In March 2022, the FBI warned that business email compromise — a category dominated by spear phishing — cost victims over $2.4 billion in 2021 alone, making it the most financially damaging cybercrime category in the FBI IC3 Annual Report. That number dwarfs ransomware losses. So what is spear phishing, exactly, and why does it keep working against organizations that spend millions on security tools? It's a highly targeted email attack crafted for a specific individual, using personal details to make the message convincing enough to bypass both technology and human judgment.

I've investigated dozens of incidents where a single spear phishing email was the root cause of a catastrophic breach. Not a mass blast to ten thousand inboxes — one email, to one person, written so well that the recipient never questioned it. That's what makes this threat different from everything else in your inbox.

What Is Spear Phishing? A Precise Definition

Spear phishing is a social engineering attack where a threat actor sends a personalized email (or message) to a specific individual or small group within an organization. Unlike bulk phishing campaigns that cast a wide net with generic lures, spear phishing uses research — your name, your job title, your boss's name, a project you're working on — to craft a message that feels legitimate.

The goal varies. Sometimes the attacker wants your login credentials. Sometimes they want you to wire money to a fraudulent account. Other times they want you to open an attachment that installs malware or ransomware. But the method is consistent: make the target believe the message is real by making it personal.

Spear Phishing vs. Regular Phishing vs. Whaling

Regular phishing is a numbers game. A threat actor sends the same "Your account has been suspended" email to 50,000 people and waits for a few hundred to bite. Spear phishing flips that model — one carefully researched email to one carefully chosen target.

Whaling is a subset of spear phishing aimed specifically at senior executives — CEOs, CFOs, board members. The playbook is the same, but the stakes are higher because these targets have signing authority and access to sensitive systems.

Here's the critical distinction: your spam filter catches most generic phishing. Spear phishing often sails right through because the message looks like normal business communication.

How Threat Actors Build a Spear Phishing Attack

The reason spear phishing works so well is the reconnaissance phase. Attackers don't guess — they research. And in 2022, they have more open-source intelligence at their fingertips than ever before.

Step 1: Target Selection

Attackers choose targets based on access and influence. An accounts payable clerk who processes wire transfers. A system administrator with domain credentials. An executive assistant who manages the CEO's calendar. These roles show up in LinkedIn profiles, company websites, and press releases.

Step 2: Intelligence Gathering

Once the target is selected, the attacker harvests everything they can find. LinkedIn provides job titles, reporting structures, recent job changes, and professional connections. Twitter and Facebook reveal personal interests, travel plans, and communication style. Company websites publish org charts, press releases, and partner announcements.

I've seen attackers use details as specific as a conference the target attended the previous week. One investigation I worked revealed the attacker had pulled information from a court filing that named the target's attorney — then impersonated that attorney via email.

Step 3: Crafting the Lure

With this intelligence, the attacker writes an email that fits naturally into the target's workday. Common approaches include:

  • An email from the target's boss requesting an urgent wire transfer
  • A message from IT asking the target to verify credentials on a spoofed login page
  • A document "from" a known vendor that contains a malicious macro
  • A calendar invite from a colleague with a link to a credential-harvesting site

The attacker often spoofs the sender's email address or, in more sophisticated attacks, compromises a real email account first and sends the spear phishing message from a legitimate address.

Step 4: Exploitation and Lateral Movement

Once the target clicks, downloads, or enters credentials, the attacker moves fast. Stolen credentials get used immediately. Malware phones home to a command-and-control server. The attacker establishes persistence, escalates privileges, and begins moving laterally through your network. The Verizon 2022 Data Breach Investigations Report found that 82% of breaches involved the human element — and spear phishing is one of the primary vectors.

The $4.88M Lesson Most Organizations Learn Too Late

According to IBM's 2022 Cost of a Data Breach Report, the average cost of a data breach reached $4.35 million globally this year. But phishing-initiated breaches came in even higher — among the most expensive initial attack vectors studied.

Real-world examples make this concrete:

Ubiquiti Networks (2015): Attackers used spear phishing to impersonate employees and trick the finance department into transferring $46.7 million to overseas accounts controlled by the threat actors. The company disclosed the incident in an SEC filing.

RSA Security (2011): Two small groups of RSA employees received spear phishing emails with an Excel attachment titled "2011 Recruitment Plan." One employee opened it. The resulting breach compromised RSA's SecurID two-factor authentication product and affected defense contractors that relied on it.

Twitter (2020): Attackers used phone-based spear phishing (vishing) to target Twitter employees, obtaining credentials that gave them access to internal tools. They hijacked high-profile accounts, including those of Barack Obama, Elon Musk, and Apple, to run a cryptocurrency scam.

Each of these incidents started the same way — a targeted message designed to exploit trust.

Why Your Email Filters Won't Save You

I hear this constantly: "We have advanced email security, so we're covered." Here's what actually happens in my experience. Secure email gateways are excellent at catching known threats — malicious attachments with recognized signatures, URLs on blocklists, messages from known bad senders. Spear phishing deliberately avoids all of these triggers.

A well-crafted spear phishing email often contains:

  • No attachment (just a link to a lookalike domain registered hours ago)
  • No malware (just a credential-harvesting page)
  • A spoofed sender address that passes basic checks
  • Language that matches normal business communication
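As an added illustration of what a filter can still check on a message like this (example code written for this article, not the author's own tooling), the Python script below triages one constructed set of headers: the trusted domain list, the protected executive names and the sample message are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not a real message): lookalike domain, impersonated CFO, urgent request.
SAMPLE = """\
From: "Dana Reyes (CFO)" <dana.reyes@examp1e-corp.com>
Reply-To: <dana.reyes.cfo@mail-example.net>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=none
Subject: Urgent wire - need this done before 3pm
"""

TRUSTED_DOMAINS = {"example-corp.com"}   # assumed: the organization's own mail domains
PROTECTED_NAMES = {"dana reyes"}         # assumed: executives attackers like to impersonate
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|before \d)", re.I)

def edit_distance(a, b):
    # Plain Levenshtein distance; one or two edits between domains signals a lookalike.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    # Untrusted domain within two edits of a trusted one (e.g. digit 1 swapped for letter l).
    return domain not in TRUSTED_DOMAINS and any(
        edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)

def triage(raw):
    """Return the spear-phishing indicators found in one message's headers."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    findings = []
    if is_lookalike(from_dom):
        findings.append("lookalike sender domain")
    if any(p in name.lower() for p in PROTECTED_NAMES) and from_dom not in TRUSTED_DOMAINS:
        findings.append("display name impersonates internal staff")
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to domain differs from sender")
    if "dmarc=pass" not in auth:
        findings.append("no DMARC pass")
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("urgency cue in subject")
    return findings
```

Running `triage(SAMPLE)` flags all five indicators, none of which depends on an attachment or a known-bad URL; a clean internal message with a DMARC pass returns an empty list.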

Technology is a necessary layer, but it's not sufficient. The Verizon DBIR data has shown this consistently for years — the human element remains the dominant factor in breaches. Your people are the last line of defense, and they need to be trained accordingly.

How to Defend Against Spear Phishing Attacks

Defending against spear phishing requires a layered approach. No single control eliminates the risk. But the combination of the right technology, processes, and training dramatically reduces your exposure.

Implement Multi-Factor Authentication Everywhere

Multi-factor authentication (MFA) is the single most effective technical control against credential theft from spear phishing. Even when an employee enters their password on a fake login page, the attacker can't use those credentials without the second factor. CISA has consistently urged all organizations to enable MFA as a baseline security measure.

Prioritize MFA on email, VPN, cloud services, and any system with access to sensitive data. Push-based MFA or hardware keys are significantly more resistant to phishing than SMS codes.

Adopt Zero Trust Principles

Zero trust architecture assumes no user or device is trusted by default — even inside your network perimeter. This limits the blast radius when a spear phishing attack succeeds. If an attacker compromises one employee's credentials, zero trust controls prevent them from freely pivoting across your environment.

Practical zero trust steps include network segmentation, least-privilege access, continuous authentication, and micro-segmentation of sensitive assets.

Run Realistic Phishing Simulations

Your employees need practice recognizing spear phishing in a safe environment before they encounter the real thing. Phishing simulations that mimic actual attacker tactics — personalized messages, spoofed internal senders, urgent requests — build the pattern recognition your team needs.

Generic, obvious simulations don't help. The simulations need to be uncomfortable. If everyone passes every time, your simulations aren't realistic enough. Our phishing awareness training for organizations builds this muscle memory through scenario-based exercises modeled on real-world attack patterns.

Train for Skepticism, Not Compliance

Checkbox security awareness training doesn't stop spear phishing. A 30-minute annual video followed by a quiz teaches people to pass quizzes, not to question a convincing email from their CFO.

Effective training teaches employees to pause before acting on urgency, verify requests through a second channel (call the sender directly), and report suspicious messages without fear of embarrassment. Our cybersecurity awareness training program focuses on building these instincts with practical, scenario-driven content your team will actually remember.

Establish Verification Procedures for Financial Requests

Every organization needs a policy that requires out-of-band verification for wire transfers, changes to payment details, and other high-value financial requests. This means picking up the phone and calling the person who supposedly sent the email — using a known number, not the one in the email signature.

This single procedural control would have prevented the Ubiquiti breach and countless BEC scams like it.

Limit Your Organization's Public Exposure

Audit what your organization and employees share publicly. Detailed org charts, employee directories with email addresses and direct phone numbers, and overshared LinkedIn profiles all feed attacker reconnaissance. You don't need to go dark, but you should be intentional about what's available.

What Should You Do If You Suspect a Spear Phishing Email?

If you receive a suspicious email that appears targeted — references your specific projects, names your colleagues, or creates unusual urgency — take these steps immediately:

  • Don't click any links or open any attachments. Even hovering over links can be risky in some email clients.
  • Don't reply to the sender. If the email is spoofed, you're now communicating with the attacker.
  • Report it to your security team or IT department. Use your organization's designated reporting mechanism — many use a "Report Phishing" button in the email client.
  • Verify the request through a separate channel. Call the supposed sender using a phone number you already have, not one in the email.
  • If you already clicked or entered credentials, report it immediately. Speed matters. Your security team can reset compromised credentials and begin monitoring for unauthorized access before the attacker can exploit it.

The faster you report, the faster your team can contain the damage. Fostering a culture where reporting is encouraged — never punished — is one of the most important things your organization can do.

Spear Phishing Is Getting More Sophisticated in 2022

Threat actors are evolving their spear phishing tactics rapidly this year. I'm seeing several trends that should concern every security leader:

Compromise-then-phish attacks: Attackers compromise a vendor or partner's email account, then use that legitimate account to send spear phishing emails to their contacts. The messages come from real, trusted addresses, making detection extremely difficult.

Multi-stage attacks: Instead of going for the kill immediately, attackers build rapport. They send a benign email first — "Are you available for a quick call?" — and only deliver the malicious payload in a follow-up message after the target has already engaged.

Exploitation of hybrid work: With employees scattered across home offices and coworking spaces, the informal verification that used to happen naturally ("Hey, did you send me this?") happens less often. Attackers know this and exploit the reduced communication.

Deepfake voice calls as follow-up: Some advanced threat actors are using AI-generated voice calls to reinforce spear phishing emails, adding a layer of social engineering that makes the entire attack more believable.

These trends make it clear that static defenses and outdated training won't cut it. Your security awareness program needs to evolve as fast as the threats do.

Your People Are the Target — Make Them the Defense

Every spear phishing attack targets a person. Not a firewall. Not an endpoint agent. A human being making a split-second decision about whether an email is real. That decision is the single most consequential moment in your organization's security posture.

You can't patch human judgment with technology alone. You build it with consistent, realistic training and a culture that rewards vigilance. Start with a serious assessment of your organization's readiness. Run a phishing simulation that actually tests your people. Build verification procedures for high-risk actions. And make sure every employee — from the intern to the board member — understands exactly what spear phishing looks like and what to do when they see it.

The threat actors are doing their homework on your organization right now. Make sure your team is ready.