Spear phishing is a highly personalised form of phishing attack. Unlike generic phishing emails sent to thousands of recipients, spear phishing targets specific individuals or small groups within an organisation. The attacker researches their victim beforehand, often using social media, company websites, or previous data breaches to gather personal details that make the fraudulent message appear legitimate.
The attacker might impersonate a company executive, IT department, financial institution, or trusted colleague. They craft messages that reference specific projects, use accurate names and job titles, or mention recent company events to build credibility. Common spear phishing tactics include:
- Requesting urgent password resets or verification of account details
- Directing victims to fake login pages that steal credentials
- Asking employees to approve invoices or transfer funds
- Distributing malware attachments disguised as legitimate files
Spear phishing is more effective than broad phishing because the personalisation makes recipients less suspicious. A message that mentions your manager by name and references a project you're actually working on feels genuinely credible, even if it contains malicious links or attachments.
To protect yourself, treat unexpected requests for sensitive information or money with caution, even from seemingly trusted sources. Verify the request through a separate channel you already have, such as a phone number from the company directory, not the contact details given in the message itself. Check the actual sender address rather than the display name, as attackers often register domains that look similar to the legitimate one (a swapped letter, a digit in place of a letter, a non-Latin character that renders the same, or the real domain name used as a subdomain of one they control); for mail arriving from outside the organisation, even the sender domain can be forged unless the receiving mail system enforces SPF, DKIM and DMARC. Enable multi-factor authentication wherever possible, so a stolen password alone cannot compromise the account, and prefer phishing-resistant methods such as FIDO2 security keys or passkeys, since one-time codes can be relayed to the real site by a fake login page while the victim is still typing. Most importantly, never open attachments or follow links from unsolicited emails without independently confirming the sender's identity.
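The sender check described above, written for this page as an added example (it is not code from the original article): it takes a raw From: header, ignores the display name, decodes any Punycode (xn--) labels so homoglyph domains are compared as the characters they render as, and classifies the domain as trusted, lookalike or external. The trusted-domain allowlist, the confusables table, the registrable-domain guess and the sample headers are all assumptions constructed for the example.

```python
import unicodedata
from email.utils import parseaddr

# Domains the organisation actually sends mail from. Constructed for this example.
TRUSTED_DOMAINS = frozenset({"example.com"})

# Substitutions that make a lookalike domain render like the real one. A partial
# table constructed for this example; a production check would use the Unicode
# confusables data rather than a hand-picked list.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
    "\u0131": "i",  # Latin dotless i
}


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header (not the display name),
    lower-cased, with Punycode (xn--) labels decoded back to Unicode."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: compare it as written
    return domain


def skeleton(domain: str) -> str:
    """Map a domain to a 'skeleton' so visually confusable spellings collide."""
    s = unicodedata.normalize("NFKC", domain.lower())
    for lookalike, plain in CONFUSABLES.items():
        s = s.replace(lookalike, plain)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as exmaple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'external' for the sending domain."""
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    if any(domain == real or domain.endswith("." + real) for real in trusted):
        return "trusted"
    # Registrable part, e.g. 'secure-login.net' from 'example.com.secure-login.net'.
    # Assumes a one-label public suffix; real code should use the Public Suffix List.
    registrable = ".".join(domain.split(".")[-2:])
    for real in trusted:
        if skeleton(registrable) == skeleton(real):
            return "lookalike"  # examp1e.com, exarnple.com, Cyrillic-a example.com
        if edit_distance(registrable, real) <= 2:
            return "lookalike"  # exmaple.com, example.co
        if domain.startswith(real + ".") or real.replace(".", "-") in registrable:
            return "lookalike"  # example.com.secure-login.net, example-com-login.net
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, one per trick discussed in the text.
    for header in [
        "Alice <alice@example.com>",
        "IT Helpdesk <helpdesk@examp1e.com>",
        "CEO <ceo@exmaple.com>",
        "Payroll <payroll@example.com.secure-login.net>",
        "Finance <ap@ex\u0430mple.com>",
        '"ceo@example.com" <ceo@evil.net>',
    ]:
        print(f"{classify_sender(header):9s} {header}")
```

A lookalike verdict is a reason to verify out of band, not proof of fraud: the edit-distance threshold will flag legitimately short or similar domains, and the two-label guess at the registrable domain is wrong for suffixes such as co.uk. The last sample header shows why the display name is ignored entirely: the quoted part contains a trusted-looking address, but the message actually comes from evil.net.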
