CyberPedia
Spearphishing
Overview
Spearphishing is a highly targeted form of phishing where scammers craft messages aimed at specific people or small groups, using personal or business details to make the message look real. Unlike broad “Dear customer” spam, spearphishing feels like it was written just for you, which makes it much more convincing and dangerous.
In plain terms: spearphishing is a customized scam email, text, or message that uses what the attacker knows about you to trick you into doing something harmful.
What Spearphishing Looks Like
Spearphishing messages typically:
Use real names, roles, and context
They may mention your boss, your team, current projects, or real vendors.
Appear to come from people you trust
A manager, coworker, HR, IT, a known supplier, or a partner organization.
Refer to current events
Recent meetings, company announcements, or industry news.
Ask you to take a specific action
Click a link, open an attachment, approve a payment, share a document, or log in to a system.
Examples:
An email that looks like it’s from your CFO asking you by name to urgently pay an invoice to a new account.
A message that appears to be from IT, referencing your actual department, asking you to “verify” your password via a link.
A “shared file” notification that uses your real project name and teammates’ names but points to a fake login page.
How Spearphishing Works (Typical Steps)
Attackers usually follow a pattern:
Research (reconnaissance)
They gather information from LinkedIn, company websites, social media, news articles, and past breaches.
They learn who works where, who reports to whom, what tools you use, and what’s going on in the organization.
Target selection
They pick people who have what they want: finance staff, executives, IT admins, HR, or anyone with access to sensitive systems or data.
Crafting the message
They write a tailored email or message using the details they’ve collected so it sounds authentic and relevant.
They may copy real email signatures, logos, and writing styles.
Delivery and action
The message is sent, often from a spoofed address (or a look‑alike domain) or from a compromised real account.
The target is urged to click, open, reply, or approve quickly.
Exploitation
If the target complies, attackers may:
Steal login credentials from a fake login page.
Install malware from an attachment.
Get a payment or sensitive data directly.
Use the compromised account to spearphish others.
What Attackers Want
Spearphishing is often used for:
Account takeover
Stealing usernames, passwords, and multi‑factor codes for email, VPN, finance, or admin systems.
Business Email Compromise (BEC)
Fooling staff into making fraudulent payments or changing bank account details.
Data theft
Grabbing customer lists, employee records, confidential documents, or trade secrets.
Malware deployment
Getting someone to open a malicious attachment that installs ransomware or remote‑access tools.
Why Spearphishing Is So Effective
Spearphishing works because:
It feels personal and relevant, not like random spam.
Attackers use real names, context, and tone, lowering suspicion.
Messages often create urgency, authority, or fear (“the CEO needs this now,” “audit deadline,” “security issue”).
Busy people skim emails and may not notice small warning signs, especially on phones.
Red Flags to Watch For
Be extra cautious if you see any of the following in a “personalized” message:
A request to do something unusual or outside normal process (especially payments or sharing sensitive data).
A sense of urgency (“do this within the hour,” “don’t tell anyone,” “I’m boarding a plane so just handle it”).
A sender address that looks slightly off (extra letters, wrong domain, look‑alike domain such as compaNY-secure.com instead of company.com).
Links that don’t quite match the supposed service (hover to check on a computer).
Attachments you weren’t expecting, especially if they’re labeled as invoices, HR docs, or urgent reports.
Tone or wording that is “almost right” but slightly unusual for that person.
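Several of the red flags above (a look-alike sender domain, a display name that hides a different real address, a Reply-To that goes elsewhere, link text that does not match where the link really points) can be checked mechanically before a person ever has to judge tone. The script below is an added illustration, not part of this CyberPedia page: the trusted-domain list, the headers and the HTML body are all constructed, and the look-alike test (same word inside the domain label, or at most two edits away) is a deliberately simple heuristic rather than a production detector.

```python
"""Mechanical red-flag checks on a suspected spearphishing message.
Added example; TRUSTED_DOMAINS and the sample message are constructed."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: your own domain plus domains of known partners/suppliers.
TRUSTED_DOMAINS = {"company.com", "vendor-a.com"}
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[A-Za-z]{2,}(/\S*)?")


def levenshtein(a, b):
    """Edit distance; used to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain `host` imitates, or None if trusted/unrelated."""
    dom = registrable(host)
    if dom in trusted:
        return None
    label = dom.split(".")[0]
    for t in sorted(trusted):
        tlabel = t.split(".")[0]
        if tlabel in label or levenshtein(label, tlabel) <= 2:
            return t
    return None


class _Links(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")

    def handle_data(self, data):
        if self._href is not None:
            self.links.append((data.strip(), self._href))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def red_flags(headers, html_body):
    """Return a list of human-readable warnings for the message."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    from_host = addr.rpartition("@")[2]
    imitated = lookalike_of(from_host) if from_host else None
    if imitated:
        flags.append(f"sender domain {from_host} looks like {imitated}")
    # Display name that itself contains an address, e.g. "ceo@company.com" <x@gmail.com>
    if "@" in name and registrable(name.rpartition("@")[2]) != registrable(from_host):
        flags.append(f"display name {name!r} does not match real address {addr}")
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and registrable(reply.rpartition("@")[2]) != registrable(from_host):
        flags.append(f"Reply-To {reply} goes to a different domain than From")
    parser = _Links()
    parser.feed(html_body)
    for text, href in parser.links:
        real = urlparse(href).hostname or ""
        shown = None
        if URL_LIKE.fullmatch(text):
            shown = urlparse(text if "://" in text else "https://" + text).hostname
        if shown and registrable(shown) != registrable(real):
            flags.append(f"link text shows {shown} but points to {real}")
        elif lookalike_of(real):
            flags.append(f"link host {real} looks like {lookalike_of(real)}")
    return flags


# Constructed sample message mirroring the red flags discussed above.
SAMPLE_HEADERS = {
    "From": "Dana Lee <dana.lee@compaNY-secure.com>",
    "Reply-To": "dana.lee@secure-docs-mail.net",
}
SAMPLE_BODY = (
    '<p>Hi Sam, the Q3 budget file is ready: '
    '<a href="https://compaNY-secure.com/login">https://company.com/share/q3</a>. '
    'Please <a href="https://login.c0mpany.com/">sign in</a> to review.</p>'
)

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_HEADERS, SAMPLE_BODY):
        print("WARNING:", flag)
```

Running it on the constructed sample prints four warnings: the sender domain imitating company.com, the Reply-To pointing at a third domain, the first link showing company.com while going to company-secure.com, and the second link's host being one character away from company.com. A real mail gateway would layer this on top of authentication results (SPF/DKIM/DMARC) and a proper public-suffix list rather than the two-label shortcut used here.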
Business Impact
A successful spearphishing attack can lead to:
Fraudulent wire transfers or invoice payments.
Compromised email and cloud accounts used to attack others.
Data breaches of customer, employee, or company confidential information.
Ransomware or other malware incidents.
Regulatory, legal, and reputational damage.
Key Prevention Tips (Plain‑Language)
For individuals and staff:
Slow down on unusual requests—even if they look personal
If a message asks you to bypass normal steps (especially for money or access), treat that as suspicious, not as a favor.
Verify through a separate channel
Call the person on a known number, or message them via a known internal tool, rather than replying to the same email or clicking its links.
Check the sender carefully
Look at the full email address, not just the display name.
On a computer, hover over links to see where they really go.
Be cautious with attachments and “shared files”
If you weren’t expecting it, confirm with the sender before opening, especially for Office documents that ask you to “enable content” or run macros, ZIP archives, or PDFs.
Use and respect MFA
Even if a password is stolen, multi‑factor authentication can block many account takeovers—but never share codes or approve login prompts you didn’t initiate.
Report suspicious messages
Use your company’s “report phishing” button or forward to security/IT so they can warn others and block similar attempts.
What Organizations Should Do
To reduce spearphishing risk, businesses should:
Provide regular, realistic security awareness training with examples of targeted messages.
Enforce technical controls: email filtering, URL protection, attachment sandboxing, and strong SPF/DKIM/DMARC on their domains.
Require strong authentication (MFA) on email, remote access, and critical apps.
Implement payment and access controls (for example, call‑back verification for bank changes and dual approvals for large transfers).
Monitor for unusual login and email‑sending patterns (impossible travel, many messages to unusual recipients, etc.).
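Two of the organizational controls above can be turned into simple automated checks: grading a domain’s SPF and DMARC records as weak or strong, and spotting “impossible travel” in login records. The code below is an added example, not part of this page or of any product it mentions. It does no DNS lookups; the SPF/DMARC records and the login events are constructed strings and tuples (in practice you would fetch the TXT records from DNS and read logins from your identity provider’s logs), and the 900 km/h speed threshold is an assumed value.

```python
"""Grade SPF/DMARC records and flag impossible-travel logins.
Added example; all records, events and thresholds are constructed."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


def parse_tags(record):
    """Split 'v=DMARC1; p=none; rua=...' into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(txt):
    """'strong' only when receivers are told to reject 100% of failures."""
    tags = parse_tags(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        return "strong"
    if policy in ("quarantine", "reject"):
        return "partial"
    return "monitor-only"  # p=none: reports only, spoofed mail still delivered


def grade_spf(txt):
    """Judge the SPF record by its final 'all' mechanism."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "missing"
    last = terms[-1].lower()
    if last in ("+all", "all"):
        return "open"        # anyone may send as this domain
    if last == "-all":
        return "strong"      # unauthorized senders fail
    if last == "~all":
        return "softfail"    # failures are only marked, not rejected
    return "weak"            # ?all or no terminating all


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """events: (user, ISO-8601 UTC time, lat, lon). Returns (user, t1, t2, kmh)
    for consecutive logins by the same user that imply travel above max_kmh."""
    alerts = []
    by_user = {}
    for user, ts, lat, lon in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon))
    for user, logins in by_user.items():
        logins.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(logins, logins[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            if hours <= 0 or km / hours > max_kmh:
                alerts.append((user, t1.isoformat(), t2.isoformat(), km / hours if hours else float("inf")))
    return alerts


# Constructed records: a monitor-only setup beside the hardened version.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.mailer.example ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@company.example",
}
STRONG_RECORDS = {
    "spf": "v=spf1 include:_spf.mailer.example -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@company.example",
}

# Constructed login events: alice appears in London and then Singapore 90 minutes later.
SAMPLE_LOGINS = [
    ("alice", "2024-05-01T09:00:00+00:00", 51.50, -0.12),
    ("alice", "2024-05-01T10:30:00+00:00", 1.35, 103.80),
    ("bob", "2024-05-01T09:00:00+00:00", 51.50, -0.12),
    ("bob", "2024-05-01T12:00:00+00:00", 48.86, 2.35),
]

if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("strong", STRONG_RECORDS)):
        print(label, "SPF:", grade_spf(recs["spf"]), "DMARC:", grade_dmarc(recs["dmarc"]))
    for user, t1, t2, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"ALERT {user}: {t1} -> {t2} implies {kmh:,.0f} km/h")
```

The weak records grade as softfail/monitor-only because `~all` and `p=none` let spoofed mail through with at most a warning; the hardened pair (`-all`, `p=reject`) tells receiving servers to reject it. Moving from p=none to p=reject is normally done in stages after reviewing the aggregate reports, so a monitor-only grade is a prompt to finish that rollout, not a misconfiguration in itself. The travel check is intentionally coarse (public geolocation is imprecise and VPN exits move people across continents), so it is best used as one signal that triggers a second look rather than an automatic lockout.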