In 2023, MGM Resorts lost roughly $100 million after a threat actor called Scattered Spider social-engineered a help desk employee with a single phone call. The attackers had done their homework — they knew the employee's name, role, and enough personal detail to sound legitimate. That's not a random spam blast. That's spear phishing in action, and it's the technique behind the majority of the most expensive breaches in recent history.
So what is spear phishing, exactly? It's a targeted phishing attack directed at a specific individual, role, or organization. Unlike bulk phishing campaigns that cast a wide net, spear phishing messages are crafted using reconnaissance — information scraped from LinkedIn, company websites, SEC filings, or even previous data breaches. The attacker tailors the email (or call, or text) to look like it belongs in your inbox. And it works at an alarming rate.
If you're responsible for security at your organization — or if you just want to understand why this attack vector keeps making headlines — this post breaks down the mechanics, the real-world damage, and the specific steps that actually reduce your risk.
What Is Spear Phishing vs. Regular Phishing?
Regular phishing is a numbers game. A threat actor sends thousands or millions of identical emails hoping a small percentage of recipients click. The messages are generic: "Your account has been suspended," "Verify your identity," "You have a package waiting."
Spear phishing flips that model. Instead of volume, the attacker invests time in a single target. They research the victim's job title, reporting structure, current projects, and communication style. Then they craft a message that looks like it came from a boss, a vendor, or a colleague.
The Key Differences at a Glance
- Targeting: Phishing targets thousands randomly. Spear phishing targets one person or a small group deliberately.
- Personalization: Phishing uses generic lures. Spear phishing references specific names, projects, invoices, or internal processes.
- Success rate: Phishing clicks hover around 3-5%. Spear phishing campaigns routinely achieve 40-70% click rates in security assessments I've conducted.
- Damage potential: A successful spear phishing attack often leads directly to credential theft, wire fraud, ransomware deployment, or massive data breaches.
When someone asks me what spear phishing is, I tell them: it's the difference between a flyer taped to a telephone pole and a handwritten letter addressed to you by name, referencing your kid's soccer game last Saturday.
The $4.88M Reason You Should Care
IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million — the highest figure ever recorded. Phishing and social engineering consistently rank among the top initial attack vectors in that report. And spear phishing, by its very nature, is the tip of that spear (no pun intended).
According to the FBI IC3 2023 Internet Crime Report, business email compromise (BEC) — which almost always starts with a spear phishing attack — accounted for $2.9 billion in reported losses. That's a single category. And those are only the cases people reported.
In my experience, the actual number is significantly higher. Most organizations that fall for a BEC attack don't file an IC3 complaint. They eat the loss, tighten controls, and move on quietly.
How a Spear Phishing Attack Actually Works
I've run hundreds of phishing simulations for organizations ranging from 50-person law firms to Fortune 500 companies. Here's the playbook a real attacker follows — because it's the same playbook I use (ethically) to test defenses.
Step 1: Reconnaissance
The attacker picks a target. Maybe it's your accounts payable clerk, your IT admin, or your CEO. They start gathering information:
- LinkedIn profile — job title, tenure, connections, endorsements
- Company website — org charts, press releases, executive bios
- Social media — personal details, travel plans, hobbies
- Previous data breaches — leaked email addresses, passwords, security questions
- SEC filings or public records — for larger organizations, merger activity, vendor relationships
This phase can take minutes or weeks depending on the target's value.
Step 2: Crafting the Lure
Armed with context, the attacker writes an email that passes the gut check. Examples I've seen work in real engagements:
- "Hey Sarah, Jim from Deloitte asked me to send over the updated SOW. Can you review before our Thursday call?" (with a malicious PDF attached)
- "Quick question — can you wire the retainer to the new account? Details attached. Need it before EOD." (spoofing the CEO's display name)
- "Your MFA token is expiring. Click here to re-enroll before you lose access." (linked to a credential harvesting page)
Each message leverages urgency, authority, or familiarity. The attacker may even register a lookalike domain — one that differs from yourcompany.com by a single swapped character, so it reads as legitimate at a glance.
Step 3: Exploitation
Once the victim clicks, the attacker either harvests credentials through a fake login portal, drops malware via a weaponized document, or establishes a foothold for lateral movement. From there, the path leads to ransomware, data exfiltration, wire fraud, or all three.
Step 4: Persistence
Good attackers don't stop at one compromised mailbox. They set up inbox rules to hide their tracks, pivot to other accounts, and maintain access for weeks or months before executing their final objective.
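The inbox-rule trick above is also one of the easier persistence signs to hunt for. As an added example (not the post's own tooling), this script triages a constructed rule export for the usual cleanup patterns: moving or deleting mail that mentions invoices or passwords, marking it read, forwarding it outside the company, or hiding behind a blank rule name. The field names in the rule dicts are assumptions, not any vendor's schema.

```python
"""Triage mailbox rules for the hiding-tracks pattern described above.
Added example, not the post's own tooling. Rule dicts are a constructed
sample modelled loosely on a mail-admin rule export; the conditions/actions
keys are assumptions, not any vendor's schema."""
import re

FINANCE_OR_AUTH_WORDS = re.compile(r"\b(invoice|wire|payment|bank|password|mfa|security|login)\b", re.I)
# Folders attackers use to park mail the victim is unlikely to look at.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items", "conversation history"}

# Constructed sample: rules from one hypothetical mailbox, not real data.
SAMPLE_RULES = [
    {"mailbox": "ap.clerk@example.com", "name": ".",
     "conditions": {"subject_contains": ["invoice", "wire"]},
     "actions": {"move_to_folder": "RSS Feeds", "mark_as_read": True}},
    {"mailbox": "ap.clerk@example.com", "name": "Fwd",
     "conditions": {"body_contains": ["bank"]},
     "actions": {"forward_to": ["collector@external-mail.test"], "delete": True}},
    {"mailbox": "ap.clerk@example.com", "name": "Newsletters",
     "conditions": {"subject_contains": ["newsletter"]},
     "actions": {"move_to_folder": "Newsletters"}},
]

def rule_findings(rule):
    """Return the list of reasons a single rule looks like attacker cleanup."""
    cond, act = rule.get("conditions", {}), rule.get("actions", {})
    reasons = []
    if act.get("delete"):
        reasons.append("deletes matching mail")
    folder = (act.get("move_to_folder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves matching mail to '{folder}'")
    if act.get("mark_as_read"):
        reasons.append("marks mail as read so it never shows as unread")
    own_domain = rule["mailbox"].rsplit("@", 1)[-1].lower()
    external = [a for a in act.get("forward_to", []) if a.rsplit("@", 1)[-1].lower() != own_domain]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
    keyed_on = " ".join(cond.get("subject_contains", []) + cond.get("body_contains", []))
    if FINANCE_OR_AUTH_WORDS.search(keyed_on):
        reasons.append("matches on finance or authentication keywords")
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("blank or single-character rule name")
    return reasons

def triage(rules):
    """Rules worth an analyst's look, most suspicious first."""
    hits = [(r["name"], rule_findings(r)) for r in rules]
    return sorted([h for h in hits if h[1]], key=lambda h: -len(h[1]))
```

Run it against a real export of every mailbox's rules and review anything with two or more findings; a single finding (a legitimate newsletter filter, say) is usually noise.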
Real Breaches That Started with Spear Phishing
This isn't theoretical. Here are real incidents where spear phishing was the initial vector:
RSA Security (2011): An employee opened an Excel file titled "2011 Recruitment Plan" sent via spear phishing. The attacker exploited a zero-day Flash vulnerability, eventually compromising RSA's SecurID tokens — affecting thousands of defense and government clients.
Sony Pictures (2014): Attackers linked to North Korea used spear phishing emails to compromise Sony employees, leading to the leak of unreleased films, executive emails, and employee personal data. The estimated damage exceeded $100 million.
Ubiquiti Networks (2015): A spear phishing-driven BEC attack tricked finance employees into wiring $46.7 million to overseas accounts controlled by attackers.
Twitter (2020): A social engineering attack — beginning with targeted spear phishing of employees via phone — gave attackers access to internal admin tools. They hijacked high-profile accounts including those of Barack Obama, Elon Musk, and Apple.
Every one of these started with a single message aimed at a single person. That's the power of spear phishing.
Why Technical Controls Alone Won't Stop It
I love a good secure email gateway. I'm a huge advocate for multi-factor authentication. DNS filtering, DMARC, endpoint detection — deploy all of it. But here's what I've learned after years in this field: technology catches the obvious stuff, and spear phishing is never obvious.
A well-crafted spear phishing email uses a legitimate sending domain (sometimes a compromised one), contains no malware (just a link to a convincing credential page), and references real internal context. Your email filter sees a clean message from a known domain with no attachment. It sails through.
The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element — meaning someone clicked, someone shared credentials, someone was manipulated. Technology is essential, but the human layer is where spear phishing succeeds or fails.
7 Practical Steps to Defend Against Spear Phishing
Here's what actually works based on organizations I've helped harden over the past decade.
1. Run Realistic Phishing Simulations — Regularly
Not once a year. Monthly or quarterly. Use scenarios that mirror actual spear phishing tactics: impersonating the CEO, spoofing vendor invoices, mimicking MFA reset alerts. Measure click rates, report rates, and credential submission rates over time. Our phishing awareness training for organizations provides exactly this kind of scenario-based education.
2. Implement Multi-Factor Authentication Everywhere
MFA won't stop someone from clicking a link, but it dramatically limits what an attacker can do with stolen credentials. Use phishing-resistant MFA (FIDO2/WebAuthn) wherever possible. SMS-based MFA is better than nothing, but it's vulnerable to SIM swapping.
3. Deploy DMARC, DKIM, and SPF
These email authentication protocols help prevent domain spoofing. CISA's Binding Operational Directive 18-01 required all federal agencies to implement DMARC. If the federal government mandates it, your organization should too.
4. Establish Out-of-Band Verification for Financial Requests
Any wire transfer, payment change, or sensitive data request received via email must be verified through a separate channel — a phone call to a known number, a face-to-face confirmation, or an internal approval workflow. This single control stops the majority of BEC losses.
5. Limit Public Exposure of Employee Information
Audit what's on your website. Do you really need a full org chart with names and titles? Encourage employees to lock down their LinkedIn privacy settings and limit what they share on social media. Every data point an attacker finds makes their spear phishing email more convincing.
6. Build a Zero Trust Architecture
Zero trust assumes every user, device, and network segment is potentially compromised. Even if an attacker gets valid credentials through spear phishing, zero trust principles — least privilege access, continuous verification, microsegmentation — limit the blast radius.
7. Invest in Ongoing Security Awareness Training
One-and-done training doesn't work. I've seen organizations check the compliance box with a single annual video and wonder why employees still click malicious links. Effective security awareness requires ongoing reinforcement, real-world examples, and hands-on practice. Our cybersecurity awareness training program covers spear phishing recognition alongside broader social engineering defense — designed to build lasting behavioral change.
Who Gets Targeted Most? It's Not Always the CEO
There's a common misconception that spear phishing only targets executives. While "whaling" (spear phishing aimed at the C-suite) gets the headlines, the most common targets in my experience are:
- Accounts payable and finance staff — they authorize payments
- HR departments — they handle W-2s, SSNs, and employee data
- IT administrators — they have privileged access to systems
- Executive assistants — they manage calendars, travel, and often have access to executive email
- New employees — they don't yet know internal processes well enough to spot anomalies
If your security awareness program only covers your leadership team, you're leaving the biggest attack surface unprotected.
How to Spot a Spear Phishing Email
This is the section I want you to share with your team. Train people to check for these red flags — even when the email looks legitimate:
- Urgency + authority: "I need this done before end of day" from someone senior. Real leaders rarely email urgent wire requests without prior context.
- Unusual requests: Anything outside normal workflow — changing bank details, sharing passwords, disabling security controls.
- Slight domain variations: Look at the actual email address, not just the display name. An address that differs from the real one by a single character belongs to a different sender entirely.
- Mismatched tone: If your CEO never writes "Dear colleague" and suddenly does, that's a flag.
- Unexpected attachments or links: Especially if the message creates pressure to open them immediately.
When in doubt, pick up the phone. A 30-second call to verify has prevented millions in losses.
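The "slight domain variations" flag above, and the lookalike-domain trick from the reconnaissance section, can be checked mechanically at the mail gateway or in a triage script. As an added example (not the post's own code), this screens a From: header for a display name that impersonates a known person while the address is external, and for a sending domain that is a homoglyph or one-to-two-character near miss of the real one. The trusted domain, the sender roster and the sample headers are constructed.

```python
"""Screen a From: header for two red flags from the checklist above:
a display name that impersonates a known person while the address is
external, and a sending domain that is a lookalike of the real one.
Added example, not the post's own code; roster, domain and headers are
constructed."""
from email.utils import parseaddr

TRUSTED_DOMAIN = "yourcompany.com"
# Constructed roster of frequently impersonated senders (lower-case names).
KNOWN_SENDERS = {"pat lee", "chris ng"}
# Substitutions seen in lookalike registrations: digits, letter pairs and
# Cyrillic letters that render like Latin ones.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def fold_confusables(domain):
    d = domain.lower()
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance, for catching one- or two-character near misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_from(header):
    """Return a list of red flags for one From: header (empty means clean)."""
    display, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    if domain == TRUSTED_DOMAIN:
        return flags                      # internal sender: nothing to check here
    folded, target = fold_confusables(domain), fold_confusables(TRUSTED_DOMAIN)
    if folded == target:
        flags.append(f"domain {domain!r} is a homoglyph lookalike of {TRUSTED_DOMAIN}")
    elif 0 < edit_distance(folded, target) <= 2:
        flags.append(f"domain {domain!r} is a near-miss spelling of {TRUSTED_DOMAIN}")
    if display.strip().lower() in KNOWN_SENDERS:
        flags.append(f"display name {display!r} impersonates a known sender from outside the company")
    return flags
```

Both flags together (an executive's name on a lookalike domain) are the classic BEC pattern and are worth an automatic banner or quarantine; the display-name flag alone also fires on legitimate personal accounts, so route it to review rather than block.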
Spear Phishing Is Evolving — AI Makes It Worse
In 2024, generative AI tools have made spear phishing dramatically easier. Attackers can now feed an AI model a target's LinkedIn posts, published articles, and social media activity, then generate a perfectly tailored message in seconds. The grammatical errors and awkward phrasing that used to be phishing red flags? Those are disappearing.
I've tested AI-generated spear phishing messages in controlled simulations this year. The click rates were 20-30% higher than manually crafted messages. The quality gap between amateur and sophisticated attackers is shrinking fast.
This means your defenses can't rely on employees spotting bad grammar. You need layered controls: technical, procedural, and human. The organizations that combine all three — email security tools, verification workflows, and continuous training through programs like our phishing awareness training — are the ones that consistently perform best in my assessments.
The Bottom Line on Spear Phishing Defense
Spear phishing isn't going away. It's getting cheaper, faster, and harder to detect. The question isn't whether your organization will be targeted — it's whether your people will recognize the attack when it lands in their inbox.
Start with realistic simulations. Layer in technical controls like MFA and DMARC. Build verification procedures for sensitive requests. And invest in security awareness training that goes beyond checking a compliance box.
The organizations that treat spear phishing as a persistent, evolving threat — not a one-time training topic — are the ones that avoid becoming the next headline.