Spear phishing vs. phishing: what’s the difference?

The simple answer: spear phishing is a special type of phishing attack.

Phishing is any cyberattack that uses malicious email messages, text messages, or voice calls to trick people into sharing sensitive data (e.g., credit card numbers or social security numbers), downloading malware, visiting malicious websites, sending money to the wrong people, or otherwise themselves, their associates or their employers. Phishing is the most common cybercrime attack vector, or method; 300,479 phishing attacks were reported to the FBI in 2022.

Most phishing is bulk phishing—impersonal messages that appear to be from a widely-known and trusted sender (e.g., a global brand), sent en masse to millions of people in hope that some small percentage of recipients will take the bait.

Spear phishing is targeted phishing. Specifically, spear phishing messages are

• sent to a specific individual or group of individuals
• highly personalized, based on research
• crafted to appear to come from a sender who has a relationship to the recipient—say, a coworker or colleague the recipient knows, or someone to whom the recipient is accountable, such as a manager or company executive.

Spear phishing attacks are much rarer than phishing attacks, but they pursue much larger or more valuable rewards and, when successful, have a much larger impact than bulk phishing scams. According to one recent report, spear phishing emails represented just 0.1 percent of all emails during a 12-month period, but accounted for 66 percent of data breaches during those same 12 months. In one high-profile spear phishing attack, scammers stole more than USD 100 million from Facebook and Google by posing as legitimate vendors and tricking employees into paying fraudulent invoices.

Spear phishing attacks employ several strategies that make it more difficult to identify and more convincing than bulk phishing attacks.

To make their targeted attacks more believable, spear phishers research their senders and their targets—so they can impersonate the senders effectively, and so they can present a credible story to the targets.

Many spear phishers get to know their senders and their victims through social media. With people sharing information so freely on social media and elsewhere online, cybercriminals can now find relevant and detailed information without much digging. For instance, studying a victim’s LinkedIn page might help a scammer better understand an employee’s job responsibilities and learn which vendors their organization uses, so they can more effectively impersonate a reliable sender of a fictitious invoice.

According to a report from Omdia, hackers can craft convincing spear phishing emails in very little time after general Google research. Some hackers may even hack into company email accounts or messaging apps and spend more time observing conversations to gather more detailed context on relationships.

Social engineering tactics use psychological manipulation to trick people into believing false premises or taking unwise actions. Based on their research, spear phishing scammers can craft believable situations, or pretexts, as part of their messages—e.g., We’ve decided to go with a new law firm for the land deal, can you please wire the attached invoice to cover their retainer fee? They can create a sense of urgency to drive recipients to act rashly—e.g., Payment is already overdue—please send funds before midnight to avoid late fees. Some even use social engineering to keep the scam a secret—e.g., Please be discreet, keep this quiet until the deal is announced later this week.

Increasingly, spear phishing scams combine messages from multiple media for added credibility. For example, spear phishing messages include phone numbers the target can call for confirmation; the numbers are answered by fraudulent reps. Some scammers followed up spear phishing emails with fraudulent SMS text messages (called smishing). More recently, scammers have followed up spear phishing emails with fake phone calls (called vishing) that used artificial intelligence-based impersonations of the alleged sender’s voice.

Spear phishing attacks are divided further into subtypes, based on who the attacks target, or who they impersonate.

Business email compromise (BEC), is a spear phishing email scam that attempts to steal money or sensitive data from a business.

In a BEC attack, a cybercriminal (or cybercriminal gang) sends employees of the target organization emails that appear to be from a manager or fellow employee—or from a vendor, partner, customer or other associate known to the recipient. The emails are written to trick the employees into paying fraudulent invoices, making wire transfers to bogus bank accounts, or sending sensitive information to someone who allegedly needs it. (In rarer cases, BEC scammers may try to spread ransomware or malware by asking victims to open an attachment or click a malicious link.)

Some BEC scammers take the extra step of stealing or obtaining the sender’s email account credentials (username and password) and sending the email directly from that sender’s actual account. This makes the scam appear more authentic than one sent from even the most carefully impersonated or spoofed email account.

In a special type of BEC attack, called CEO fraud, the scammer masquerades as a high-ranking executive, pressuring lower-level employees to wire funds or disclose sensitive data.

Whale phishing is a spear phishing attack that targets the highest-profile, highest-value victims—or “whales”—including board members, C-level management, and non-corporate targets like celebrities and politicians. Whale phishers know these individuals have things only high-value targets can provide, including large sums of cash, access to highly valuable or highly confidential information, and reputations worth protecting. Unsurprisingly, whaling attacks typically require much more detailed research than other spear phishing attacks.

In August 2022, cloud-based communication giant Twilio suffered a sophisticated spear phishing attack that compromised its network.

Phishers targeted Twilio employees using fake SMS text messages that appeared to come from the company’s IT department. The messages claimed the employees’ passwords had expired or their schedules had changed and directed them to a fake website that required them to reenter their login credentials. To make the phishing scam even more realistic, the hackers included “Twilio,” “Okta,” and “SSO” (short for single sign-on) in the fake website’s URL to further convince employees to click the malicious link.

Using the login credentials from employees who fell for the messages, the scammers broke into Twilio’s corporate network.

The phishing scam made news not only because of its sophistication—with one expert calling it “one of the more sophisticated long-form hacks in history”—but also because of Twilio’s unique position as a B2B company, servicing many other tech companies. As a result, several other tech companies found themselves implicated in the phishing scam, including Twilio-owned Authy, a two-factor authentication service, and Signal, an encrypted messaging app that used Twilio for SMS verification services.

Ultimately, the Twilio attack impacted over 163 of its customer organizations, including 1,900 Signal accounts. Further, it proved that spear phishing attacks like the one Twilio faced are becoming increasingly common.

Email security tools, antivirus software, and multi-factor authentication are all critical first lines of defense against phishing and spear phishing. Organizations also increasingly rely on security awareness training and phishing simulations to better educate their employees on the dangers and tactics of phishing and spear phishing attacks.

However, no security system is complete without state-of-the-art threat detection and response capabilities to catch cybercriminals in real time and mitigate the impact of successful phishing campaigns.

IBM QRadar® SIEM applies machine learning and user behavior analytics (UBA) to network traffic alongside traditional logs for smarter threat detection and faster remediation. In a recent Forrester study, QRadar SIEM helped security analysts save more than 14,000 hours over three years by identifying false positives, reduce time spent investigating incidents by 90%, and reduce their risk of experiencing a serious security breach by 60%.* With QRadar SIEM, resource-strained security teams have the visibility and analytics they need to detect threats rapidly and take immediate, informed action to minimize the effects of an attack.

*The Total Economic Impact™ of IBM QRadar SIEM is a commissioned study conducted by Forrester Consulting on behalf of IBM, April 2023. Based on projected results of a composite organization modeled from four interviewed IBM customers. Actual results will vary based on client configurations and conditions and, therefore, generally expected results cannot be provided.