligned with real business workflows.

Common spear phishing examples

Fake executive request

An attacker impersonates a senior leader and asks an assistant or finance employee to handle an urgent payment, gift card purchase, or document review.

Vendor impersonation

The attacker pretends to be a supplier and asks for payment details to be updated before the next invoice is processed.

Document-sharing lure

The message claims a contract, quote, or HR file has been shared and sends the target to a fake Microsoft 365 or Google login page.

Targeted MFA abuse

The attacker steals credentials and then pressures the target to approve repeated MFA prompts or complete a live sign-in flow on a fake site.

Internal thread hijack

After compromising one mailbox, the attacker replies within real email threads so the next victim sees what appears to be a trusted internal conversation.

When you will encounter spear phishing

You can encounter spear phishing in almost any organization, but it is especially common in roles that handle money, access, or sensitive information.

Finance and payroll teams

Attackers target these teams because they can approve payments, change banking details, or access sensitive records.

Executives and executive assistants

These users are attractive targets because they often have access, authority, and influence. Executive impersonation is also a common fraud tactic.

IT and security administrators

Attackers may target admins to steal privileged credentials or gain access to high-value systems.

These teams routinely receive contracts, invoices, applicant documents, and urgent requests, which makes tailored phishing lures easier to disguise.

Organizations with many vendors or partners

Trusted third-party relationships create openings for realistic impersonation and invoice fraud attempts.

How organizations defend against spear phishing

No single control stops every spear phishing attempt. Defense works best in layers.

Email security controls

Secure email gateways, impersonation protections, domain authentication, and link or attachment analysis can reduce exposure.

Strong identity protections

MFA, conditional access, and sign-in risk controls make credential theft less useful. For password hygiene, tools like Try 1Password → can help reduce weak or reused passwords that attackers often exploit after a successful phish.

Endpoint and malware protection

If a user opens a malicious file or script, endpoint security can help detect or contain the activity. In smaller environments, Get Malwarebytes → may be a practical addition where endpoint protection coverage needs improvement.

User reporting and awareness

People should know how to report suspicious messages quickly. Training matters most when it teaches realistic patterns, not just obvious red flags.

Verification for financial changes

Requests involving payroll updates, bank changes, or wire transfers should be confirmed through a separate trusted channel.

Monitoring and response

Security teams should be able to answer questions such as:

  • Who else received the message?
  • Did anyone click?
  • Were credentials entered?
  • Was the mailbox accessed afterward?
  • Were inbox rules created?
  • Did the account send more phishing internally?

Conclusion

Spear phishing is a targeted social engineering attack built to look credible to a specific victim or group. It is dangerous because it uses real context, believable requests, and normal business workflows to lower suspicion.

The best defense is layered: email protections, strong identity controls, endpoint security, user reporting, and clear verification processes for sensitive requests. One convincing message can start a serious incident, which is why spear phishing should be treated as both a people problem and a security operations problem.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.