Spear phishing is a targeted form of phishing in which attackers tailor a message to a specific person, team, or organization so it looks more credible than a generic scam. NIST defines spear phishing as a highly targeted phishing attack, and NIST’s broader phishing guidance explains that these attacks aim to convince people to give sensitive information to an imposter. CISA also describes spear phishing as phishing that targets an individual using personal details about them.
Understanding spear phishing attacks
What separates spear phishing from ordinary phishing is the amount of research behind it. Instead of sending the same message to thousands of people, attackers study the target first using company websites, LinkedIn profiles, press releases, supplier information, job titles, and conference appearances so the message looks routine and believable. Academic research describes spear phishing as a form of tailored social engineering directed at a specific person, company, or industry, and notes that the approach traditionally requires major preparation because of the research involved.

That preparation remains effective because phishing is still closely linked to real breaches. The Verizon 2025 Data Breach Investigations Report found the human element involved in about 60% of breaches, while its small business snapshot shows social engineering actions are largely driven by phishing and pretexting. During the same reporting period, third-party involvement in breaches increased from 15% to 30%, giving attackers more opportunities to impersonate trusted contacts in everyday business communication. Data from Microsoft shows a similar pattern on the identity side, reporting that password-based attacks account for more than 99% of daily identity attacks, meaning stolen or phished credentials remain central to many intrusions, while modern multi-factor authentication can reduce the risk of identity compromise by more than 99%.
The impact of spear phishing
The damage from spear phishing often begins with a single compromised account and then spreads across an organization. Once attackers gain access, they can read email conversations, access shared files, view internal contact lists, follow approval chains, and exploit password reset processes. That foothold can lead to data theft, internal impersonation, ransomware access, or payment diversion fraud. Guidance from the National Institute of Standards and Technology explains that phishing campaigns frequently target passwords, PINs, and one-time passcodes because those credentials allow attackers to take control of accounts and systems.

Broader cybercrime statistics show the scale of the problem. The Federal Bureau of Investigation reported 859,532 complaints and $16.6 billion in total losses in its 2024 Internet Crime Complaint Center report, including 333,981 cyber-enabled fraud cases with $13.7 billion in losses. One of the most direct financial outcomes is business email compromise, where attackers impersonate trusted individuals to trick employees into sending money or sensitive information. Microsoft said that when it disrupted RedVDS-linked fraud infrastructure in January 2026, investigators found more than 191,000 organizations worldwide had been compromised or fraudulently accessed since September 2025, and that over 2,600 virtual machines were sending an average of one million phishing messages per day to Microsoft customers during a single month.
Why spear phishing is harder to detect
Spear phishing is difficult to detect because the messages often resemble normal workplace communication. The sender name may appear familiar, the topic may relate to an active project, and the tone may match internal language. Research on phishing susceptibility shows that social engineering cues such as authority can strongly influence whether people trust a message, which helps explain why emails impersonating executives, finance teams, or vendors are so effective. Studies shared on arXiv examine how these psychological signals shape user behavior.

The scale of phishing activity also continues to grow. Microsoft reports blocking around 600 million cyberattacks per day, noting in a January 2026 analysis of RedVDS infrastructure that most phishing attempts are stopped, but some still reach inboxes because of the sheer volume. Industry research from Proofpoint adds further context, reporting that 71% of surveyed organizations experienced at least one successful phishing attack in 2023, while 68% of employees admitted taking actions that could weaken security, alongside a 144% increase in reports of financial penalties and a 50% increase in reputational damage linked to phishing incidents.
Recognizing spear phishing attempts
Warning signs of spear phishing are often contextual rather than visual. A message may look polished and contain no spelling mistakes. Stronger clues include unusual requests, sudden urgency, attempts to bypass normal approval steps, login links that do not match the real service, or payment change requests sent only by email. Guidance from the National Institute of Standards and Technology explains that phishing can occur across multiple channels and often involves impersonated websites, relay techniques, or real-time deception to steal sensitive information. Because of this, appearance alone is no longer a reliable indicator. If an email asks for credentials, payment details, document access, or multi-factor authentication approval, it should be verified through a separate trusted channel. Research from Microsoft also shows why verification makes a difference. Once attackers obtain valid usernames and passwords, multi-factor authentication can still block unauthorized access in more than 99 percent of cases when properly enforced.
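The contextual signals listed above (a familiar display name on an unfamiliar address, a Reply-To that redirects the conversation, a login link whose visible text points at one domain while the href points at another, urgency and approval-bypass language, and bank-detail changes arriving by email) can be turned into a simple triage rule. The script below is an added example written for this article, not code from Paubox or from any of the sources cited; the organization domain, the staff directory, the service domain list, the three sample messages and the scoring weights are all constructed for illustration. It returns the findings for each message and recommends out-of-band verification once the score crosses a threshold, which is the response the section calls for.

```python
"""Contextual spear-phishing triage over raw RFC 822 messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed organization data for the example (assumptions, not from the article).
DIRECTORY = {"dana reyes": "dreyes@example-hospital.org"}          # who a display name should map to
SERVICE_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com", "live.com"}}

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|within the hour|before end of day)\b", re.I)
BYPASS = re.compile(r"\b(skip|bypass|no need for|don't wait for|without)\b[^.]{0,40}\b(approval|sign-off|purchase order)\b", re.I)
PAYMENT = re.compile(r"\b(bank (account|details)|wire (transfer|instructions)|routing number|account number)\b", re.I)
CREDENTIAL = re.compile(r"\b(password|verify your account|sign in|one-time (code|passcode)|mfa prompt)\b", re.I)
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

# Constructed weights: identity and link forgery count more than tone alone.
WEIGHTS = {"display_name_impersonation": 4, "reply_to_redirect": 3, "link_text_mismatch": 3,
           "lookalike_login_link": 4, "credential_request": 2, "payment_detail_change": 3,
           "urgency": 1, "approval_bypass": 2}
THRESHOLD = 5


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); a real deployment would use the public suffix list."""
    labels = host.lower().strip().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw: str) -> dict:
    """Return {'score', 'findings', 'action'} for one raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()                     # samples are single-part text
    findings = set()

    # Familiar name, unfamiliar address: the display name maps to a known colleague
    # in the directory but the actual address is different.
    display, addr = parseaddr(msg.get("From", ""))
    expected = DIRECTORY.get(display.strip().lower())
    if expected and expected.lower() != addr.lower():
        findings.add("display_name_impersonation")

    # Reply-To steering replies to a different registrable domain than the sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable(reply.split("@")[-1]) != registrable(addr.split("@")[-1]):
        findings.add("reply_to_redirect")

    # Login links: visible text naming one domain while the href goes elsewhere,
    # or a link that names a known service but does not resolve to its domains.
    for href, text in ANCHOR.findall(body):
        href_reg = registrable(urlparse(href).hostname or "")
        shown = HOSTLIKE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown.group(1)) != href_reg:
            findings.add("link_text_mismatch")
        for service, domains in SERVICE_DOMAINS.items():
            if service in (text + href).lower() and href_reg not in domains:
                findings.add("lookalike_login_link")

    # Content cues: urgency, approval bypass, payment-detail change, credential ask.
    plain = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)
    for name, rx in (("urgency", URGENCY), ("approval_bypass", BYPASS),
                     ("payment_detail_change", PAYMENT), ("credential_request", CREDENTIAL)):
        if rx.search(plain):
            findings.add(name)

    score = sum(WEIGHTS[f] for f in findings)
    return {"score": score, "findings": sorted(findings),
            "action": "verify_out_of_band" if score >= THRESHOLD else "deliver"}


# Constructed sample messages (not real traffic).
SAMPLES = {
    "payment_diversion": """From: Dana Reyes <dana.reyes@example-hospital-billing.com>
Reply-To: accounts@vendor-payments-update.net
To: ap@example-hospital.org
Subject: Updated wire instructions - urgent

Please process today's vendor payment to our new account number and routing number.
This is urgent, no need for the usual approval since I already signed off.
""",
    "credential_harvest": """From: IT Service Desk <helpdesk@example-hospital.org>
To: staff@example-hospital.org
Subject: Action required: Microsoft 365 password expires today
Content-Type: text/html

<p>Your password expires in 2 hours. <a href="https://login.micros0ft-secure.com/auth">https://login.microsoftonline.com</a> to keep access. Act immediately.</p>
""",
    "routine": """From: Dana Reyes <dreyes@example-hospital.org>
To: ap@example-hospital.org
Subject: Q3 budget review

Attached is the Q3 variance report for the meeting on Thursday. Ping me with questions.
""",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

Nothing here inspects spelling or layout; the polished-looking payment message still scores 13 because its identity and workflow signals are wrong, while the routine message from the real address scores 0. The threshold and weights are tuning knobs, and a production filter would replace the two-label domain heuristic and the keyword lists with proper suffix handling and mail authentication results.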
Best practices
Reducing spear phishing risk requires more than awareness training. Security experts say organizations must combine employee education with technical controls and clear verification procedures. Requests involving payments, bank detail changes, privileged access, or sensitive files should be confirmed through a second communication channel, such as a phone call or internal messaging platform. According to Microsoft, practical protections include phishing-resistant multi-factor authentication, conditional access policies that restrict risky logins, monitoring connections from known malicious IP addresses, and stronger credential hygiene, such as limiting password reuse.

Research from Proofpoint shows that training alone cannot stop spear phishing because employees often act quickly when messages create urgency or appear convenient. Findings from the Paubox 2026 Healthcare Email Security Report add another layer of context, warning that as AI-assisted workflows increase the speed of communication, manual judgment becomes less reliable. The report notes a 47 percent increase in attacks that evade native email defenses and recommends “security by design,” meaning automated safeguards that block impersonation and spear phishing attempts before they reach employee inboxes.
In the news
Recent cases show that spear phishing remains active across multiple sectors, including healthcare. In September 2025, Microsoft said it seized 338 websites linked to the RaccoonO365 phishing service, which used Microsoft branding in targeted emails, attachments, and fake login pages to steal credentials. The American Hospital Association reported that the campaign targeted at least 20 U.S. healthcare organizations and captured more than 5,000 Microsoft account credentials from victims in 94 countries since July 2024. Separately, the Cybersecurity and Infrastructure Security Agency warned in October 2024 about a large spear phishing campaign distributing malicious Remote Desktop Protocol (RDP) attachments, showing that these attacks are also used to deliver malware and gain initial access to networks.
FAQs
How is spear phishing different from regular phishing?
Regular phishing usually sends one generic message to many people. Spear phishing is tailored to a specific target using personal, professional, or organizational details to make the message more believable.
Why are spear phishing attacks so effective?
They work because they borrow the look and timing of normal communication. Research and threat reporting show that authority, urgency, and familiarity remain strong social engineering triggers, especially when the message matches real business activity.
What do attackers usually want from a spear phishing attack?
Most want credentials, access, money, or sensitive information. Microsoft and NIST both point to passwords, one-time codes, and trusted business workflows as common targets because they let attackers move from one email to broader account or network access.
Can MFA stop spear phishing?
It can greatly reduce the damage, but not every attack ends at the password stage. Microsoft says MFA blocks access in over 99% of cases when attackers have valid usernames and passwords, although attackers also try token theft, consent phishing, and other methods that work around weaker setups.
What is the most practical way to reduce spear phishing risk?
Use layered defenses. Verification for sensitive requests, phishing-resistant MFA, email authentication, conditional access, identity monitoring, and user training work better together than any single measure on its own.