Spear phishing vs. phishing.
A generic phish is a shotgun blast. A spear phish is sniper fire — tailored to you, your company, and what you care about. The defenses are different.
Generic phishing goes out to a million inboxes hoping for a 1% click rate. Spear phishing goes to one inbox — yours — and uses everything the attacker has learned about you to make it land. The defenses against mass phishing don't work as well against spear phishing. You need different habits for the targeted version.
What attackers research before sending
LinkedIn, Facebook, public news articles, your company website, the tone of emails they've already read from inside your organization. A good spear phish references your actual coworkers, your recent project, your upcoming conference, or your family by name. It does not read like a phishing email. It reads like a real message from a real person — because the attacker has spent hours making it that way.
Real spear phishes we've seen
“A CFO received an email from the 'CEO' referencing a board meeting that had just happened, asking for an urgent wire.”
Red flag: none visible. The attacker had been reading a board member's mailbox for weeks, so the context was perfect. It was caught only because company policy required a verbal callback before any wire.
“A VP at a small firm got an email referencing her daughter's soccer team by name, pretending to be a parent.”
Red flag: none visible. The attacker had pulled the details from Facebook. The attached 'team schedule' was malware, and she opened it precisely because it was so specific.
Defenses that still work
- Verbal callback for anything money-related, always, regardless of how legitimate the sender looks. Call a number you already have on file, never one supplied in the email.
- SPF, DKIM, and DMARC configured strictly (SPF ending in -all, DMARC at p=reject). This stops exact spoofing of your own domain. It does nothing against lookalike domains the attacker registers themselves, or against a forged display name over a random mailbox, so pair it with lookalike-domain monitoring and training people to read the actual address.
- Limit what leadership shares publicly — trips, family info, travel schedules — on social media.
- Train high-value users (executives, finance, HR) specifically on spear phishing.
- Assume targeting. The fact that an email is specific isn't evidence it's real.
Target your training.
We run executive-focused phishing simulations that mirror how real targeted attacks look. Worth a call if your leadership is high-value.
1. Audit what leadership is publishing publicly: LinkedIn, Facebook, company website bios.
2. Configure DMARC to reject (not quarantine) spoofed mail. Start at p=none with aggregate reports, inventory every legitimate sender, then move to p=reject; an untested jump straight to reject bounces your own mail.
3. Require verbal callback for any financial or HR request, no matter how real it looks.
4. Train executives and finance staff specifically on spear phishing; mass training doesn't cover it.
5. Assume attackers have already read inside your org. Verify accordingly.
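The two items about SPF/DMARC above ("configured strictly" in the defenses list and "DMARC to reject" in the checklist) are easy to get subtly wrong, so here is a small checker. It is an added example, not tooling from this page or its authors. The records and domains (weak.example, strict.example, the mailhost include) are constructed samples; in practice you would fetch the real ones with `dig +short TXT yourdomain` and `dig +short TXT _dmarc.yourdomain`. It grades an SPF/DMARC pair against the strict settings named above, and, because DMARC does not cover lookalike domains, it also includes a deliberately small confusable-character check for sender domains (the substitution table is a hand-picked subset, not the full Unicode confusables list).

```python
"""Grade SPF and DMARC TXT records for strictness, and flag lookalike
sender domains that DMARC cannot catch. Added example with constructed
sample records; not the page's own tooling."""

# Constructed sample TXT records for two hypothetical domains.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strict.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": ("v=DMARC1; p=reject; sp=reject; pct=100; "
                  "adkim=s; aspf=s; rua=mailto:dmarc@strict.example"),
    },
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf: str, dmarc: str) -> list:
    """Return findings for an SPF/DMARC pair; an empty list means strict."""
    findings = []

    # SPF: the final mechanism decides what happens to unlisted senders.
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("SPF: no valid v=spf1 record")
    else:
        last = terms[-1].lower()
        if last != "-all":
            findings.append(
                f"SPF: ends with '{last}', unauthorised senders are not "
                "hard-failed (use -all)")

    # DMARC: p= is the policy, sp= covers subdomains and defaults to p=,
    # pct= defaults to 100, rua= is where aggregate reports go.
    tags = parse_dmarc(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: no valid v=DMARC1 record")
        return findings
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(
            f"DMARC: p={policy or 'missing'}, spoofed mail is not rejected")
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(
            f"DMARC: sp={sub_policy}, spoofed subdomains are not rejected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct}, policy not applied to all mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, no aggregate reports")
    return findings


# Hand-picked confusable substitutions (a subset, for illustration only).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def skeleton(domain: str) -> str:
    """Normalise a domain so visually similar spellings collapse together."""
    result = domain.lower()
    for lookalike, canonical in CONFUSABLES.items():
        result = result.replace(lookalike, canonical)
    return result


def is_lookalike(sender_domain: str, protected_domains: list) -> bool:
    """True if the sender domain imitates a protected domain without being it."""
    sender = sender_domain.lower()
    return any(sender != p.lower() and skeleton(sender) == skeleton(p)
               for p in protected_domains)


if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        print(name, assess(recs["spf"], recs["dmarc"]) or ["strict"])
    print(is_lookalike("examp1e.com", ["example.com"]))
```

The weak.example record passes DMARC validation yet does nothing: p=none only reports, and because sp= defaults to p=, subdomains are equally unprotected. The lookalike check exists to make the point from the defenses list concrete: a sender at examp1e.com passes every DMARC check that examp1e.com's owner (the attacker) chooses to publish, so that comparison has to happen on your side.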
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.