Spear Phishing Attacks: What They Are, How to Spot Them, and How to Stop Them
According to the FBI’s 2023 Internet Crime Report, business email compromise schemes generated more than $2.9 billion in losses in a single year. Most of those schemes begin with a targeted email sent to a specific person inside a specific organization.
Generic phishing casts a wide net and accepts low odds. Spear phishing works on a different logic: the attacker invests time studying one target, then sends a single message engineered to get past that specific person’s judgment.
This guide covers what spear phishing is and how attackers build and execute these campaigns. It also walks through how to recognize a targeted email before someone clicks, and the specific controls that reduce risk for organizations of 25 to 250 employees.
What Is Spear Phishing? Definition and Quick Comparison
Spear phishing is a targeted email attack built for a specific individual or organization. The contrast with bulk phishing is fundamental: bulk phishing sends millions of near-identical messages hoping a fraction of a percent responds. Spear phishing sends one carefully constructed message to one carefully selected target.
The defining characteristic is pre-attack research. Before drafting a single sentence, the attacker knows the target’s name, role, direct manager, active vendors, and recent business context. The message reads like it belongs in the recipient’s inbox because it was engineered for that inbox specifically.
| Attribute | Generic Phishing | Spear Phishing |
|---|---|---|
| Volume | Thousands of recipients | One or a small group |
| Personalization | None or minimal | High, target-specific |
| Research required | None | Significant |
| Per-target success rate | Very low | Significantly higher |
The “spear” signals precision: attackers pick a target, not a population. The LeadingIT blog’s phishing guide covers where spear phishing fits within the broader taxonomy, including smishing, vishing, and clone phishing.
How Spear Phishing Works: Inside the Attack
Every spear phishing campaign follows a predictable sequence. Understanding the steps makes the attack easier to recognize and defend against.
- Reconnaissance. The attacker scrapes LinkedIn profiles, the company website, press releases, and social media to map the organization’s structure. They identify who controls payments, who holds elevated system access, and what the reporting relationships look like.
- Profiling. The attacker identifies the target’s direct manager, frequent vendors, and communication patterns. A finance manager who processes invoices from a specific supplier becomes a target; so does an IT administrator responsible for a cloud email platform.
- Pretext construction. Using social engineering principles, specifically authority, urgency, familiarity, and reciprocity, the attacker crafts a message that feels completely routine. Real names, real vendors, and plausible project details appear in the email.
- Delivery. The email arrives from a spoofed or lookalike domain designed to pass a quick visual scan. The display name looks correct, the subject line is plausible, and the request appears completely routine.
- Payload. The target clicks a credential-harvesting link or opens a malware attachment. The attacker gains account access or a foothold in the organization’s systems.
Social engineering exploits human psychology rather than software vulnerabilities, and that’s what makes spear phishing effective against organizations of every size and technical sophistication. No firewall stops an employee from clicking a link in a message that appears to come from their own CFO.
Who Spear Phishing Targets and Why SMBs Are Not Safe
Attackers follow the access and the money. Inside any organization, that logic points to the same set of roles.
High-value targets include:
- Finance staff who control payment approvals, wire transfers, and vendor banking details
- HR staff with access to payroll systems and employee W-2 data
- IT administrators whose credentials unlock email platforms, file servers, and cloud infrastructure
- Executives whose approval authority can move large sums without additional review
The “we’re too small to target” assumption persists, and it is wrong. Verizon’s Data Breach Investigations Report consistently identifies phishing as one of the top initial access vectors across organizations of all sizes. Small businesses represent a significant share of breach victims in the dataset.
SMBs carry the same categories of sensitive data as larger enterprises: financial records, customer personally identifiable information (PII), and supply-chain access to larger partner organizations. The defenses protecting that data are typically lighter.
Several industry verticals carry elevated exposure:
- Healthcare (protected health information)
- Legal and professional services (privileged client data)
- Financial services
- Manufacturing firms embedded in large enterprise supply chains
Spear Phishing vs. Whaling: When the Target Is the CEO
Whaling is a sub-category of spear phishing where the target is a C-level executive, board member, or other individual whose account or approval authority carries outsized organizational impact. The elevated target is what earns the name.
These attacks run in two directions.
Targeting the executive as the victim. The attacker sends a convincing credential-harvesting message to the CEO, CFO, or general counsel. Capturing an executive’s email account opens access to sensitive documents, strategic communications, and high-authority approval chains.
Impersonating the executive to manipulate employees. This is CEO fraud. The attacker spoofs or compromises the CEO’s email address and sends a message to a finance team member requesting an urgent wire transfer to a new vendor account. The staffer complies quickly because the instruction appears to come directly from the top.
The FBI’s Internet Crime Complaint Center tracks CEO fraud under business email compromise (BEC). Losses attributed to BEC exceeded $2.9 billion in 2023 alone, driven almost entirely by this combination of perceived authority and manufactured urgency. The business email compromise guide breaks down every BEC attack type and the financial controls that stop each one.
Email alone should never be the sole authorization channel for financial transactions, regardless of who appears to be sending the request.
Spear Phishing Examples Every Business Owner Should Know
Each of these scenarios has generated real losses at real small businesses. In each case, the red flag was observable before the damage occurred.
- Vendor impersonation. An attacker registers “acme-invoices.com” when the actual vendor is “acmecorp.com.” Accounts payable receives a revised invoice with updated banking details, and the payment routes to an attacker-controlled account. The red flag: a sending domain that doesn’t exactly match the vendor’s actual website.
- HR payroll redirect. An attacker spoofs an employee’s personal email address and contacts HR, requesting a direct deposit routing update before the next pay cycle. The next paycheck routes to an attacker-controlled account instead of the real employee’s bank. The red flag: a payroll change request arriving by email, outside the normal HR portal or system workflow.
- IT credential harvest. An attacker sends a Microsoft 365 security alert to an IT administrator, linking to a convincing login page clone. The captured admin credentials provide broad access to email, shared files, and every connected cloud service. The red flag: a security alert whose sending domain doesn’t match Microsoft’s actual infrastructure.
In each case, personalization and manufactured urgency made the email persuasive. In each case, one verification step would have stopped the transaction.
How to Spot a Spear Phishing Email
Recognition is a learnable skill. These six checks cover the most common indicators of a targeted email attack:
- Verify the actual sending domain, not the display name. Display names can be set to anything; expand the sender field and read the actual email address behind it.
- Look for lookalike domains. Transposed letters (“rn” rendered as “m”), inserted hyphens, and swapped top-level domains (.net or .co in place of .com) are common tactics. The difference between “microsoft.com” and “microsofft.com” disappears in a busy inbox.
- Flag urgency language that discourages escalation. Phrases like “respond within the hour,” “don’t loop in IT on this,” or “wire before close of business” are deliberate friction-reducers. Legitimate financial and IT requests rarely prohibit a second review.
- Hover over links before clicking. Verify that the destination URL in the status bar matches the supposed sender’s actual domain. If the displayed text says one thing and the resolved link goes somewhere else, the email is malicious.
- Watch for requests that bypass standard process. Any wire transfer, payroll update, or credential change that arrives exclusively by email and skips dual-approval is a red flag regardless of who appears to be asking.
- Verify out-of-band. Call the requester using a phone number already on file, not a number provided in the email. That 30-second call has stopped six-figure fraud attempts.
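The sender-domain, lookalike-domain and link-hover checks in the list above can be scripted for mail triage. The block below is an added example, not code from the original post; the `TRUSTED` map (trusted domain to brand token) and the `HOMOGLYPHS` table are constructed sample data and an assumption about which tricks to collapse.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from urllib.parse import urlparse

# Trusted domain -> brand token an impostor is likely to reuse (constructed sample data, an assumption).
TRUSTED = {"acmecorp.com": "acme", "microsoft.com": "microsoft"}

# Character tricks that survive a quick visual scan: "rn" reads as "m", "0" as "o", and so on.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e")]

def sender_domain(from_header: str) -> str:
    """Domain of the real address behind the display name ('' if there is none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def normalize(domain: str) -> str:
    """Collapse TLD swaps, inserted hyphens and homoglyphs so lookalikes compare equal."""
    label = domain.rsplit(".", 1)[0] if "." in domain else domain  # drop the TLD
    label = label.replace("-", "").replace(".", "")
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label

def classify_sender(from_header: str) -> str:
    """'trusted' (exact or subdomain), 'lookalike' (impostor of a trusted brand) or 'external'."""
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    if any(domain == good or domain.endswith("." + good) for good in TRUSTED):
        return "trusted"
    label = normalize(domain)
    for good, brand in TRUSTED.items():
        # Near-identical spelling (microsofft, rnicrosoft, acmecorp.co) ...
        if SequenceMatcher(None, label, normalize(good)).ratio() >= 0.9:
            return "lookalike"
        # ... or the brand name embedded in a freshly registered domain (acme-invoices.com).
        if brand in label:
            return "lookalike"
    return "external"

def link_mismatch(anchor_text: str, href: str) -> bool:
    """True when the visible link text names one domain but the real target is another."""
    shown = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", anchor_text.lower())
    if not shown:
        return False  # plain text such as "click here" names no domain to compare against
    named = shown.group(1)
    target = (urlparse(href).hostname or "").lower()
    return not (target == named or target.endswith("." + named))
```

A "lookalike" result is a reason to pause and verify out-of-band, not proof of fraud: legitimate third-party senders sometimes reuse a brand name in their own domain.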
How to Prevent Spear Phishing Attacks at Your Business
Prevention requires layered controls. No single tool eliminates the risk, but the combination below makes a spear phishing campaign significantly harder to execute successfully.
Security awareness training with simulated phishing tests. Employees are the primary attack surface. Regular, realistic drills build recognition skills and create a culture where reporting a suspicious email is the default response, not an embarrassment. The drills should not be limited to email; include other phishing forms, such as smishing, as well. Training without simulation is awareness without accountability.
Email authentication: DMARC, DKIM, and SPF. These three standards, each published through DNS records, work together so that receiving mail servers can detect and reject email that forges your domain. Without all three configured and enforced (a DMARC policy of quarantine or reject), your domain is open to impersonation by anyone.
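A quick posture check for the three records is shown below as an added example, not part of the original post. The TXT records are constructed samples for two made-up domains, and `lookup_txt` is a hypothetical stand-in for a real DNS query.

```python
import re

# Constructed sample TXT records standing in for DNS answers (assumption: a real check queries DNS).
TXT_RECORDS = {
    "weak.example": "v=spf1 include:_spf.mailhost.example ?all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "strict.example": "v=spf1 include:_spf.mailhost.example -all",
    "_dmarc.strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example",
    "s1._domainkey.strict.example": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
}

def lookup_txt(name: str) -> str:
    """Hypothetical resolver: the TXT record for a name, '' if absent."""
    return TXT_RECORDS.get(name, "")

def spf_all_qualifier(spf: str) -> str:
    """Qualifier on the SPF 'all' mechanism: '-', '~', '?' or '+' ('' if 'all' is missing)."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf)
    return (m.group(1) or "+") if m else ""

def dmarc_tag(dmarc: str, tag: str) -> str:
    """Value of a DMARC tag such as 'p' or 'adkim', '' if absent."""
    m = re.search(rf"(?:^|;)\s*{tag}\s*=\s*([^;\s]+)", dmarc)
    return m.group(1).lower() if m else ""

def assess_domain(domain: str, dkim_selectors=("s1",)) -> list:
    """List the weaknesses that leave the domain open to spoofing (empty list = enforced)."""
    issues = []
    spf = lookup_txt(domain)
    if not spf.startswith("v=spf1"):
        issues.append("no SPF record: any server can claim to send for this domain")
    elif spf_all_qualifier(spf) not in ("-", "~"):
        issues.append("SPF does not fail unlisted senders: end the record with -all (or ~all)")
    dmarc = lookup_txt("_dmarc." + domain)
    if not dmarc.startswith("v=DMARC1"):
        issues.append("no DMARC record: receivers cannot enforce SPF/DKIM alignment")
    elif dmarc_tag(dmarc, "p") not in ("quarantine", "reject"):
        issues.append("DMARC p=none only reports forgery: move to p=quarantine, then p=reject")
    if not any(lookup_txt(f"{s}._domainkey.{domain}").startswith("v=DKIM1") for s in dkim_selectors):
        issues.append("no DKIM public key published for the expected selector(s)")
    return issues
```

These records only stop forgery of your own domain: a lookalike domain the attacker registers passes all three checks, which is why the sender-domain checks in the previous section still matter.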
Multi-factor authentication (MFA) on every account. Even when a phishing page captures valid credentials, MFA blocks account takeover at the login step. It is the highest-leverage single control against credential-harvesting attacks.
Advanced email filtering. AI-based tools flag anomalous sender behavior, quarantine messages with mismatched domains, and detonate attachments in a sandbox before the message reaches the inbox.
Financial process controls. Require dual approval and out-of-band confirmation for every wire transfer, vendor banking change, and payroll update. The policy applies regardless of how legitimate or urgent the email request appears.
Audit your public exposure. Review what employee names, titles, reporting relationships, and contact details are publicly visible on LinkedIn and your company website. Attackers use all of it to build convincing pretexts before sending a single message.
Chicago-area businesses can have these controls implemented and monitored as a unified stack through comprehensive cybersecurity protection, without managing a collection of individual tools with an already-stretched internal team.
What to Do if a Spear Phishing Attack Hits Your Business
Speed determines the scope of the damage. Every minute of undetected access extends the attacker’s reach into systems, accounts, and connected contacts.
Isolate immediately. Disconnect the affected device from the network. If the attacker compromised an email account, revoke active sessions and force a credential reset before they pivot laterally to other mailboxes or connected systems.
Assess scope. Check for email forwarding rules and delegated access permissions the attacker may have added to maintain persistence. Determine what files, contacts, and downstream accounts were reachable from the compromised account.
Notify stakeholders. Loop in your IT team or managed service provider. If the attacker accessed regulated data, specifically PHI, PII, or payment card data, evaluate breach notification obligations under HIPAA, applicable state law, or PCI DSS.
Restore from backup. If the phishing attack delivered ransomware as its payload, tested and recoverable backups are often the only path to full recovery without paying a ransom. Data backup and recovery services belong in your prevention stack for exactly this reason, not just your incident plan.
Report to the FBI IC3. File a complaint at ic3.gov even if losses are uncertain or the attack was caught early. Early reports in wire-fraud cases sometimes enable asset recovery, and all reports help investigators track campaign patterns across organizations.
The step-by-step phishing incident response guide walks through each action in sequence, covering the full first 24 hours after any phishing click.
When spear phishing defenses are working, attacks are intercepted before they succeed. Employees know exactly what to report and to whom. Finance teams operate with process guardrails that make wire fraud and payroll redirect nearly impossible to execute through email alone.
LeadingIT works with SMBs across the Chicagoland area to implement and monitor the full stack of controls covered here. That includes email security, security awareness training, endpoint protection, and 24/7 monitoring, without the overhead of an in-house security team.
When spear phishing becomes a managed risk rather than a recurring crisis, your team can focus on the work that actually moves the business forward. Contact our Chicagoland IT support team or call 815-788-6041 to schedule a free assessment.