Spear Phishing
What is Spear Phishing?
Spear phishing is a targeted form of phishing in which an attacker crafts a message for a specific person, role, or organization in order to make the request appear more believable and increase the chance of success.
Examples
- An attacker researches a finance employee and sends a fake invoice email that appears to come from a known supplier.
- A threat actor impersonates a project manager and sends a targeted file-sharing link to one developer working on a sensitive system.
Discover 🔎
Many phishing attacks are broad and generic. They are sent to large numbers of people with the hope that someone will click, reply, or reveal credentials. Spear phishing is different. Instead of casting a wide net, the attacker chooses a particular target and shapes the message around that person’s role, relationships, or current work.
That extra focus makes spear phishing more dangerous. A message that mentions a real colleague, a real supplier, a real project, or a real business process feels more credible than a poorly written mass email. The attacker is no longer relying only on chance. They are relying on research.
Summary 📝
Spear phishing is a targeted form of phishing that uses research and context to make deceptive messages more believable. By shaping the message around a specific victim’s role, contacts, or work, the attacker increases the chance of obtaining credentials, getting malware executed, securing a financial approval, or gaining access to sensitive information. It is especially dangerous because, unless verification habits and technical controls are strong, it fits naturally into ordinary business communication.