What Is Spear Phishing?

Spear phishing is a cybercrime that uses emails to carry out targeted attacks against individuals and businesses. Criminals use savvy tactics to collect personal data about their targets and then send emails that are familiar and trustworthy.

These emails often carry attachments or links that deliver malware, ransomware or spyware. The email will also directly ask the recipient to act urgently, for example to transfer a specific sum of money or to send personal data such as a banking password.

Because the emails are written in a highly familiar tone and refer to personal information about the recipient, victims mistakenly believe they know and trust the sender and respond to the request.

Both individuals and businesses are targeted by spear phishing:

Individual Spear Phishing Attack

Cybercriminals pretend to be a business the individual trusts, for example their bank or a reputable online site such as Amazon. The email could be crafted as a transaction confirmation or shipping notice. The goal is to get the individual to open the email and click a malicious link or to send confidential information that can then be used to commit further cybercrimes.

Business Spear Phishing Attack

Cybercriminals typically target two or three employees within a company. Often the email appears to come from the targeted individuals’ manager and directs them to transfer money or to provide passwords or other confidential company information. The tone of the email is urgent, tricking the victims into thinking that if they don’t act, the company will be in jeopardy.

Did You Know

Spear phishing is a type of social engineering that criminals use to infect computers, infiltrate company networks and steal data.

What Is The Difference Between Spear Phishing And Phishing?

The difference between spear phishing and phishing is the approach used. Spear phishing is a targeted and personalized type of phishing.

Phishing emails use a broad-strokes approach: they are sent in bulk in the hope of tricking at least one person into giving up confidential information. These phishing emails are typically not as well written as spear phishing emails and do not include personal information.

The nature of bulk phishing emails makes it easier for recipients to avoid being tricked. However, many individuals are prone to clicking email attachments and not thoroughly verifying the sender’s email address before responding.

Cyber security awareness training and phishing simulation are key to reinforcing the importance of being cyber aware when it comes to emails and the inbox.

How Does Spear Phishing Happen?

Spear phishing happens when an unsuspecting victim responds to a fraudulent email request demanding action. This action can include providing passwords or credit card details, clicking links to confirm shipping information, or transferring money.

These spear phishing emails seem believable because the cybercriminal has collected key personal information about the recipient. This information is used in the email to trick the recipient into believing the email is legitimate.

Often these emails appear to come from the recipient’s manager, colleague, friend, family member, bank, or a popular online store. By using a tone and voice that express urgency, the attacker compels the recipient to act immediately to prevent large losses, a legal charge or the shutdown of an account.

Many people are embarrassed to admit when they’ve been tricked by a spear phishing email, believing they should have known better.

It is crucial that everyone receives security awareness training that emphasizes how easy it is to be tricked into giving up confidential information by savvy cybercriminals.

The following examples of spear phishing underscore how easy it is for anyone to be a victim of spear phishing.

It’s important to remember that spear phishing attacks rely on the human element – people are busy, trusting, and click links without thinking twice.

Phishing simulation allows you to identify which employees are prone to spear phishing and phishing attacks and to demonstrate how easy it is for spear phishing to happen.

How Common is Spear Phishing?

Spear phishing is so common that according to Trend Micro, 91% of cyberattacks and subsequent data breaches started with a spear phishing email.

Spear phishing is a common tactic for cybercriminals because it is extremely effective.

Using information freely available on social media and company websites, criminals can gather enough information to send personalized, trustworthy-looking emails to victims.

Social engineering is a savvy way to trick people into giving up access, details and information that they know they should keep secure and private. Both social engineering and spear phishing rely on the natural human tendency to trust others.

People assume the request from their manager for an urgent money transfer or the password update request from their bank is legitimate because they recognize the source and believe they are acting in the best interests of themselves and others.

7 Ways To Prevent Spear Phishing
1. Educate your employees about spear phishing. Take advantage of free phishing simulation tools to educate and identify spear phishing risk.

2. Use proven security awareness training and phishing simulation platforms to keep spear phishing and social engineering risks top-of-mind for employees. Create internal cyber security heroes who are committed to keeping your organization cyber secure.

3. Remind your security leaders and cyber security heroes to regularly monitor employee spear phishing awareness with phishing simulation tools. Take advantage of phishing microlearning modules to change behavior, educate and train.

4. Provide ongoing communication and campaigns about cyber security, spear phishing and social engineering. This includes establishing strong password policies and reminding employees about the risks that can come in the form of attachments, emails and URLs.

5. Establish network access rules that limit the use of personal devices and the sharing of information outside of your corporate network.

6. Ensure that all applications, internal software, network tools and operating systems are up-to-date and secure. Install malware protection and anti-spam software.

7. Incorporate cyber security awareness campaigns, education, project management, support and training into your corporate culture.

What Is A Spear Phishing Simulation?

Spear phishing simulation is the best way to raise awareness of spear phishing risks and to identify which employees are at risk for spear phishing and phishing.

Spear phishing simulations allow you to easily incorporate cyber security awareness training into your organization in an interactive and informative format.

People see first-hand how personalized, trustworthy-looking emails are used to steal personal and corporate information. Real-time spear phishing simulations are an accessible way for any organization to educate people and increase alertness to spear phishing attacks and techniques.

Top 10 Benefits Of Spear Phishing Simulations

1. Measure the degrees of corporate and employee vulnerability

2. Eliminate the cyber threat risk level

3. Increase user alertness to spear phishing risk

4. Instill a cyber security culture and create cyber security heroes

5. Change behavior to eliminate the automatic trust response

6. Deploy targeted anti-phishing solutions

7. Protect valuable corporate and personal data

8. Meet industry compliance obligations

9. Assess the impacts of cyber security awareness training

10. Segment spear phishing simulation

To learn more about spear phishing and how you can keep your organization cyber secure, take advantage of some really great free security awareness training resources:

Contact us at 1-866-889-5806 or at [email protected] to learn more about protecting your organization from spear phishing.

Terranova Security is committed to delivering people-centric training that makes your organization cyber security aware.