What is spear phishing? How it works and how to prevent it

What is spear phishing?

Spear phishing is a form of targeted cyber attack in which specific individuals or organisations are sent fraudulent emails that purport to be from trusted senders.

These malicious communications aim to induce recipients to download malware, transfer money or part with sensitive or confidential information – whether directly or indirectly – and often increase their plausibility by using personal information that has either been compromised in other attacks or is publicly available.

Spear phishing vs phishing

All phishing emails purport to be from legitimate senders, but instead they contain malicious attachments or link to sites that either use drive-by downloads to install malware onto victims’ machines or harvest their credentials.

However, whereas the majority of phishing emails are haphazard in approach, sent at random to large databases of contacts and relying on the sheer weight of numbers for success, spear-phishing emails are much more focused and are sent to particular recipients.

As the name suggests, phishing casts a wide net, hoping to gather a number of smaller victims. Spear phishing, however, targets specific victims – whether individuals or particular organisations.

Although this effort means that there are relatively fewer spear-phishing emails to contend with than ordinary phishing emails, spear phishing is on the rise: Proofpoint’s Understanding Email Fraud survey found that 75% of organisations had been targeted at least once by email fraud in the past two years.

Attackers are prepared to invest this extra effort because spear-phishing emails have a greater chance of success: they are personalised with detailed messaging specific to the target, so a recipient has far less reason to doubt them than a generic phishing email.

How does spear phishing work?

Corporate websites and the likes of LinkedIn, Facebook and Twitter reveal a trove of employee information that provides great value to attackers. Some of the simplest spear-phishing attacks involve malicious actors looking up the names of organisations’ CEOs or other executives and sending messages purporting to be from them to every account on the corporate domain. By creating a sense of urgency and replicating executives’ often brusque manner of expressing themselves, they can often gain what they want relatively easily, simply by knowing a couple of names.
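The executive-impersonation pattern described above (a known name, a sender address outside the company, and a sense of urgency) is something a mail filter can score for before a message reaches the inbox. The following is an added example, not code from the original post or from IT Governance: the corporate domain, the executive names, the urgency phrases and the three sample messages are constructed for the demonstration. It also goes slightly beyond the paragraph by flagging lookalike sender domains (a digit swapped for a letter), which applies to any spoofed sender, not only executives.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumptions (constructed for this example): the defended organisation's own
# domain and the display names an attacker would be most likely to impersonate.
CORPORATE_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}

# Wording the article associates with executive impersonation: urgency and
# requests for money. The outer group makes findall() return the phrase itself.
URGENCY_TERMS = re.compile(
    r"\b(urgent|immediately|right away|asap|wire|transfer|gift cards?"
    r"|keep this (?:private|confidential))\b",
    re.IGNORECASE,
)


def levenshtein(a, b):
    """Edit distance; used to flag sender domains one or two edits from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess(raw):
    """Score one raw RFC 5322 message (bytes) for executive-fraud traits."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")

    findings, score = [], 0
    # 1. An executive's name on mail that did not come from the corporate domain.
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain != CORPORATE_DOMAIN:
        findings.append("executive display name from external domain")
        score += 3
    # 2. A registered lookalike of the corporate domain (e.g. a digit for a letter).
    if from_domain != CORPORATE_DOMAIN and levenshtein(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append("lookalike sender domain")
        score += 3
    # 3. Replies quietly redirected to a mailbox outside the sender's own domain.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to diverts replies to another domain")
        score += 2
    # 4. Pressure and payment language; capped so wording alone is never decisive.
    hits = sorted({m.lower() for m in URGENCY_TERMS.findall(text)})
    if hits:
        findings.append("urgent or payment wording: " + ", ".join(hits))
        score += min(len(hits), 2)

    return {"score": score, "findings": findings,
            "verdict": "suspicious" if score >= 3 else "ok"}


# Constructed sample messages (not real traffic).
SPOOF = b"""From: Jane Doe <jane.doe.ceo@webmail.example>
Reply-To: <payments-desk@mailbox.example>
To: accounts@example.com
Subject: Urgent wire transfer

Are you at your desk? I need you to wire a vendor payment immediately.
Keep this confidential until I am back from the board meeting.
"""

LOOKALIKE = b"""From: IT Helpdesk <helpdesk@examp1e.com>
To: staff@example.com
Subject: Password reset required

Your mailbox quota is full. Reset your password right away via the portal.
"""

LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget review

Please send me the Q3 figures when you have a moment. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, assess(raw))
```

The weights and the threshold are arbitrary starting points, chosen so that a display-name or lookalike hit alone is enough to flag a message while urgent wording on its own is not. In a real deployment this kind of scoring sits alongside SPF, DKIM and DMARC results rather than replacing them, and the list of names to protect would be drawn from the directory rather than hard-coded.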

Examples of spear-phishing attacks

Spear phishing has been instrumental in many high-profile attacks in recent years:

  • Google and Facebook were defrauded of $100 million by Lithuanian Evaldas Rimasauskas between 2013 and 2015. According to court documents, Rimasauskas registered a company in Latvia with the same name as an Asian computer hardware manufacturer, opening various bank accounts in its name in Latvia and Cyprus. He then sent spear-phishing emails to employees at two unnamed US-based Internet organisations – later revealed to be Google and Facebook – to induce them to wire him a total of $100 million, which he immediately transferred to accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong.
  • Yahoo’s 2014 data breach, which saw half a billion records compromised, used spear phishing to gain access to an employee’s account. According to a Department of Justice announcement, “two Russian FSB officers hired criminal hackers to collect information through computer intrusions in the United States and abroad, which resulted in the unauthorized access of Yahoo’s network and the spear phishing of webmail accounts at other service providers between January 2014 and December 2016”.

How to prevent spear phishing

Staff awareness courses

Although spear phishing requires greater effort from its perpetrators, it remains much easier for them to induce victims to give them access than it is to find and exploit a software or network vulnerability to gain a foothold in a target system.

Regular staff awareness training that breaks users’ unconscious habits and increases their vigilance will reduce your organisation’s risk of falling for all types of phishing attack, including spear phishing:

  • Phishing Staff Awareness E-learning Course

This course helps your staff identify and understand phishing scams, explains what could happen if they fall victim and describes how to mitigate the threat of an attack.

  • Phishing and Ransomware Human Patch E-learning Course

This ten-minute interactive e-learning course introduces phishing and ransomware to employees and explains what they need to be aware of to avoid falling victim.

  • Neil Ford

    Neil is IT Governance's copywriter. Punctilious about punctuation and scrupulous about syntax, he is nevertheless painfully aware of Muphry's Law. He writes about all IT governance subjects.