What is a spear phishing attack?

Unlike generic phishing scams, spear phishing attacks target a specific victim with personalized messages to steal money or confidential information, or to spread malware.


How do spear phishing attacks work?

Spear phishing is a highly individualized online scam in which criminals target a single person or a small group. The attack is usually carried out with a spear phishing email written with that specific target in mind, often drawing on details gathered from social media profiles, company websites or earlier data breaches.

Spear phishing is a serious threat, especially to organizations and their employees. By deceiving a single person in a large company, attackers can gain a foothold in the whole organization's network and its valuable information. Once inside, they can steal sensitive data and passwords or spread malware throughout the network. Criminals use a range of social engineering techniques, such as impersonating a colleague, a manager or a trusted supplier, to improve their chances of success.

Phishing vs. spear phishing emails

What sets spear phishing attacks apart from regular phishing is their emphasis on the quality of an attack over quantity. In other words, while ordinary phishing attacks aim to reach as many victims as possible, spear phishing is a laser-focused attempt to scam one individual target. Like a fisherman who uses a spear to catch a single big fish, online criminals use spear phishing to catch a single valuable target. Regular phishing attacks, by contrast, are like casting one big net to haul in as many small fish as possible.

Because they are tailor-made for a specific target, spear phishing attacks are more difficult to identify than generic phishing emails and other mass-mailed scams. A spear phishing email is more likely to fool its victim because more work and background research goes into personalizing the message to its recipient. Generic phishing emails, on the other hand, can be sent to anyone but have a smaller chance of succeeding, because a cautious reader is more likely to recognize them as a scam.

Types of phishing attacks

Spear phishing is just one type of phishing. Here are some other types of phishing attack and their distinguishing characteristics.

Whaling

A whaling attack goes after the big fish in a company: the CEO and other executives high in the organizational hierarchy. Such attacks are sometimes also called CEO fraud, although that term more often describes the related scam in which the attacker impersonates the CEO to pressure an employee into making a payment. A great deal of preparation goes into a whaling attack, but when it succeeds the attackers can do far more damage than with a scattered approach: significant financial loss and harm to the company's reputation.

Smishing

The term smishing combines SMS and phishing. It uses text messages and instant messaging services to approach the victim. One particularly deceptive feature of smishing is that a message with a forged sender ID can land in an existing conversation thread on the victim's phone, for example the thread from their bank or parcel carrier, because the phone groups messages by sender. In practice, the attacker can hijack a familiar thread to sneak in harmful links and ask the victim to reveal confidential information.

Vishing

Vishing, or voice phishing, is carried out over phone calls. Because targets are less likely to answer a call from an unknown number, attackers use VoIP (Voice over Internet Protocol) services to spoof the caller ID so the call appears to come from a familiar or local number. The attacker then impersonates a legitimate authority, such as the victim's bank or employer, to get them to reveal valuable information, which can be used for identity theft or to authorize fraudulent transactions.

Clone phishing

Clone phishing is similar to spoofing in that it involves duplicating a legitimate email, typically one the victim has already received, and resending it with its links or attachments swapped for malicious ones so that the message appears to come from a reliable sender. It may also involve a cloned website that looks legitimate but is used to trick the target into entering their login credentials or downloading malware. Although cloned emails and websites can be difficult to spot, they often contain grammatical errors, subtly altered addresses or other suspicious signs that give them away.

How to prevent spear phishing attacks

Identifying spear phishing emails and scam sites is more difficult when the attack targets a specific individual. Once you are more familiar with spear phishers’ tricks, you are better prepared to spot them. Here are a few ways to stay safe against spear phishing messages and targeted attacks.

  • Double-check the sender's identity. Spear phishing and spoofing messages may seem legitimate at first but often reveal signs of fraud on closer inspection. Check the actual email address, not just the display name, which a sender can set to anything. Typos and unusual characters in the address are the first signs that something is wrong, and the domain may differ from the legitimate one by only a single character, for example fsecure.com instead of f-secure.com.
  • Be careful with links and strange URLs. Always be cautious if a message contains links. Hover your mouse over a hyperlink (or long-press it on a mobile device) to see where it actually leads; the visible link text can say one thing while the underlying address points somewhere else. Even if the website seems valid at first, look for inconsistencies such as a misspelled or unfamiliar domain to ensure you are not being scammed.
  • Look out for unsolicited emails. Exercise caution if someone you do not know initiates a conversation by email, especially if the message comes with attachments and links. A familiar name is not proof of identity either: spear phishers spoof or hijack the accounts of colleagues and partners, so an unexpected or unusual request from a known sender should still be verified through another channel, such as a phone call.
  • Do not share confidential information. Do not share passwords, financial details or your social security number by email. If a seemingly legitimate authority, such as your bank or a government agency, asks for your information, call them back using the official phone number from their website or your bank card, not a number given in the message, or better yet, visit their local office.
  • Think before you act. There is often a sense of urgency in the attacker's message to get you to act carelessly. If the sender is urging immediate action, take a moment to double-check that you are not being scammed.
  • Report spear phishing emails. If you receive a phishing message at your work email address, report it to your employer's IT support or security team. Your whole organization may be the target of the same campaign, and reporting lets the security team warn colleagues and block the sender before others fall for it.
  • Use online protection and antivirus software. Antivirus software can stop malware from infecting your device if you do fall for a spear phishing scam. A comprehensive online protection solution can also identify malicious links and fraudulent websites.
  • Activate two-factor authentication and use strong passwords. A successful spear phishing attack can compromise your password. If you reuse the same password on multiple accounts, one stolen password is enough to access them all, so use a unique, strong password for every account, ideally generated and stored by a password manager. Two-factor and multi-factor authentication add a further layer of protection. Where available, prefer phishing-resistant methods such as hardware security keys or passkeys: a convincing fake login page can relay a one-time code to the real site within seconds, but a security key will only sign in for the genuine domain.
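The first two checks above, a lookalike sender domain and a link whose visible text does not match its real target, can be automated at the mail gateway or in a reporting workflow. The following script is an added example written for this article and is not F-Secure's code or part of any product. It assumes a small allowlist of domains the recipient legitimately deals with (TRUSTED_DOMAINS) and runs over a constructed sample message; it flags a sender domain within one edit of a trusted one, link text that shows a different host than the href, and an href host that merely embeds a trusted name as a subdomain of an unrelated domain.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: domains this recipient genuinely corresponds with.
TRUSTED_DOMAINS = {"f-secure.com"}

# Constructed sample message (not a real email). The sender domain is a
# one-character lookalike, the link text shows a trusted URL while the href
# goes elsewhere, and the href host only embeds the trusted name.
SAMPLE_EML = """\
From: "Jane Doe" <jane.doe@fsecure.com>
To: bob@f-secure.com
Subject: Urgent: approve wire transfer today
Content-Type: text/html; charset=utf-8

<html><body><p>Bob, please approve this before 5pm:
<a href="http://f-secure.com.invoice-approval.example/login">https://portal.f-secure.com/approve</a>
</p></body></html>
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Trusted domain that `domain` imitates, or None if trusted or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if levenshtein(domain, t) <= max_distance:
            return t
    return None


def registrable_mismatch(host: str, trusted=TRUSTED_DOMAINS):
    """Trusted name that `host` contains without actually being under it.

    'f-secure.com.invoice-approval.example' contains 'f-secure.com', but its
    registrable domain is 'invoice-approval.example'.
    """
    for t in trusted:
        if t in host and host != t and not host.endswith("." + t):
            return t
    return None


class _Links(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyse(raw: str):
    """Return a list of (kind, detail) findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check the real address, not the display name, which can say anything.
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    target = lookalike_of(sender)
    if target:
        findings.append(("lookalike-sender", f"{sender} imitates {target}"))

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = _Links()
    parser.feed(body.get_content())
    for text, href in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        # Link text that looks like a URL should lead where it says it does.
        text_host = urlparse(text).hostname if "://" in text else None
        if text_host and text_host.lower() != href_host:
            findings.append(("link-mismatch", f"text shows {text_host}, href goes to {href_host}"))
        embedded = registrable_mismatch(href_host)
        if embedded:
            findings.append(("deceptive-host", f"{href_host} is not under {embedded}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_EML):
        print(f"{kind}: {detail}")
```

An edit distance of one catches the fsecure.com / f-secure.com case from the list above; a production filter would also normalize confusable Unicode characters and check the registrable domain against a public suffix list rather than a hand-written suffix test.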

Spot spear phishing scams and stay safe online

Spear phishers are not the only ones looking to steal sensitive information and infect your devices with malware. Choose comprehensive internet security to fend off malware, browse in private and protect your every digital moment on all devices. F‑Secure Total works on both mobile and desktop with a single subscription. The advanced antivirus stops malware, while Total’s VPN protects your privacy on the internet. With additional tools for identity protection and managing passwords, F‑Secure Total keeps your whole family safe online. Try Total for free now!
