Spear phishing attacks employ several strategies that make them harder to identify, and more convincing, than bulk phishing attacks.

Credibility based on extensive research

To make their targeted attacks more believable, spear phishers research both the senders they impersonate and their targets, so that they can impersonate the senders effectively and present a credible story to the targets.

Many spear phishers get to know their senders and their victims through social media. With people sharing information so freely on social media and elsewhere online, cybercriminals can now find relevant and detailed information without much digging. For instance, studying a victim’s LinkedIn page might help a scammer better understand an employee’s job responsibilities and learn which vendors their organization uses, so they can more effectively impersonate a reliable sender of a fictitious invoice.

According to a report from Omdia, hackers can craft convincing spear phishing emails in very little time after general Google research. Some hackers may even hack into company email accounts or messaging apps and spend more time observing conversations to gather more detailed context on relationships.

Specific social engineering tactics

Social engineering tactics use psychological manipulation to trick people into believing false premises or taking unwise actions. Based on their research, spear phishing scammers can craft believable situations, or pretexts, as part of their messages, for example: “We’ve decided to go with a new law firm for the land deal, can you please wire the attached invoice to cover their retainer fee?” They can create a sense of urgency to drive recipients to act rashly, for example: “Payment is already overdue—please send funds before midnight to avoid late fees.” Some even use social engineering to keep the scam a secret, for example: “Please be discreet, keep this quiet until the deal is announced later this week.”
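As an added defender-side illustration (not part of the original article), the following Python scores a message for the cues described in this section and the one above: a payment pretext, an urgency cue, a request for secrecy, and a friendly display name on a sender domain the organisation does not own. The domains, sample messages, patterns and weights are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-corp.test"}  # assumed: the organisation's own domains

# Cue patterns follow the tactics described above; weights are an illustrative assumption.
SIGNALS = {
    "pretext_payment": (re.compile(r"\b(wire|invoice|retainer|send funds)\b", re.I), 1),
    "urgency": (re.compile(r"\b(overdue|before midnight|immediately|late fees)\b", re.I), 2),
    "secrecy": (re.compile(r"\b(discreet|keep this quiet|confidential)\b", re.I), 2),
}

# Constructed sample: impersonated contact on an outside domain, with the pretext,
# urgency and secrecy cues from the text.
SPEAR_PHISH = """\
From: Dana Reyes <dana.reyes@example-mail.test>
To: payables@example-corp.test
Subject: Retainer for the land deal

We've decided to go with a new law firm for the land deal, can you please wire
the attached invoice to cover their retainer fee? Payment is already overdue,
please send funds before midnight to avoid late fees. Please be discreet and
keep this quiet until the deal is announced later this week.
"""

# Constructed benign internal message for comparison.
BENIGN = """\
From: Sam Lee <sam.lee@example-corp.test>
To: payables@example-corp.test
Subject: Lunch menu for Thursday

Attaching the menu options, let me know what you'd like.
"""

def score_message(raw: str) -> dict:
    """Return the cues found in one plain-text message and their summed weight."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + (msg.get_payload() if not msg.is_multipart() else "")
    found = {name: w for name, (pat, w) in SIGNALS.items() if pat.search(text)}
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    # Impersonation cue: a friendly display name on an address outside our domains.
    if display and from_domain not in INTERNAL_DOMAINS:
        found["external_sender_with_display_name"] = 2
    # Replies diverted to a different domain than the From address are a further cue.
    if reply_domain and reply_domain != from_domain:
        found["reply_to_mismatch"] = 1
    return {"signals": found, "score": sum(found.values())}
```

Such keyword scoring only triages; the signals are meant to feed a review queue or a banner, not to block mail on their own.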

Multiple message types

Increasingly, spear phishing scams combine messages across multiple channels for added credibility. For example, spear phishing messages may include phone numbers the target can call for confirmation; the numbers are answered by fraudulent representatives. Some scammers follow up spear phishing emails with fraudulent SMS text messages (called smishing). More recently, scammers have followed up spear phishing emails with fake phone calls (called vishing) that use AI-based impersonations of the alleged sender’s voice.