What Is Spear Phishing: How Does It Work?

Spear phishing is a communication scam that happens through email or electronic devices. Spear phishing can target different levels of entities such as a person, organization, or business. The goal of spear phishing is to obtain confidential data by emailing fraudulent links from a trusted source. According to Phishlabs, “More than 80% of people in 2018 received phishing attacks, and almost 1.5 million phishing websites appear on the internet every month.” Because spear phishing is so common, it is one of the main three cybersecurity concerns.

What is the Definition of Spear Phishing?

Spear phishing is the fraudulent practice of sending an email to a target whose information cybercriminals want to obtain. The sender of a spear phishing email is a trusted source, such as Amazon, Netflix, or even an antivirus provider. The term spear phishing emerged in the early 21st century, and is derived from two words: spear (an instrument used to catch fish) and phishing (attempting to obtain confidential information). The term phishing was coined around 1996 by hackers that were stealing American login information.

Spear Phishing Definition

How Does Spear Phishing Work?

Spear phishing works through various platforms, but predominantly via email and social networks. Criminals that spear phish are targeting either an individual or an organization. They do extensive research beforehand to obtain important information about a person, such as their name and email, place of employment, and the role, as well as job title.

 A spear-phishing attack may include the following steps:

An image featuring spear phishing concept

  • Identifying email addresses (by sending emails to as many people in the organization as possible or by using a more targeted approach where emails are sent only to the person that has access to the data that they want)
  • Evading the antivirus so that the email can reach the targeted person
  • Using a payload that will exit the organization after acquiring data. The payload used is usually ‘reverse_https’ because it’s hard to detect by antivirus software
  • Finding crucial information about the target (allowing criminals to create clickbait
  • Sending personalized emails from trusted sources, either through the temporary mail server or using GoDaddy’s valid domain name
  • Placing a keylogger on the device to obtain information


Recent technological advances have made spear phishing easier. Potential targets are present on numerous social networks meaning experienced hackers can easily gain access to social media accounts and sometimes email and banking accounts also. Now with more than 45% of cell phone owners having smartphones, the risk of cyberattacks is only increasing.

What are the Characteristics of Spear Phishing?

The characteristics of spear phishing are listed below:

  • Targeting a specific victim/organization/company
  • Messages address the victim personally, often from a familiar entity
  • The message contains and asks for personal information
  • The message is a call to quick, urgent action

What is a Typical Spear Phishing Attempt?

A typical spear phishing attempt generally consists of the following:

An image featuring spear phishing concept

  • A person gets an email or message on a social network with a link that they need to click on
  • When the target clicks on the link or attachment, they might also download ransomware or malware. The website that opens might ask for personal information
  • A cybercriminal might pose as someone that the target person is familiar with and request login information, PINs, and more

These techniques are preferred when the hacker has easy access to basic information about the target person. The less experience the person has, the easier it is to perform a phishing attack.

How Effective is Spear Phishing?

An image featuring spear phishing concept

Spear phishing emails have an effective open rate of 70%, out of which, 50% of people open the content within. There are a number of factors that contribute to their effectiveness. The biggest is that the attacker does a lot more research on the target before attacking. They will find out what the target’s interests are, what sites they often visit etc. This makes them a lot more likely to appear legitimate at first glance.

A user’s biggest asset against these attacks is checking the email address of the sender. If it isn’t a trusted address from the appropriate site- it’s most likely an attack. Spear phishing is very effective, and it’s often the first choice of cybercriminals that look for information. More than 90% of cyberattacks start with phishing emails. The effectiveness comes from the research of the target before an attack.

Who is the Target of a Spear Phishing Attack?

There are typical targets of spear phishing attacks:

An image featuring phishing target concept

People who put personal information on social networks, making it easy to personalize the phishing email

Employees and managers in medium sized tech companies

People in job positions where they have to read numerous emails daily, such as PR managers or office administrators

What Is a Spear Phishing Simulation?

A spear phishing simulation is a program that a company or organization uses that sends mass fake emails to employees to raise awareness of possible phishing attacks. The best spear phishing simulations will seem believable, which is hard to achieve with mass emails. With more than 90% of cyber attacks originating from emails, it’s imperative to train employees to lessen the risk of spear phishing attacks. Sending bulk emails with spear phishing simulators regularly will help employees increase their awareness of phishing attacks.

What are the Benefits Of Spear Phishing Simulations?

These are the top benefits of spear phishing simulations:

An image featuring spear phishing company concept

  • Measure the degree of corporate and employee vulnerability
  • Teach employees to recognize harmful, malicious emails
  • Protect the employees, organization, and company
  • Give employees the tools and knowledge to deal with a phishing attack
  • Show the risk and potential consequences of the attack

What is the History of Spear Phishing?

