
What Is Spear Phishing and How to Protect Yourself

Learn what spear phishing is, how it differs from generic phishing, and the specific defenses that protect against this highly targeted form of cyber attack.

Spear Phishing: Targeted, Personal, and Highly Effective

Standard phishing casts a wide net — the same generic email sent to millions of addresses, hoping a percentage will respond. Spear phishing is the opposite: a carefully crafted, highly personalized attack targeting a specific individual or organization.

The name comes from the difference between fishing with a net (standard phishing) versus using a spear to target a specific fish (spear phishing). The precision makes these attacks significantly more effective — and significantly more dangerous.

What Makes Spear Phishing Different

A generic phishing email might say: "Dear Customer, your account has been suspended. Click here to verify."

A spear phishing email might say: "Hi [Your Name], I noticed your order #[actual order number] from [actual retailer you use] had a delivery issue. The carrier needs you to confirm your updated address at [fake link]."

The key differences:
- Uses your real name, not a generic greeting
- References real events, relationships, or transactions in your life
- Comes from an address that appears to belong to a known contact or trusted organization: a spoofed display name, a lookalike domain, or a genuinely compromised account
- Contains specific details that make it immediately plausible

The attacker invested time in research before sending. The result is an email that triggers none of the usual red flags for someone who is not specifically looking.

Where Spear Phishing Research Comes From

LinkedIn:
Professional profiles provide job titles, employers, colleagues, reporting relationships, recent projects, and professional history. This is a goldmine for crafting workplace-context spear phishing.

Social Media:
Facebook, Instagram, and Twitter/X reveal personal relationships, travel plans, purchases, events attended, and other details that can make a phishing email appear to come from someone you know.

Data Breaches:
Previous breaches reveal which services you use, what email addresses you have, and sometimes additional personal details. This information enables highly targeted attacks impersonating those specific services.

Public Records:
Property records, court filings, business registrations, and other public documents add professional and financial context.

Company Websites and Press Releases:
For corporate targets, organizational structure, key personnel, vendor relationships, and recent business activities are often publicly disclosed.

Common Spear Phishing Scenarios

Executive Impersonation (BEC):
An email appearing to come from the CEO requests an urgent wire transfer or sensitive document. The attacker knows the CEO's name, the CFO's name, and perhaps references a real project or vendor relationship.

IT Impersonation:
An email appearing to come from IT support requests that you reset your password through a provided link or install an "urgent security update." The attacker may know your actual IT team members' names.

Vendor Impersonation:
An email appearing to come from a vendor you actually work with requests updated payment details, contract review, or login to a portal. The attacker knows the vendor relationship exists because it was disclosed publicly, or because a mailbox on one side of the relationship was compromised and the attacker is replying inside a real invoice thread.

Friend or Family Impersonation:
A message appearing to come from a personal contact asks for urgent financial help or shares a link to something relevant to your relationship.

Security Researcher Targeting:
Researchers, journalists, and activists who have publicly disclosed work are targeted with emails related to their specific research area — making the relevance immediately plausible.

Defending Against Spear Phishing

Verify Through Independent Channels:
For any unusual request — financial, access-related, or sensitive — verify through a separately initiated communication. Call the person on a number you already have. Do not use contact information provided in the email.

Be Suspicious of Urgency:
Spear phishing consistently uses urgency to prevent verification. The more urgent the request, the more important it is to slow down and verify.

Check Links Carefully Before Clicking:
Even personalized emails can contain malicious links. Hover over any link to see the actual URL before clicking (on a phone, long-press it). Read the domain from the right: the registrable domain is the part just before the top-level domain, so a link to example-corp.com.secure-docs.net belongs to secure-docs.net, not to example-corp.com. Also compare the visible link text with the real destination, since the two need not match.

Use Email Authentication Signals:
Check the actual sender address, not just the display name, and check whether the Reply-To points somewhere else. Examine the Authentication-Results header in the original message source. A failing SPF, DKIM, or DMARC result on a message claiming to be from a contact is a red flag, but a pass is not proof of legitimacy: it only shows the message really came from the domain named in the result, and an attacker who registers a lookalike domain will pass all three checks for that domain. The question is whether the authenticated domain is the one you actually trust.
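The link and header checks above, written as an added example (not code from the original page or from Temp90) that runs over two constructed messages: one spear-phishing attempt that passes SPF, DKIM and DMARC for a lookalike domain and embeds the trusted domain as a subdomain of the link, and one clean internal message. The trusted-domain set, the sample headers, and the crude "last two labels" domain logic are all assumptions for illustration; a production check would use a public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for the example: domains this recipient genuinely trusts.
TRUSTED_DOMAINS = {"example-corp.com", "acme-logistics.example"}

# Character substitutions commonly used in lookalike domain registrations.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed sample: passes all three authentication checks, but for the
# attacker's own lookalike domain. Not a real captured message.
SAMPLE_EMAIL = """\
From: "Dana Reyes" <dana.reyes@examp1e-corp.com>
Reply-To: dana.reyes.exec@mail-example.net
To: you@example-corp.com
Subject: Urgent: vendor wire before 3pm
Authentication-Results: mx.example-corp.com;
 spf=pass smtp.mailfrom=examp1e-corp.com;
 dkim=pass header.d=examp1e-corp.com;
 dmarc=pass header.from=examp1e-corp.com

Hi, I need you to update the ACME Logistics payment details today.
Confirm here: https://example-corp.com.secure-docs-review.net/portal
"""

# Constructed sample: a legitimate internal message for comparison.
CLEAN_EMAIL = """\
From: "Dana Reyes" <dana.reyes@example-corp.com>
To: you@example-corp.com
Subject: Q3 vendor review
Authentication-Results: mx.example-corp.com;
 spf=pass smtp.mailfrom=example-corp.com;
 dkim=pass header.d=example-corp.com;
 dmarc=pass header.from=example-corp.com

Agenda is on the intranet: https://intranet.example-corp.com/vendors
"""


def normalize(domain: str) -> str:
    """Collapse common substitutions so a lookalike compares equal to the real name."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def parse_auth_results(value: str) -> dict:
    """Extract verdict and authenticated domain for spf, dkim and dmarc."""
    flat = re.sub(r"\s+", " ", value or "")  # unfold the header
    results = {m: {"verdict": v, "domain": None}
               for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat)}
    for method, key in (("spf", "smtp.mailfrom"), ("dkim", "header.d"), ("dmarc", "header.from")):
        m = re.search(re.escape(key) + r"=(?:[^@\s;]+@)?([\w.-]+)", flat)
        if m and method in results:
            results[method]["domain"] = m.group(1).lower()
    return results


def analyze(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Is the sender domain trusted, a lookalike of a trusted domain, or unknown?
    if from_domain not in TRUSTED_DOMAINS:
        lookalikes = [t for t in TRUSTED_DOMAINS if normalize(t) == normalize(from_domain)]
        if lookalikes:
            findings.append(f"from-domain {from_domain} is a lookalike of trusted {lookalikes[0]}")
        else:
            findings.append(f"from-domain {from_domain} is not a trusted domain")

    # 2. A Reply-To on another domain is a classic BEC tell.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from from-domain {from_domain}")

    # 3. A 'pass' only vouches for the domain named in the result, so judge the domain, not the verdict.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim", "dmarc"):
        info = auth.get(method)
        if info is None:
            findings.append(f"{method}: no result recorded")
        elif info["verdict"] != "pass":
            findings.append(f"{method}={info['verdict']}")
        elif info["domain"] and info["domain"] not in TRUSTED_DOMAINS:
            findings.append(f"{method}=pass but for untrusted domain {info['domain']}")

    # 4. Links: the registrable domain decides ownership, not what the hostname starts with.
    body = ""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    for url in re.findall(r"https?://[^\s<>\"')]+", body):
        host = urlparse(url).hostname or ""
        reg = registrable(host)
        if reg in TRUSTED_DOMAINS:
            continue
        embedded = [t for t in TRUSTED_DOMAINS if t in host]
        if embedded:
            findings.append(f"link host {host} embeds trusted {embedded[0]} but registers under {reg}")
        elif any(normalize(t) == normalize(reg) for t in TRUSTED_DOMAINS):
            findings.append(f"link domain {reg} is a lookalike of a trusted domain")
        else:
            findings.append(f"link points to untrusted domain {reg}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyze(raw) or "no findings")
```

The suspicious sample produces six findings: the lookalike From domain, the mismatched Reply-To, three "pass but for untrusted domain" results, and the link whose hostname begins with example-corp.com but is registered under secure-docs-review.net. The clean sample produces none. The point of check 3 is the one practitioners most often get wrong: all three authentication verdicts read "pass" on the phishing message, and only comparing the authenticated domain against the trusted set exposes it.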

Reduce Your Publicly Available Information:
Less information available for research means less convincing personalization is possible.

Limit LinkedIn Profile Visibility:
Restrict who can see your full profile, connection list, and recent activity. This makes targeted attacks based on LinkedIn research less detailed.

Use Temp90 for Registrations to Reduce Target Information:
When attackers research you, part of what they find is a list of services you use — gathered from breach databases and data broker records. Using Temp90 for non-essential registrations keeps your real email out of these databases, reducing the list of services that can be used as phishing pretexts.

Multi-Factor Authentication:
Even if spear phishing captures your password, a second factor stops an attacker who has only the password. The strength of that factor matters: a FIDO2/WebAuthn hardware key or passkey is bound to the real site's origin and will not authenticate to a lookalike domain, so it resists phishing outright. Authenticator-app codes are far better than SMS, but a code typed into a convincing fake login page can be relayed to the real site in real time, so they reduce the risk without eliminating it.

FAQ:

Q: How do I know if I am a likely spear phishing target?
A: Anyone with publicly visible information and access to valuable systems, accounts, or funds is a potential target. Executives, financial officers, system administrators, researchers, journalists, and individuals with significant financial assets are particularly attractive targets.

Q: Is spear phishing only a corporate threat?
A: No. While corporate targets are prominent, individuals are targeted for personal financial accounts, cryptocurrency holdings, and social media accounts. The research tools available to attackers make individual targeting practical.

Q: Can email security tools detect spear phishing?
A: Sophisticated email security gateways can detect some spear phishing through sender reputation, domain analysis, and content analysis. But truly well-crafted spear phishing, particularly using compromised accounts, is difficult to detect automatically. Human vigilance remains essential.

Conclusion:

Spear phishing is among the most effective forms of email-based attack. Its effectiveness comes from personalization that makes standard "spot the generic email" defenses insufficient. The core defenses address the specific characteristics that make it dangerous: verification through independent channels, careful link inspection, checking which domain the authentication results actually vouch for, phishing-resistant MFA, and information minimization. The habit of using Temp90 for registrations reduces the attack surface by limiting the service-use information available to attackers for crafting convincing pretexts.