Spear Phishing: The Ultimate Guide To Seeing & Stopping Spear Phishing

When it comes to cyberattacks, the human dimension of the cybersecurity environment is a complex vulnerability. Without awareness, any employee, contractor or user is the most unprotected asset. A person who can be easily exploited with a social engineering attack.

Because of inherent human characteristics — ignorance, fear, misplaced trust — people are by nature very susceptible to being manipulated to let down their guard. They then carry out actions that are contrary to the norm, such as clicking on links or giving away sensitive information. Social engineering attacks take advantage of these attributes, as well as ineffective organizational and technology security controls.

Phishing vs spear phishing

Phishing is one such attack. Here, attackers send an illegitimate email falsely claiming to be from a legitimate site. The goal is to acquire the user's personal or account information. Phishing emails redirect users to fake webpages that mimic trustworthy sites, which prompt them to submit their personal information.

An advanced form of phishing, spear phishing involves a direct, targeted attack aimed at specific individuals through specialized social engineering content.

In this article, we will examine the latest techniques in spear phishing, and also opportunities that exists to mitigate these threats by implementing the right people, organizational and technological controls.

How spear phishing works

The majority of phishing emails are generic emails sent to a random population. Spear phishing emails are a small subset that require two pieces:

  • Doing advanced research on the target.
  • Crafting a customized attack.

Together, these efforts invariably lead to higher response rates. The Proofpoint State of the Phish 2023 report highlighted that spear phishing prevalence was approximately 74% of attacks in 2022, as compared to bulk phishing at 85%.

As long as email remains a primary communication channel in almost every corporate environment, the likelihood of sophisticated spear phishing attacks will remain high.

(Learn how to prevent spear phishing with Splunk.)

Spear phishing phases

Similar to other phishing attacks, there are three main phases in a spear phishing attack:


1. Bait

This is the reconnaissance stage where specific information about the target’s identity and area of interest is gathered. This PII may be obtained in several ways:

  • Directly elicited.
  • Scraped off the internet (especially social media sites).
  • Purchased from cybercrime brokers who may have obtained it from previous successful hacks.

For a spear phish, detailed information about the target’s organizational information is critical in enhancing the probability of a successful attack. These details can include function (e.g., division, department), role and business operations — all of which point specifically to what the target handles that may be applied in the attack.

2. Hook

Here, the information garnered from the bait is applied in crafting an appropriate email message for the target. This is different from generic campaign messages sent through mass malware spam, as the spear phishing attack involves a customized message crafted through social engineering techniques, such as posing as a trusted source, or presenting information that the target is familiar with.

A replied email obtained from a data breach can be one such avenue for a spear phish attack. According to MITRE, the spear phishing email would involve one or more of 3 sub-techniques of planting malware through it:

  • Spearphishing Attachment (T1566.001). The email can contain an attachment (Microsoft Office file, PDF, ZIP or executable) that is named based on the context of the email content. The email usually includes plausible reasons why the target should open the attachment, often based on urgency or business criticality.
  • Spearphishing Link (T1566.002). The email can contain a hyperlink which is tied to the context of the email, and includes encouraging messages for the target to click it immediately. The attackers may design the link to mimic well known websites or data stores such as SharePoint folders or include social engineering text designed to convince the target to paste the link into a web browser.
  • Spearfishing via Service (T1566.003). Here, the communication with the spear phishing target is initiated via third party services rather than enterprise email. These services include social media services, personal webmail, and other non-enterprise-controlled services which establish a rapport with the target with the aim of getting them hooked into accepting the message and responding to its instructions within the corporate domain.

3. Catch

This is the final phase of the attack where the target is converted into a victim after they respond to the hook. The social engineering techniques come into play, as the victim ends up circumventing existing checks and balances such as bypassing email restrictions to open attachments and click links.

This allows the malicious code to be planted into the victim’s device, or the victim ends up following instructions to carry out the attacker’s plans such as processing a supplier payment or providing access to confidential data.

Spear phishing trends

Spear phishing is rated as a high value attack since the motivation for them is mainly financial fraud or related crimes. The SlashNext 2022 State of Phishing report found a 54% rise in zero-hour (never seen before) threats, with a 78% focus on delivering well-crafted zero-hour spear phishing attacks. Most of these attacks involved credential harvesting, while the rest included scams, malware, ransomware and exploits.

Business email compromise attacks

A specific application of spear phishing is business email compromise (BEC) attacks. These tend to have a high success rate since they involve spoofed emails that look like they’re coming from a trusted source — a company executive, employee or vendor. The 2022 Microsoft Digital Defense report reported BEC emails as 0.6% of all phishing emails, yet are the costliest financial cybercrime, with an estimated $2.4 billion USD in adjusted losses in 2021, representing more than 59% of the top five internet crime losses globally.


From a financial perspective, whaling is usually at the forefront of spear phishing, as it involves targeted phishing attacks, aimed at senior executives such as CEOs, CISOs and CFOs. Whaling attacks are designed to encourage victims to perform a secondary action, such as initiating a wire transfer of funds.

However, an article by Forbes indicates a shift in tactics has seen mid-level employees being impersonated more often than company executives. This is likely due to the C-Suite occupiers facing greater scrutiny — which in turn builds their awareness and being wiser to such forms of attack.

Generative AI

The recent spectacular rise of generative AI like ChatGPT has also thrown a spanner in the works, in terms of detecting spear phishing attacks. Previously, it was easy to identify such emails due to their poor grammar, misspelled text or unfamiliar salutation.

But with generative AI able to create well-written, personal emails with infinite variations, the chances of the target or anti-phishing solutions being able to detect such emails is only going to get harder, according to Dark Reading.

(Explore what generative AI means for cybersecurity: it’s good and bad.)

Defense & protection from spear phishing

The ISO/IEC 27005:2022 guidance on managing information security risks identifies insufficient security training as well as poor security awareness as examples of personnel vulnerabilities that may be exploited by social engineering attacks.

Anti-phishing solutions embedded to corporate email systems may provide a barrier to spear phishing emails going through, triggering blocking or quarantine when flagging standard signs such as:

  • Unfamiliar sender’s email in the Received header
  • Suspicious links or attachments
  • Urgency to perform non-standard actions such as processing payments

But at the end of the day, the recipient — you — remains the first line of defense and must be regularly trained to identify such emails, countercheck even with phone calls, and when in doubt be able to reach IT support quickly for assistance. Regular internal spear phishing campaigns also play a crucial role in inducing a heightened state of awareness within the corporate environment.

In addition, segregation of roles and limiting of privileged credentials through organizational policies and IT systems can limit the impact of a spear phishing attack. For example, a maker-checker scenario can prevent a victim from raising and executing the same payment transaction. However, this may not be practical for solo-preneurs or small-sized organizations.

What is Splunk?

This posting does not necessarily represent Splunk's position, strategies or opinion.

Joseph Nduhiu
Posted by

Joseph Nduhiu

Joseph is an ICT consultant and trainer with over 18 years of global experience across multiple sectors. His passion is assisting business units and IT departments in executing their digital transformation strategies and streamlining their operations in line with global standards and best practices. His areas of expertise include business process reengineering, IT service management, project management and cyber resilience. You can connect with Joseph @josephnduhio and on LinkedIn.