Spear Phishing 101:

What It Is and How to Prevent It

What Is Spear Phishing?
How Spear Phishing Works
How Spear Phishing Targets Are Chosen
4 Spear Phishing Examples
How to Identify a Spear Phishing Attempt
You Clicked on a Phishing Link: Now What?
How to Prevent Spear Phishing


What is spear phishing? Among the many types of phishing scams, spear phishing remains a popular attack vector. The FBI Internet Crime Complaint Center (IC3) received a record number of consumer complaints in 2021. 

Phishing, vishing, smishing, and pharming scams were prominent, receiving 323,972 complaints and adjusted losses of over $44 million. Unfortunately, employees tend to be the weak link in most businesses’ anti-phishing strategy.

In this article, we’ll break down everything you need to know about spear phishing: what spear phishing is, how spear phishing works, how scammers choose their targets, common methods of attack, and what steps you can take to protect your business.

What Is Spear Phishing?

Spear phishing is a scam in which cybercriminals send tailored emails to specific individuals within a company or organization. Spear phishers impersonate known or trusted entities to fool victims into providing sensitive information, sending money, or downloading dangerous malware.

Like other social engineering attacks, spear phishing exploits people’s tendencies to be helpful or respond to fear-inducing tactics.  

Spear phishing vs. phishing

Both phishing and spear phishing are cyber-attack methods that attempt to exfiltrate sensitive or confidential information online. However, whereas phishing attacks are general, spear phishing attacks are specific to select individuals.

For example, a scammer can send one generic phishing email to thousands of recipients at once, casting a wide net in trying to snag victims. However, spear phishing attempts are more calculated, targeting specific people using precise lures and knowledge of the victim’s personal information to establish trust.

Why is Spear Phishing So Effective?

Over time, phishing scams have evolved from laughably easy-to-spot “Nigerian prince” scams into well-researched and remarkably effective campaigns that are difficult to detect and stop.

Using social engineering techniques, scammers provide information that lends credibility to their emails. They use this leverage to create believability, hoping to convince an innocent victim to believe their scheme and cooperate.

Here are some common reasons why spear phishing works:

  • Emails from big brands that look legitimate.

    Experienced attackers are skilled at creating emails that look like they’re from trusted companies like Apple, Microsoft, or your bank. 

  • Emails from your employer that look legitimate.

    Who wouldn’t trust an email that came from your boss or the owner of the company you work for? 

  • Phishing emails use scare tactics.

    Some scammers use extortion to try and get people to send them money or sensitive data. Tactics include convincing you that they have compromising information, video footage, or web browsing data to compel you to act on their demands. 

  • Native security controls don’t block email attacks.

    Your business may be vulnerable to phishing attacks without tools to identify and contain email threats.

  • Lack of employee education.

    Without ongoing training on what to look for and report, you leave your employees vulnerable to sophisticated spear phishing schemes. 

Why Is Spear Phishing So Dangerous?

Once scammers convince their targets they are trustworthy, they may gain access to sensitive company data, banking or credit card information, and wire transfers. This can cause wide-ranging fraud and system security infiltration that can repeatedly happen over time.

Experienced spear phishers are remarkably effective in gaining footholds to begin advanced persistent threat (APT) campaigns that wreak long-term damage.

How Spear Phishing Works

There are several ways scammers can carry out spear phishing attacks. Common methods include:

  • A spear phisher sends an email to their target. That email may include malicious links or attachments they will ask the target to open, downloading malware or ransomware to their computer.

  • A scammer sends an email directing the target to a spoofed website that asks them to provide personal or confidential information such as PINs, account credentials, or access codes.

  • A spear phisher poses as a friend, co-worker, boss, or other trusted entity asking for access to social media accounts or usernames and passwords to glean information they will use to exfiltrate data elsewhere.

How Spear Phishing Targets Are Chosen

People that scammers choose as spear phishing targets may surprise you.

Scammers choose specific targets based on what information a person may have access to and what information they can gather about that person. 

  • Spear phishing targets are usually not high-level executives or decision-makers. On the contrary, spear phishing targets are explicitly chosen for their lack of knowledge or experience so that the scammer can easily manipulate them.

  • Lower-level or newer employees

    may not be aware of policies or procedures they must follow that may preclude a spear phishing attempt, making them easy victims.

  • Sometimes a spear phishing target is not the conventional “Very Important Person” but rather a “Very Attacked Person.” These people are chosen because they are likely to have access to sensitive and confidential information and get a large volume of emails daily. These targets include accounts payable teams, payroll teams, and HR employees.

4 Spear Phishing Examples

There are many different types of phishing scams. The most common techniques used in spear phishing include: 

  • CEO fraud scams 

  • Malicious attachments and ransomware attacks

  • Clone phishing attacks

  • Brand impersonation attacks

CEO Fraud Scams

Would you say no to an urgent request from your boss’s boss? Unfortunately, criminals often target key individuals in accounting and finance departments using CEO email fraud and Business Email Compromise (BEC) scams. Scammers impersonate CEOs and company officers, using their influence to trick employees into purchasing gift cards or wiring money to external accounts.

CEO Fraud ScamsSample of a CEO fraud email caught by Armorblox

Malicious Attachments and Ransomware Attacks

If you receive an email with suspicious attachments or links, don’t click them! An easy way to confirm link integrity is to hover over the link to display the link’s complete address. Even legitimate users can unknowingly pass on malicious links, so always check the source of a link or attachment to be safe.

Malicious Attachments and Ransomware AttacksSample of an email with a malicious attachment caught by Armorblox

Clone Phishing Attacks

In clone phishing attacks, the attacker creates an “update” of a legitimate email message, hoping to trick the recipient into thinking it’s real. Instead, the scammer inserts a malicious link or attachment into the email in place of the original one.

