What is spear phishing?

Like all phishing scams, spear phishing involves manipulating victims through fake stories and fraudulent scenarios. Spear phishing attacks can be conducted through email messages, text messages, chat apps or phone calls.

According to IBM’s Cost of a Data Breach Report, phishing is the most common cause of data breaches. Spear phishing is one of the most effective forms of phishing because cybercriminals tailor their scams to be as convincing as possible to their targets.

In a report from Barracuda that analyzed 50 billion emails, researchers found that spear phishing accounted for less than 0.1% of the emails but led to 66% of successful breaches.¹ While the average breach caused by phishing costs USD 4.76 million according to the Cost of a Data Breach report, spear phishing attacks can climb as high as USD 100 million.²

Spear phishing, a form of social engineering attack, exploits human nature rather than network vulnerabilities. To effectively counter this, cybersecurity teams must combine employee education with advanced threat detection tools, forming a robust defense against this insidious threat.

Phishing is a broad category that includes any social engineering attack that uses fraudulent messages to manipulate victims. Spear phishing is a subset of phishing that focuses on a carefully chosen target.

A classic phishing attack, also called “bulk phishing,” is a numbers game. Hackers craft fraudulent messages that appear to come from trusted businesses, organizations or even celebrities.

Hackers send these phishing messages to hundreds or thousands of people, hoping to trick some of them into visiting fake websites or giving up valuable information like social security numbers.

However, spear phishing attacks are targeted attacks aimed at specific individuals who have access to assets the cybercriminals want.

Spear phishers set their sights on a particular person or group, like a corporate executive or a company’s regional sales directors. They conduct extensive research on their targets’ personal and professional lives and use their findings to craft highly credible scam messages.

Most spear phishing attacks follow a four-step process:

1. Setting an objective 
2. Choosing a target
3. Researching the target 
4. Crafting and sending the phishing message

Many spear phishing scams aim to steal large sums of money from organizations. Spear phishers can do this in a few ways. Some trick their victims into making a payment or wire transfer to a fraudulent vendor. Others manipulate targets into sharing credit card numbers, bank account numbers or other financial data.

Spear phishing campaigns can also have other damaging objectives:

• Spreading ransomware or other malware. For example, a threat actor can send a malicious email attachment disguised as a harmless Microsoft Word document. When the victim opens the file, it automatically installs malware on their device.
  
  
• Stealing login credentials, such as usernames and passwords that the hacker can use to stage a larger attack. For example, the hacker might send the target a malicious link to a fraudulent “update your password” page. This fake website sends any credentials that victims enter right back to the hacker.
  
  
• Stealing sensitive information, such as customers’ or employees' personal data, intellectual property or trade secrets. For example, the spear phisher might pretend to be a colleague and ask the victim to share confidential reports.

Next, the spear phisher identifies a suitable target. The target is someone who can give the hackers access to the resources they want, either directly (such as by making a payment) or indirectly (such as by downloading spyware).

Spear phishing attempts often target midlevel, low-level or new employees with elevated network or system privileges. These employees can be less rigorous in following company policies than higher-level targets. They might also be more susceptible to pressure tactics, such as a scammer pretending to be a senior leader.

Typical victims include financial managers authorized to make payments, IT workers with administrator-level access to the network and HR managers with access to employees’ personal data.

Other types of spear phishing attacks target executive-level employees exclusively. For more information, see the “Spear phishing, whaling and BEC” section.

The attacker researches the target, looking for information that allows them to impersonate a trusted source close to the target, such as a friend, colleague or boss.

Thanks to the amount of information that people freely share on social media and elsewhere online, cybercriminals can find this information without too much digging. Many hackers can craft a convincing spear phishing email after only a couple hours of Google searching.

Some hackers go even further. They break into company email accounts or messaging apps and spend time observing their target to gather even more detailed information.

Using their research, spear phishers create targeted phishing messages that appear highly credible. The key is that these messages contain personal and professional details that the target mistakenly believes only a trusted source could know.

For example, imagine Jack is an accounts payable manager at ABC Industries. By looking at Jack’s public LinkedIn profile, an attacker might find his job title, responsibilities, company email address, boss’s name and title and business partners’ names and titles.

The hacker can use these details to send a believable email claiming to come from Jack’s boss:

Hi Jack,

I know you process the invoices from XYZ Systems. They just let me know they’re updating their payment process and need all future payments to go to a new bank account. Here’s their latest invoice with the new account details. Can you send the payment today?

The attached invoice is fake, and the “new bank account” is one that the fraudster owns. Jack delivers the money right to the attacker when he makes the payment.

A phishing email typically includes visual cues that lend further authenticity to the scam. For example, the attacker might use a spoofed email address that shows Jack’s boss’s display name but hides the fraudulent email address the attacker used.

The attacker might also CC a spoofed coworker’s email and insert a signature that features the ABC Industries company logo.

A skilled fraudster might even hack into Jack’s boss’s actual email account and send the message from there, giving Jack no reason to be suspicious.

Some fraudsters conduct hybrid spear phishing campaigns that combine phishing emails with text messages (called “SMS phishing” or “smishing”) or phone calls (called “voice phishing” or “vishing”).

