
Spear phishing

Targeted phishing aimed at a specific person or organization, often using personal information gathered beforehand.

Where regular phishing is broadcast — "hi, dear customer" sent to millions — spear phishing is precision. The attacker researches the target (LinkedIn, company website, public filings, social media) and crafts a message that references real coworkers, real projects, or real recent events.

Spear phishing is the playbook behind almost every major corporate breach. APT groups (Lazarus, FIN7, APT29) prefer it because the click-through rate is dramatically higher.

The technical defense is the same as for regular phishing (verify URLs, check sender authentication, scan attachments), but the human defense matters more here: explicit out-of-band verification of any unusual request, especially anything financial.

Example
An email "from the CEO" to the finance team referencing a specific upcoming acquisition, asking for a wire transfer to close the deal.
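
The sender-authentication check and the out-of-band rule described above, applied to a message like the one in this example. This is an added illustration, not code from the original page; the organisation domain, executive name, keyword list and sample message are all constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the organisation's domain and executive names.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}
FINANCE_TERMS = re.compile(
    r"\b(wire transfer|bank details|invoice|payment|acquisition)\b", re.I)

# Constructed sample message, modelled on the CEO wire-transfer example.
SAMPLE = """\
From: "Jane Doe" <jane.doe@examp1e-corp.test>
Reply-To: jane.doe.private@mailbox.test
To: finance@example.com
Subject: Urgent: closing the acquisition
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e-corp.test; dkim=none; dmarc=none
Content-Type: text/plain

I need a wire transfer sent today to close the deal. Keep this confidential.
"""

def triage(raw):
    """Return the reasons a message needs out-of-band verification."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # A known executive's name on a non-company address is display-name spoofing.
    if name.lower() in EXECUTIVES and domain != ORG_DOMAIN:
        reasons.append("executive display name on external domain")
    # Replies diverted to another domain never reach the apparent sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        reasons.append("Reply-To domain differs from From domain")
    # Only trust this header when your own mail gateway added it.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dmarc=pass" not in auth:
        reasons.append("no DMARC pass recorded")
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    if FINANCE_TERMS.search(text):
        reasons.append("financial request: verify by phone before acting")
    return reasons

if __name__ == "__main__":
    for reason in triage(SAMPLE):
        print("FLAG:", reason)
```

Note that SPF passes for the look-alike domain in the sample: the attacker controls that domain, so authentication alone does not clear the message, which is why the financial-request rule still sends it to out-of-band verification.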