Clone Phishing Attack ExampleSample of a clone phishing email caught by Armorblox

Brand Impersonation Attacks

Attackers often impersonate trusted brands and service providers in emails replicating common email workflows we legitimately receive from these brands. Instead of genuine links, however, scammers insert links to spoofed login pages in these emails to steal victims’ account credentials. 

Examples of brand impersonation include signing services, video conferencing platforms, banks, shipping companies, and even video streaming services.

Brand Impersonation AttacksSample of a brand impersonation email caught by Armorblox

How to Identify a Spear Phishing Attempt

Use our SPEAR method to easily identify a spear phishing attempt quickly:

  1. S

    pot the sender

  2. P

    eruse the subject line

  3. E

    xamine links or attachments

  4. A

    ssess the content

  5. R

    equest confirmation

How to Spot a Spear Phishing Attempt

Spot the Sender

A commonly used tactic in spear phishing involves sending an email from a domain name that looks like a well-known business or organization — but isn’t. For example, lowercase letters “r” and “n” next to each other can look like the letter “m” at first glance (like “walrnart,” “arnazon,” or “bankofarnerica”).

If you don’t think you could be fooled by something so obvious, think again. Even the sharpest users are often fooled by this method, especially if they regularly get real emails from spoofed companies.

Peruse the Subject Line

Subject lines in spear phishing emails attempt to strike urgency or fear to prompt the recipient to act quickly. Using words like “Important,” “Urgent,” or “Account Past Due” are common red flags used to garner attention.

Creating a sense of familiarity or using language like “Request,” “Follow Up,” or “Fwd:” attempts to make the recipient feel that a relationship exists or a conversation has already occurred.

Many scammers employ long-term spear phishing strategies, building relationships that ultimately pay off in achieving their goals — and often bringing companies to their knees in the process.

Examine Links or Attachments

Spear phishing emails often include embedded malware in .zip files, .exe files, PDFs, Excel, and Word documents. Also, be on the lookout for forms that request sensitive information, even if they seem trustworthy at first glance. 

Attackers use free online services like Typeform and Google Forms to collect sensitive data while getting past email security filters.

Assess the Content

If you’ve ever received an email containing information about you from someone you purportedly know, remember that what seems like personal information can easily be found online.

Scammers can glean addresses and phone numbers, names of family members, and even pet names from public records and social media accounts.

Request Confirmation

If you’ve performed all the above checks, but something still doesn’t seem right, go with your gut. Rather than reply to a suspicious email and risk a spear phishing attack, send a new email to the address you have on file to confirm whether a request is legitimate. 

If you have the sender’s contact number, you could also call or text them to double-check your suspicions.

So, you accidentally clicked on a phishing link. What should you do next to minimize the damage? While steps may differ depending on the type of link you clicked, here are some general DOs and DON’Ts:

  • DON’T

    panic! Keeping a clear head will help you take the following steps without delay.

  • DO NOT

    enter any data. Avoid providing scammers with any information whatsoever.

  • DO

    delete the email and disconnect from the internet. Deleting the message and going offline reduces the risk of the malware spreading to other network devices.

  • DO

    perform a full scan of your machine using antivirus software to help stop malicious software from spreading.

  • DO

    change your passwords immediately. You should assume that your login and passwords have been compromised. Change passwords on a different device if possible.

  • DO NOT

    hesitate to alert your IT security team. Your IT department will handle it from there, including reporting the attack to the appropriate authorities.

How to Prevent Spear Phishing

The best offense is a good defense. So while you may not avoid all cybersecurity incidents, having an airtight security plan is an excellent place to start.

5 Ways to Prevent Spear Phishing

  1. Provide Security Awareness Training

Knowledge is power — but only if you use it correctly. Training employees on security measures isn’t a one-and-done proposition. With the sophistication and constant evolution of cybersecurity threats, it’s imperative that employee awareness training is an ongoing process.

Consider adding cybersecurity information to onboarding procedures and new employee reference materials. In addition, administer regular refresher training for all employees — including management — to keep your sensitive data and systems safe.

  1. Use Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) can significantly reduce the impact of spear phishing attacks. MFA requires users to provide two or more identity verification factors to access protected resources, decreasing the likelihood of spear phishing success.

Even if a password is compromised, it’s useless without additional authentication steps. However, it’s also important not to reuse the same password across multiple accounts, which we’ll expand upon in the next section.

  1. Implement Strict Password Management Policies

A recent survey showed that 75%  of respondents changed their passwords after a security breach. Having loose (or non-existent) password management policies puts your business at risk. Here are some password policy best practices to consider:

  • Use password management software, such as LastPass

  • Prohibit password sharing

  • Create password complexity and minimum length standards

  • Require unique passwords or use a password generator

  • Set a maximum password age for regular password replacement

  1. Maintain Regular Backups and Security Patches

We cannot overstate the importance of running regular backups and installing security patches. Recovering your data after a breach is impossible if there are no data backups to restore. 

Patch management keeps your software up to date, providing additional security measures as they become available from software manufacturers.

  1. Install Email Security Software

Spear phishing will continue to increase in sophistication and volume for the foreseeable future. So make sure you’re practicing anti-phishing strategies to protect your company — and your employees — from data breaches, identity theft, and corporate espionage now.

Investing in trusted email security software is your best bet in thwarting spear phishing attempts. Armorblox helps protect your human layer from compromise using sophisticated algorithms that detect and analyze thousands of signals across identity, behavior, and language. Armorblox identifies common attack signals over email and other cloud office applications and remediates threats before they cause harm.

To learn more about how to stop targeted email attacks like spear phishing, read our Office 365 focused whitepaper below: