Cybersecurity Glossary

What is Spear Phishing?

Spear phishing is a highly targeted form of phishing aimed at specific individuals or small groups. Attackers research their targets, reference real relationships, and personalize messages so convincingly that standard anti-phishing filters and generic training often miss them.

  • Blocks 99% of password attacks
  • Required by most cyber insurance
  • Core to SOC 2, HIPAA, PCI
How It Works

How Spear Phishing works

Three-step view of how it operates in practice.

1. Reconnaissance: The attacker studies LinkedIn, public press, your website, and social media to build a profile of the target and their relationships.

2. Pretext: A plausible scenario is crafted — a referenced meeting, a mutual contact, a project in flight. The pretext is what makes the message believable.

3. Execute: The message arrives with a link to a credential-harvesting site, a malicious attachment, or a fraudulent request for action.

Spear Phishing Variants

Targets attackers prefer

A clear breakdown of the common variants.

Target | Notes
Executives | High signing authority, broad inbox access, often skip security reviews. Called whaling.
Finance & AP (Most common) | Time-based one-time codes from an app like Microsoft Authenticator or Google Authenticator. Offline-capable and phishing-resistant against many attacks.
HR (Convenient) | The user approves a sign-in with a tap on their phone. Easy to use but vulnerable to MFA fatigue attacks — always pair with number matching.
IT admins (Strongest) | FIDO2 keys like YubiKey, or device-bound passkeys. Phishing-resistant by design — the key will not authenticate against a fake domain.

Why It Matters

Why Spear Phishing matters for SMBs


65% of active groups use spear phishing as the primary initial access technique (Source: Verizon DBIR, 2024).

Pitfalls

Common Spear Phishing mistakes

  • Assuming training alone catches spear phishing: The best spear phishing looks indistinguishable from real email. Technical controls (MFA, sandboxing, anomaly detection) matter more.
  • No email sender auth: Admins, finance, and anyone with access to money or sensitive data should use an app or hardware key — never SMS alone.
  • Ignoring lookalike domains: Typo-squatted domains (rnicrosoft.com, lo9ical.net) are still widely used. Monitor for lookalikes targeting your brand.
  • Exec accounts with weak MFA: Executives often resist stronger MFA ("I’m busy"). They’re target #1 — this is where phishing-resistant MFA belongs first.
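The lookalike-domain pitfall above can be checked mechanically at the mail gateway or in SIEM logs. The following Python is an added example, not LogicalNet's code or tooling: it collapses the substitutions used in the two domains the page cites (rn for m, 9 for g) plus a few other common swaps, flags a sender domain that maps onto a protected brand, and goes one step beyond the page by also catching a brand split by a dot so the TLD completes the name (lo9ical.net) and single-character typos (logicalnett.com). The protected domain list, the substitution table, the mail-log format and the sample log lines are constructed assumptions for illustration.

```python
"""Lookalike sender-domain check (added example, not LogicalNet's code).

Flags inbound sender domains that imitate a protected brand through
character substitution (rnicrosoft.com), a dot inserted into the brand
(lo9ical.net) or a single-character typo (logicalnett.com).  The
protected list, substitution table and log format are constructed
for illustration.
"""
import re

# Constructed list of domains to protect (assumption for the example).
PROTECTED = ("logicalnet.com", "microsoft.com")

# Common typo-squatting substitutions mapped back to what they imitate.
# Multi-character sequences come first so "rn" collapses before "n" is seen.
CONFUSABLES = (
    ("rn", "m"),
    ("vv", "w"),
    ("0", "o"),
    ("1", "l"),
    ("9", "g"),
    ("3", "e"),
    ("5", "s"),
)

# Constructed log format: "... from=<user@domain> ..." on each line.
LOG_SENDER = re.compile(r"from=<[^@>]+@([^>\s]+)>")


def canonicalize(label: str) -> str:
    """Collapse confusable sequences: 'rnicrosoft' -> 'microsoft'."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(domain: str) -> str:
    """Second-to-last label; multi-part suffixes like co.uk are out of scope here."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(sender_domain: str, protected=PROTECTED) -> str:
    """Return 'exact', 'lookalike', 'typo' or 'ok' for a sender domain."""
    domain = sender_domain.lower().strip(".")
    if domain in protected:
        return "exact"
    cand_label = canonicalize(brand_label(domain))
    cand_flat = canonicalize(domain.replace(".", ""))
    for p in protected:
        p_label = canonicalize(brand_label(p))
        p_flat = canonicalize(p.replace(".", ""))
        # Brand label reproduced with substitutions, or registered on another TLD.
        if cand_label == p_label:
            return "lookalike"
        # Brand split by a dot so the TLD completes the name (lo9ical.net).
        if cand_flat in (p_label, p_flat):
            return "lookalike"
        # One character added, dropped or changed in the brand label.
        if levenshtein(cand_label, p_label) == 1:
            return "typo"
    return "ok"


def scan_log(text: str, protected=PROTECTED):
    """Return (domain, verdict) for every sender that is not clean."""
    findings = []
    for line in text.splitlines():
        m = LOG_SENDER.search(line)
        if not m:
            continue
        verdict = classify(m.group(1), protected)
        if verdict in ("lookalike", "typo"):
            findings.append((m.group(1), verdict))
    return findings


# Constructed mail-log lines for the demonstration.
SAMPLE_LOG = """\
2024-05-02T09:14:01 accepted from=<ceo@microsoft.com> to=<ap@logicalnet.com> subject="Q2 invoice"
2024-05-02T09:15:47 accepted from=<ceo@rnicrosoft.com> to=<ap@logicalnet.com> subject="Urgent wire"
2024-05-02T09:16:12 accepted from=<it-help@lo9ical.net> to=<hr@logicalnet.com> subject="Password reset"
2024-05-02T09:17:30 accepted from=<news@github.com> to=<dev@logicalnet.com> subject="Digest"
2024-05-02T09:18:05 accepted from=<cfo@logicalnett.com> to=<ap@logicalnet.com> subject="Approve payment"
"""

if __name__ == "__main__":
    for domain, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:9s} {domain}")
```

Running the block prints the three suspicious senders from the constructed log; the exact match for microsoft.com and the unrelated github.com are left alone. The edit-distance threshold of 1 is deliberately tight so that legitimate partner domains are not flagged; in production the protected list should come from your own brands and key suppliers, and a hit should raise a ticket for review rather than block mail outright.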
Common Questions

Spear Phishing frequently asked questions

Whaling is spear phishing aimed specifically at senior executives. All whaling is spear phishing; not all spear phishing is whaling.

Modern tools with behavioral models catch most obvious spear phishing. The highly targeted, context-rich attacks still require user vigilance and technical compensating controls.

Include examples drawn from real spear-phishing attempts your company has seen. Generic training with "fake Nigerian prince" examples doesn’t prepare anyone for a well-crafted spear phish.

MFA stops the credential theft outcome of spear phishing. It doesn’t stop spear phishing that delivers malware or tricks users into authorizing a transaction.

Have a documented recovery process before it happens. Typically an administrator verifies the user's identity through an out-of-band channel, temporarily disables MFA, and re-enrolls the user with a new device. Backup codes or a secondary security key reduce downtime.
Identity & Access

Executives getting targeted?

Talk to a LogicalNet identity expert. We will review your current environment, recommend the right MFA methods for each group of users, and help you deploy without disrupting the business.

No commitment · Local engineers · Response within 1 business day