Spear-Phishing​ ​

Spear-phishing is one of the highest targeted forms of phishing attacks in the cyberattack landscape.

Previously, we’ve shown other forms of phishing in previous articles, and most of them have in common the fact they have a mass approach, sending the same email to thousands of targets, for example.

However, Spear-Phishing has a more sophisticated and researched method, as we’ll see in this article.

What is Spear-Phishing

It’s 9 am. Michael is the Sales Regional Manager for a systems integrator. He takes his coffee cup and goes to his desk at his home office to start the workday. Then, Michael fires up Outlook and sees Ian Downes (CEO) has a message for him. Ian wants Michael to see new guidelines for home office workers, so he sent a document.

Michel opens the GDocs file with the company’s letterhead, a few recommendations on remote work, and a link to fill an internal survey on the subject, claiming it’s mandatory. He clicks on the link, which asks for his GSuite credentials to access the survey. 

He just gave his credential information to an attacker, who now has access to all his files, those private and shared with him.

That’s the perfect Spear-Phishing scam: a common type of cyberattack where criminals adopt a targeted approach to tricking an individual into disclosing sensitive information or undertaking actions such as initiating wire transfers. 

Spear-phishing is a highly targeted approach because the perpetrator would use highly personalized information about the target to convince them it’s a legitimate message.

Phishing vs. Spear-Phishing

As we saw in the example above, Spear-Phishing involves dedicated research on the target company and users, including names, visual details, corporate language, hierarchy, etc.

Customization is the most significant difference between this attack and common phishing scams. In the latter, attackers cast a wide net with generic email and page templates, hoping to succeed in the volume itself. Instead, the approach is surgical, detailed, and crafted to impersonate real people inside a company on Spear-Phishing successfully. 

While both can generate the same losses for any organization, Spear-Phishing affects critical people in organizations, in departments such as financial, HR, and others that hold sensitive information. 

How Serious is Spear-Phishing?

Just to give you an idea about the seriousness of these attacks, Data Room company Firmex found that this is the most successful form of attack that results in data exposure and accounts for 91% of all attacks. 

Bear in mind these data come from a pre-pandemic world, without the added component of remote work. In our scenario with Michael, he was not at the office, where he could feel something is wrong by just talking to a colleague: “hey, they sent another survey; what a bore, huh?”. Being physically distant from the office allows it to be even more successful. 

Types of Spear-Phishing Attacks

Whaling is the most famous form of spear-phishing. Since it has a more crafted approach, attackers must carefully select targets to maximize returns. So, whaling – with its “high-value target” philosophy, is commonly used.

Some experts talk about CEO fraud, which is itself inside whaling since it has the same mechanics. Still, it’s worth mentioning because it focuses on attacks based on impersonating a high-level executive.

How to Avoid Spear-Phishing?

A recent survey from GreatHorn points out that users fail to identify nearly half of phishing attacks. It happens because employees lack cybersecurity awareness and because cybercriminals do their job, creating highly customized emails that resemble real ones. So, it’s essential to highlight the roles of organizations and users to avoid the consequences of these attacks.

Company perspective

Phishing Simulations

Campaigns targeted to test users’ awareness help influencing behavior without risks. Creating messages that look legitimate from real people inside the company and adding to your simulations helps improves organizational defense.

Strengthen Communications

Every corporate email should work alongside other forms of communication, from bulletin boards to internal messagers’ chats.

User perspective


100% of all Spear-Phishing attacks use external accounts to emulate the company’s domain closely. Say your company’s URL is yourcompany.com. A scammer would send a message from john@your_company.com. By tweaking the address just a little, less vigilant users can fall for this attack.


Is this email, in particular, a common way for your company to communicate such matters? Is the language a bit different from other messages? Is there something “off” with this message? In case of doubts, stop and check or report.

The "Funnel Effect"

From the email, you’re prompted to visit a page and then put your credentials. A Spear-Phishing attack exists because criminals are outside of your network. If you already logged in and an email takes you to several steps to make you log in again, something is off.

Build cyber culture and learn how to avoid Spear-Phishing and other cyberattacks today!