What is spear phishing and how is it different from regular phishing?
Spear phishing is a targeted attack using personalised information about the recipient — in contrast to mass phishing which sends the same generic message to millions.
Last reviewed: 10 June 2026
Explanation
Regular phishing is a numbers game. The attacker sends the same message to millions of addresses knowing that only a small fraction need to respond for the operation to be profitable. The messages are generic: 'Dear customer, your account has been suspended.' This approach generates volume but at the cost of credibility — anyone who does not use that particular bank or service immediately recognises the message as irrelevant.
Spear phishing inverts this model. The attacker researches a specific individual, gathering their name, employer, role, recent activity, colleagues' names, and any other publicly available information. The resulting message is highly personalised: 'Hi Sarah, I noticed you were at the industry conference last week — I wanted to follow up on the supplier contract we discussed.' The combination of correct personal detail, familiar context, and relevant subject matter makes the message very difficult to dismiss as fraud.
Businesses and high-value individuals are the primary targets of spear phishing because the effort of personalisation is only economically justified when the potential payoff is significant. An attack on an accounts payable manager with access to a company's payment systems is worth the research investment. Similarly, a senior executive at a company handling sensitive data, a lawyer with access to client funds, or an individual with significant personal wealth may be specifically profiled and targeted.
Social media is the primary research tool. LinkedIn provides role, employer, project, and colleague information. Facebook and Instagram provide personal interests, events attended, family connections, and life events. Combining these sources enables a scammer to construct a message that a real colleague or trusted contact might plausibly send.
Common red flags
- An email is correctly personalised with your name, role, and recent activity but comes from an unusual address
- A message references a shared event, project, or contact but asks for an action that seems out of context
- The sender's email address is slightly different from a known contact's: one letter changed, a look-alike character (rn for m, 0 for o, 1 for l), or a different domain or top-level domain
- An attachment or link is explained by plausible recent context but was not expected
- The message requests urgent action on something financial or credential-related
What to do now
- Verify any unexpected email requesting credentials or financial action by calling the sender directly, using a number you already hold or one listed on the organisation's own website, never a number given in the message itself
- Inspect the actual sender address, not just the display name (the display name is chosen freely by the sender), and check whether a Reply-To header points somewhere other than the apparent sender
- Limit the personal and professional information visible on public social media profiles
- Report spear phishing attempts to your employer's IT security team and national cyber authority
- Use email filtering that enforces sender authentication (SPF, DKIM and DMARC) to block direct spoofing of your own and your suppliers' domains, and that flags look-alike domains and first-time external senders; note that a look-alike domain the attacker registered will pass authentication checks, so address inspection is still needed
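The address checks above (look-alike domain, display name that does not match the address, Reply-To pointing elsewhere, urgent financial wording) can be automated as a triage rule at the mail gateway or in a SOC script. The following is an added example, not code from the original page; the contact directory, the homoglyph rules, the urgency word list and the two sample messages are all constructed for illustration.

```python
"""Triage a raw email against the spear-phishing red flags listed above.

Added example, not part of the original article. KNOWN_CONTACTS, HOMOGLYPHS,
URGENCY_WORDS and the sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed directory of trusted contacts: display name -> real address.
KNOWN_CONTACTS = {
    "Sarah Bennett": "sarah.bennett@acme-corp.example",
    "Tom Hale": "tom.hale@acme-corp.example",
    "Northwind Supplies": "billing@northwind.example",
}
KNOWN_DOMAINS = {addr.rsplit("@", 1)[1] for addr in KNOWN_CONTACTS.values()}

# Visually confusable substitutions commonly used in look-alike domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Constructed word list for the 'urgent financial or credential action' flag.
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "wire",
                 "payment", "password", "verify your")


def normalise(domain: str) -> str:
    """Collapse homoglyph tricks so 'acrne-corp' compares equal to 'acme-corp'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a typo-squat is usually within 1-2 edits of the real domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if normalise(domain) == normalise(known) or edit_distance(domain, known) <= 2:
            return known
    return None


def triage(raw_message: str) -> list[str]:
    """Return the red flags found in one RFC 5322 message (headers plus body)."""
    msg = message_from_string(raw_message)
    flags = []
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # Display name matches a trusted contact but the address behind it does not.
    known_addr = KNOWN_CONTACTS.get(display_name)
    if known_addr and known_addr.lower() != address.lower():
        flags.append(f"display name '{display_name}' but address {address}")

    # Sender domain is one letter or one homoglyph away from a trusted domain.
    imitated = lookalike_of(domain)
    if imitated:
        flags.append(f"lookalike domain {domain} (imitates {imitated})")

    # Replies would go somewhere other than the apparent sender.
    reply_to = [a.lower() for _, a in getaddresses(msg.get_all("Reply-To", []))]
    if reply_to and address.lower() not in reply_to:
        flags.append(f"Reply-To {reply_to[0]} differs from From {address}")

    # Urgent financial or credential request in the body.
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    hits = [w for w in URGENCY_WORDS
            if re.search(r"\b" + re.escape(w) + r"\b", body, re.I)]
    if hits:
        flags.append("urgent financial/credential request: " + ", ".join(hits))
    return flags


# Constructed sample: look-alike domain, free-mail Reply-To, urgent payment request.
SAMPLE_PHISH = """\
From: Sarah Bennett <sarah.bennett@acrne-corp.example>
Reply-To: sarah.bennett.acme@mail.example
To: tom.hale@acme-corp.example
Subject: Supplier contract follow-up

Hi Tom, following up from the conference last week. Can you release the
Northwind payment today? It is urgent, the new bank details are attached.
"""

# Constructed sample: genuine internal message from the real address.
SAMPLE_LEGIT = """\
From: Sarah Bennett <sarah.bennett@acme-corp.example>
To: tom.hale@acme-corp.example
Subject: Lunch

Are you free on Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample))
```

The homoglyph normalisation catches substitutions that edit distance alone scores as two or more changes (rn for m), while the edit-distance bound catches single dropped or swapped letters. Sister domains that legitimately differ by a few characters will trip the look-alike rule, so the directory of known domains should list them explicitly. None of these checks replaces sender authentication: a message that fails DMARC for a trusted domain is direct spoofing, whereas the look-alike cases here pass authentication because the attacker controls the imitating domain.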
Frequently asked questions
Can spear phishing arrive by phone or text as well as email?
Yes. Voice spear phishing (vishing) and SMS spear phishing (smishing) both exist. A personalised phone call using correct details about a target's role or recent activity can be just as effective as an email, and more immediate.
What is whaling in the context of phishing?
Whaling refers to spear phishing specifically targeting senior executives. The term reflects the higher value of the target. These attacks are highly researched and may involve sophisticated impersonation of board members, major clients, or regulators.