An image featuring spear phishing history concept

Phishing has been present online since the 90s, but the first spear-phishing attacks got recognized in 2010. In that period, phishing attacks lowered while spear phishing grew by 300% due to its effectiveness. After the attack at RSA in 2011, Spear Phishing made the news. Spear phishing emails were sent to four RSA employees, one of whom opened and downloaded the attached excel spreadsheet. With it, the employee also downloaded a trojan horse. The download, combined with a flaw in Adobe Flash, resulted in hackers stealing credentials and obtaining information on secure-ID customers such as Lockheed Martin and Northrop Grumman. In 2013, Kaspersky discovered a cyber-attack that was possible due to spear phishing. In the attack, victims got infected with Trojan horses. Credentials, classified research, as well as private information got stolen. Today, spear-phishing has evolved and can happen through SMS, social networks, and instant messengers.

What are the Examples of Spear Phishing?

These are examples of spear phishing:

An image featuring spear phishing examples concept

  • Ubiquiti Networks Inc: this attack happened in 2015 when the company HANDED OVER $40 million due to a phishing scam. The emails looked like they got sent by senior executives. They instructed employees to place funds in accounts belonging to criminals
  • Franklin, Massachusetts: in this case, the criminals used a phishing attack in which they persuaded a town employee to reveal the login information, which cost the city more than $500,000
  • Alcoa: the Chinese army was accused of several spear-phishing attacks that could have stolen trade secrets from various US companies. One of those attacks targeted Alcoa. A criminal contacted over a dozen senior Alcoa employees over an email and represented himself as a board member of Alcoa. When the employees opened emails, the malware got installed on their computers. The malware caused the theft of 3000 emails and over 800 attachments

What are the Statistics about Spear Phishing?

These are statistics relating to spear phishing:

An image featuring phishing statistics concept

  • The loss of one spear-phishing attack is an average of $1.6 million
  • 35% of organizations have experienced spear phishing
  • 65% of hackers use spear-phishing as the primary infection vector
  • 88% of organizations experienced spear phishing in 2019
  • Around 35% of spear-phishing attacks are aimed both at small companies ( up to 250 employees) and big corporations (more than 2500 employees)
  • 83% of spear-phishing attacks use brand impersonation techniques, 11% use blackmail, and 6% use business email compromise techniques
  • Over 80% of people in 2018 received phishing attacks
  • People open 70% of spear-phishing mail

Is Spear Phishing Illegal?

Yes. It is illegal to obtain private information from a person without their consent. An example of this is the Anti-phishing Act of 2005 in the United States. Furthermore, most countries will protect from phishing under their identity theft laws.

What Are the Laws Regarding Spear Phishing?

There aren’t any laws currently that are aimed specifically at phishing. The Anti-Phishing Act of 2004 and the Anti-Phishing Act of 2005 were proposed, but the bills didn’t pass the subcommittee. The following laws don’t mention spear phishing specifically but do address some of the threats:

An image featuring cyber law concept

  • CAN-SPAM: The Controlling the Assault of Non-Solicited Pornography and Marketing Act was passed in 2003
  • 18 U.S.C. Section 1028 is important in regards to identity thefts and similar fraudulent crimes
  • PCI-DSS (The Payment Card Industry Data Security Standard) and HIPAA (The Health Insurance Portability and Accountability Act) share an important requirement: they need to create, enact, and maintain security awareness programs that will teach employees how to recognize and avoid the threats

How to Protect Yourself from Spear Phishing?

To protect yourself from spear phishing, follow the instructions below:

An image featuring spear phishing detected concept

  • Limit failed login attempts
  • Always update your system to get the latest security patches
  • Encrypt sensitive information
  • Use multi-factor authentication wherever you can
  • Don’t use the same passwords for different accounts
  • Inspect e-mails and messages with URLs and attachments. Is everything natural? Is the email address correct?
  • If you feel suspicious about an email, call the sender to confirm the information
  • Don’t post personal information on social media

What to Do If You Become a Spear Phishing Victim?

An image featuring spear phishing victim concept

  1. Make a criminal complaint
  2. If you work in a company, contact the IT team immediately. They will scan the system for potential threats and malicious software
  3. If you enter private information, such as login information, go to the website and change the username and password as soon as possible. Turn on double authentication
  4. Back up all necessary files
  5. If you don’t work in a company, bring your computer to a professional to clean it

What is the Difference Between Phishing and Spear Phishing?

An image featuring phishing target concept

Both phishing and spear phishing are online attacks that have the goal of procuring confidential information. The main difference is that Phishing isn’t personalized. Phishing links are sent to large quantities of users with the hope that a small percentage of the total recipients will click on the link. Spear Phishing, however, is a personalized attack where the attacker will research the target victim and obtain personal information. The information will get used in emails to make them appear legitimate, leading the person to click on a link or download an attachment. Due to the level of customization, spear phishing is harder to identify than phishing.

Ilija Miljkovac Ilija is a tech & cybersecurity writer residing in Leeds, UK. His passion for everything tech started when he was a child and culminated in a computer science degree and 5 years of writing in the field.
Leave a Comment