Spear phishing
A highly targeted phishing attack that uses personal details about the victim — name, employer, colleagues — to appear more credible.
Also known as: targeted phishing
Last reviewed: 1 June 2026
Unlike bulk phishing, which sends generic lures to millions of addresses, spear phishing is tailored to a specific individual or organisation. Attackers research their target using LinkedIn, company websites, social media, and data from previous breaches to craft a convincing, personalised message.
A spear-phishing email might address you by name, reference your job title and employer, mention a real colleague, and relate to a plausible task such as approving an invoice or updating payroll details. Because the message contains accurate personal context, it bypasses the usual 'this feels generic' warning instinct.
Spear phishing is frequently the first step in large-scale corporate breaches, enabling attackers to steal credentials or plant malware that gives deeper network access. Business email compromise (BEC) attacks almost always begin with a successful spear-phish.