For example, instead of attaching a fake invoice, the email might instruct Jack to call XYZ Systems accounts payable department at a phone number secretly controlled by a fraudster.

Because they use multiple modes of communication, hybrid spear phishing attacks are often even more effective than standard spear phishing attacks.

In addition to gaining the victims’ trust, spear phishing attacks often use social engineering techniques to psychologically pressure their targets into taking actions they shouldn’t and ordinarily wouldn’t take.

One example is impersonating a high-level company official, as in the spear phishing email in the previous section. Employees are conditioned to respect authority and are scared not to follow an executive’s orders, even if the orders are out of the ordinary.

Other common social engineering tactics include:

• Pretexting: Fabricating a realistic story or situation that the target recognizes and can relate to. For example, a spear phisher might pose as an IT worker and tell the target it is time for a regularly scheduled password update.

• Creating a sense of urgency: For example, a phisher might pose as a vendor and claim that payment for a critical service is late.

• Appealing to strong emotions: Triggering fear, guilt, gratitude or greed or referencing something the target cares about can cloud a victim’s judgment and make them more susceptible to the scam. For example, a fraudster posing as a target’s boss might promise a “reward” for “helping out with a last-minute request.”

The increasing availability of artificial intelligence (AI), specifically generative AI (gen AI), is making it easier for spear phishers to carry out sophisticated and highly effective attacks.

According to IBM's X-Force Threat Intelligence Index, it takes a fraudster 16 hours to craft a phishing email manually. With AI, fraudsters can create those messages in only five minutes.

For spear phishers specifically, AI can streamline some of the trickiest parts of the scam. For example, fraudsters can use AI to automate the extraction of information from the targets’ social media profiles. They can feed gen AI tools writing samples from the people they seek to impersonate, allowing the AI to generate more credible phishing messages.

Fraudsters can also use AI to create convincing false documents, such as fake invoices, email templates, reports and other materials. Hackers can even use AI-generated videos and voice recordings to make it even harder to differentiate between scams and real communications.

There are two notable subtypes of spear phishing attack: whaling (or “whale phishing”) and business email compromise (BEC).

The main difference between whaling and regular spear phishing is that whaling attacks specifically target the highest-profile, highest-value victims. Think board members, C-level management, celebrities or politicians. Whalers are after the quarry that only these targets can provide, such as large sums of cash or access to highly confidential information.

BEC attacks are spear phishing scams that specifically aim to rob organizations. Two common forms of BEC include:

• CEO fraud: The fraudster impersonates a C-level executive by spoofing or hijacking an email account, chat app or other communication channel. The fraudster messages one or more lower-level employees instructing them to transfer funds to a fraudulent account or make a purchase from a fraudulent vendor.
  
  

• Email account compromise (EAC): The fraudster gains access to the email account of a lower-level employee, such as a manager in finance or sales. The fraudster uses the account to send fraudulent invoices to vendors, instruct other employees to make fraudulent payments or request access to confidential data.

Successful BEC attacks are among the costliest cyberthreats, accounting for a total of USD 2.9 billion in reported losses in 2023 according to the Federal Bureau of Investigation (FBI) Internet Crime Report.³

Phishing attacks are among the most difficult cyberattacks to combat because traditional cybersecurity tools cannot always detect them. Spear phishing attacks are especially hard to intercept because their targeted nature and personalized content make them even more convincing to the average person.

However, there are steps that organizations can take to strengthen their defenses against spear phishing and reduce the chance of a successful attack: 

• Security awareness training
• Identity and access management controls
• Cybersecurity controls

Because spear phishing attacks target people, not system vulnerabilities, employee training is an important line of defense. Security awareness training can include:

• Techniques for recognizing suspicious emails, such as spoofed email addresses, poor spelling and grammar, unusually high stakes and odd requests.
  
  
• Tips on how to avoid oversharing on social networking sites.
  
  
• Organizational policies and processes for counteracting scams, such as not opening unsolicited attachments and confirming unusual payment requests through a second channel before acting on them.
  
  
• Spear phishing simulations and penetration tests, which can help employees apply what they learn and aid security teams in identifying vulnerabilities for remediation.

IAM tools, such as role-based access control and multifactor authentication (MFA), can prevent hackers from gaining access to user accounts and sensitive data. For example, if executives enable MFA on their email accounts, hackers need more than just a password to take over those accounts.

No single security control can stop spear phishing altogether, but several tools can help prevent spear phishing attacks or minimize the damage they cause.

• Email security tools, such as spam filters and secure email gateways, can help detect and divert spear phishing emails in real-time.

• Antivirus software can help neutralize malware or ransomware infections that result from spear phishing.

• Secure web gateways, firewalls and other web filtering tools can block the malicious websites that spear phishing emails drive users to.

• System and software patches can close technical vulnerabilities commonly used by spear phishers.

• Endpoint protection tools, such as endpoint detection and response (EDR) and unified endpoint management (UEM) solutions, can stop fraudsters from taking over devices, impersonating users or planting malware.

• Enterprise security solutions, such as security incident and event management (SIEM) and security orchestration, automation and response (SOAR) platforms, can help detect and intercept malicious network activity tied to spear phishing attacks.