Security · April 17, 2026 · 9 min read

What Is Spear Phishing?

Spear phishing is targeted email fraud, crafted for one person using their real name, colleagues, and context. It often slips past standard filters and succeeds where mass phishing fails.

Quick definition

Spear phishing is a personalized email attack that uses specific information about the target — their name, employer, role, colleagues, or recent activity — to appear legitimate. Unlike mass phishing (same email, millions of recipients), spear phishing invests in research to maximize success against one person.

Spear phishing vs. regular phishing

The core difference is personalization and targeting.

Dimension            | Regular phishing                 | Spear phishing
---------------------|----------------------------------|-------------------------------------------
Target               | Anyone, millions at once         | Specific person or organization
Personalization      | Generic ("Dear Customer")        | Real name, role, colleagues, context
Research required    | None                             | Hours to days per target
Volume per campaign  | Millions of emails               | One to dozens
Success rate         | ~3%                              | ~30% (roughly 10× higher; commonly cited estimates, figures vary by study)
Detection difficulty | Low to medium                    | High; evades standard filters

How attackers research their targets

Spear phishing depends on open source intelligence (OSINT) — publicly available information the attacker assembles into a targeting profile before writing a single word.

LinkedIn

Names, roles, reporting structures, recent job changes, projects mentioned in posts, conference talks, shared connections — LinkedIn is the attacker's primary research tool.

Company website

Executive names and bios, email format (first.last@company.com), press releases announcing deals and partnerships that can be impersonated.

Data breach databases

Leaked email addresses, passwords (useful for "breach-enhanced" lures), and employment records from past data breaches — all available on dark web markets for cents per record.

Social media

Travel schedules, conference attendance, family details, personal interests — anything that creates false familiarity.

Public filings

SEC filings for public companies reveal financial details, vendor relationships, and pending transactions — all usable as attack context.

Google / news

Recent media mentions, speaking engagements, published articles — anything establishing real-world context.

6 common spear phishing techniques

1. Colleague impersonation

The attacker appears to be a known co-worker — using their real name in the display field — and makes a routine-sounding request: forwarding a file, updating a payment detail, or sharing credentials for a shared system. Because the request comes from a "trusted" name, the recipient skips the verification step they would apply to a stranger.

Example lure: "Hi — Marcus asked me to follow up on the vendor invoice from last week. Can you send over the updated bank details? He's offline today."

2. Executive impersonation (whaling)

The attacker impersonates a CEO, CFO, or VP and emails a subordinate — typically in finance — requesting an urgent wire transfer or confidential data disclosure. The authority gradient discourages the recipient from questioning the request, and the confidentiality instruction prevents them from verifying it with colleagues.

Example lure: "I'm in a board meeting and cannot be reached by phone. Please initiate a $62,000 wire to close a vendor agreement today. Keep this confidential until I return."

3. Vendor impersonation

The attacker researches a real supplier the target works with and sends a "bank account change" notification. Future invoice payments are redirected to an attacker-controlled account. Losses are often only discovered when the real vendor follows up about non-payment — sometimes months later.

Example lure: "Our banking partner has changed. Please update your records: all future invoices should be paid to the following new account effective immediately."

4. Shared-context lure

The attacker references a real event the target recently participated in — a conference, LinkedIn post, webinar, or published article — to establish false familiarity. The target assumes only a genuine attendee would know about this context, lowering their guard.

Example lure: "I caught your talk at the SaaStr conference on Tuesday — great points on PLG. I'm sending over a one-pager on what we're building; would love five minutes."

5. Breach-enhanced targeting

Attackers use leaked credential databases (available on dark web markets) to include a real password, partial credit card number, or other personal data in the email body, creating the impression that they have compromised the victim's device and generating panic that overrides careful verification. The classic form is the "sextortion" email. It is usually sent in bulk, but the breached password makes each copy feel targeted at almost no cost to the attacker, and the same trick is used to add credibility to genuinely targeted lures.

Example lure: "I know your password is [real old password from a breach]. I have access to your webcam. Pay $1,200 in Bitcoin or I will share the footage with your contacts."

6. Account takeover escalation

The attacker first compromises a lower-value email account (via mass phishing or credentials from an earlier breach), then uses the real, trusted account to attack its contacts, often by replying inside an existing thread. Because the message genuinely originates from the legitimate account and its mail infrastructure, SPF, DKIM and DMARC all pass and there is no domain or display-name mismatch to detect. This is the hardest spear phishing variant to catch automatically; what remains is behavioural: a contact asking for something they have never asked for before, a payment-detail change raised mid-thread, or a new forwarding rule appearing on the compromised mailbox.

Example: there is no suspicious sender at all; the attack comes from a real colleague's hijacked account after their credentials were stolen in an earlier breach.

Why standard email filters miss spear phishing

No malicious URLs

URL reputation engines catch links to known phishing domains. Spear phishing emails often contain no URLs at all — or link to legitimate services like Google Drive, Dropbox, or OneDrive to deliver a malicious payload outside the email itself.

No malicious attachments

Attachment sandboxes analyze files for malware. Many spear phishing attacks use no attachment, or use clean Office documents whose payload only runs once the recipient manually clicks "enable macros", a step that happens on the victim's machine after the sandbox has already passed the inert file. (Microsoft now blocks macros in internet-sourced Office files by default, so this path increasingly depends on persuading the recipient to unblock the file first.)

Low send volume

Spam filters are calibrated for mass campaigns: the same email sent to thousands of addresses triggers pattern matching. A spear phishing campaign targeting three finance employees at one company sends three emails — invisible to volume-based detection.

Clean sending infrastructure

Professional spear phishing actors register lookalike domains (m1crosoft.com, paypa1.com) with legitimate registrars and hosting providers, warm up the sending reputation over days, and publish valid SPF and DKIM records for the lookalike. SPF, DKIM and DMARC only prove that a message was authorized by the domain it claims to come from, and the attacker owns that domain, so authentication passes cleanly. None of it says whether the domain is the one the reader believes it is.

Personalized content bypasses generic rules

Rules like "contains the word 'urgent' and requests wire transfer" catch generic attacks. A spear phishing email using the target's real name, a real colleague's name, and a specific business context bypasses keyword-based rules.

Behavioral signals that detect spear phishing

Even without content analysis, structural and behavioral signals can flag spear phishing.

Signal                                 | Risk
---------------------------------------|-------
Display-name impersonation             | High
Lookalike domain substitution          | High
Reply-To mismatch                      | High
Executive name + payment urgency       | High
DMARC p=none on brand domain           | Medium
First contact from a lookalike domain  | Medium
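The signals in the table above are simple enough to compute from raw message headers. The following is an added example, not Gorganizer's code or any product's detector, showing one way to do it in Python: it parses a constructed RFC 5322 message, compares the display name against a hypothetical address book, collapses visually confusable characters to catch lookalike domains, checks the Reply-To domain against the From domain, and reads the p= tag of a DMARC record (supplied inline here in place of a DNS TXT lookup). The contact list, executive list, protected domains, DMARC records and both sample messages are assumptions made for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, Optional, Set

# Constructed sample, not a real message: a whaling lure that combines a spoofed
# executive display name, a lookalike domain and a Reply-To pointing elsewhere.
RAW_MESSAGE = b"""From: Jane Doe <jane.doe@exarnple-corp.com>
To: accounts-payable@example-corp.com
Reply-To: jane.doe.ceo@outlook-mail.example
Subject: Urgent wire transfer today
Date: Thu, 16 Apr 2026 09:12:00 +0000
Message-ID: <20260416091200.1@exarnple-corp.com>

I'm in a board meeting and cannot be reached by phone. Please initiate a $62,000
wire to close a vendor agreement today. Keep this confidential until I return.
"""

# Constructed: a routine message from the genuine address, for comparison.
CLEAN_MESSAGE = b"""From: Jane Doe <jane.doe@example-corp.com>
To: accounts-payable@example-corp.com
Subject: Q2 offsite agenda

Draft agenda is in the shared drive folder. Comments welcome by Friday.
"""

# Hypothetical address book and policy data. In a real deployment these come
# from the directory, the gateway's contact history and _dmarc.<domain> TXT lookups.
KNOWN_CONTACTS: Dict[str, str] = {"jane doe": "jane.doe@example-corp.com"}
EXECUTIVES: Set[str] = {"jane doe"}
PROTECTED_DOMAINS: Set[str] = {"example-corp.com"}
DMARC_RECORDS: Dict[str, str] = {
    "example-corp.com": "v=DMARC1; p=none; rua=mailto:dmarc@example-corp.com",
}

# Crude confusable map: single characters first, then multi-character runs, so
# "c1oud" and "cloud" both collapse to the same skeleton ("doud").
CONFUSABLES = {"0": "o", "1": "l", "i": "l", "5": "s", "rn": "m", "vv": "w", "cl": "d"}
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|invoice|bank details|payment)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|today|immediately|asap|confidential)\b", re.I)


def skeleton(domain: str) -> str:
    """Collapse confusable characters so a lookalike maps onto the real name."""
    d = domain.lower()
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def imitated_domain(domain: str, protected: Set[str]) -> Optional[str]:
    """Return the protected domain this one imitates; None if exact or unrelated."""
    if domain.lower() in protected:
        return None
    for real in protected:
        if skeleton(domain) == skeleton(real):
            return real
    return None


def dmarc_policy(record: str) -> str:
    """Pull the p= tag out of a DMARC TXT record; 'missing' if there is none."""
    m = re.search(r"(?:^|;)\s*p=(none|quarantine|reject)\b", record, re.I)
    return m.group(1).lower() if m else "missing"


def score_message(raw: bytes, dmarc_records: Dict[str, str] = DMARC_RECORDS) -> dict:
    """Apply the structural signals from the table above to one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg["From"] or ""))
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    text = str(msg["Subject"] or "") + "\n" + msg.get_body(preferencelist=("plain",)).get_content()
    name_key = from_name.strip().lower()
    signals: Dict[str, str] = {}  # signal -> risk, mirroring the table's ratings

    known = KNOWN_CONTACTS.get(name_key)
    if known and known.lower() != from_addr.lower():
        signals["display-name impersonation"] = "High"
    imitated = imitated_domain(from_domain, PROTECTED_DOMAINS)
    if imitated:
        signals["lookalike domain substitution"] = "High"
        if dmarc_policy(dmarc_records.get(imitated, "")) == "none":
            signals["DMARC p=none on imitated domain"] = "Medium"
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        signals["Reply-To mismatch"] = "High"
    if name_key in EXECUTIVES and PAYMENT_WORDS.search(text) and URGENCY_WORDS.search(text):
        signals["executive name + payment urgency"] = "High"

    risk = "High" if "High" in signals.values() else ("Medium" if signals else "Low")
    return {"from": from_addr, "reply_to": reply_addr or None, "signals": signals, "risk": risk}


if __name__ == "__main__":
    for sample in (RAW_MESSAGE, CLEAN_MESSAGE):
        print(score_message(sample))
```

The lure trips every high-risk row plus the DMARC one; the routine message from the genuine address trips none. The confusable map is deliberately small: a production detector would use the Unicode confusables data and edit distance, and would treat "first contact from this domain" as its own signal from the recipient's history.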

How to protect yourself from spear phishing

  1. Always check the actual email address. Display names can be anything; the real indicator is the address in angle brackets. "Sarah Johnson <billing@m1crosoft.com>" looks fine at a glance. Click the sender name to reveal the actual address. Note that this catches lookalike domains, not forged headers: if the claimed domain has no enforcing DMARC policy, the address itself can be spoofed.
  2. Verify unusual requests out-of-band. Any email requesting a payment, credential, or sensitive action should be verified through a separate channel: a phone call to a known number, an in-person conversation, or a message through your organization's internal system. Never call a phone number provided in the suspicious email itself.
  3. Check Reply-To before responding. Before replying to any email involving money or credentials, press Reply and check whether the response address matches the From address. A mismatch is a major red flag.
  4. Reduce your OSINT footprint. Audit what an attacker can learn about you from LinkedIn, company websites, and social media. Make your email address non-obvious in public profiles when possible.
  5. Use hardware security keys for important accounts. Even if an attacker captures your password through a spear phishing portal, a FIDO2/WebAuthn hardware key (YubiKey, Google Titan) prevents account access. The credential is bound to the genuine site's domain: the browser will not exercise it on a lookalike domain, and any assertion it does produce embeds the origin it was produced for, which the real site rejects.
  6. Let automated detection help. Gorganizer's scoring engine analyzes structural signals, such as domain age, Reply-To mismatches, display-name impersonation, and lookalike character substitution, that are easy to miss by eye but are reliable indicators of spear phishing infrastructure.

Frequently asked questions

What is the difference between phishing and spear phishing?

Phishing is untargeted — the same email goes to millions of recipients hoping someone clicks. Spear phishing is targeted — the attacker researches a specific person or organization and crafts a personalized email that references real names, relationships, recent events, or shared context to appear genuinely relevant. Spear phishing has a much higher success rate precisely because it is not generic.

What is the difference between spear phishing and whaling?

Whaling is a specific type of spear phishing that targets C-suite executives or other high-value individuals — CEOs, CFOs, general counsels, or system administrators with elevated privileges. The term "whaling" reflects the size of the target. The techniques are identical; only the seniority and expected payoff differ. A spear phishing attack on any employee is spear phishing; the same attack on the CFO is called whaling.

How do attackers research spear phishing targets?

Attackers use open source intelligence (OSINT): LinkedIn profiles reveal names, roles, reporting structures, and recent projects. Company websites list executives, contact formats, and business relationships. Public data breach databases contain email addresses and sometimes passwords. Social media reveals travel schedules, conference attendance, and personal context. Press releases announce deals and partnerships that can be impersonated. This research can take hours to days for a single high-value target.

Why do standard spam filters miss spear phishing emails?

Traditional spam filters look for known malicious URLs, known spam-sending domains, and malicious attachments. A well-crafted spear phishing email contains none of these. It arrives from a plausible-looking address, may contain no links (or links to legitimate services like Google Drive), includes genuine personal context, and is sent in very small volume — sometimes to a single recipient. Volume-based filtering is blind to single-message campaigns.

What should I do if I receive a suspicious targeted email?

Do not click any links or open any attachments. Verify the request through a separate communication channel — phone call to a known number or in-person confirmation. Check the actual email address (not just the display name). Look for Reply-To mismatches: click "Reply" and see if the response address differs from the From address. Report suspicious emails to your IT security team. If a credential is requested, never enter it via a link from an email — always navigate directly to the site.

Can Gorganizer detect spear phishing in my Gmail inbox?

Gorganizer's scoring engine applies over 1,751 detection signals including dedicated spear phishing detectors: display-name impersonation of known contacts, lookalike domain character substitution (paypa1.com vs paypal.com), Reply-To mismatch detection, executive-name-in-display-name combined with payment urgency language, and DMARC policy failures on high-value brand domains. These structural and behavioral signals catch spear phishing even when email content appears legitimate and passes basic spam checks.

Scan your inbox for spear phishing signals

Gorganizer applies 1,751+ detection signals — including display-name impersonation, lookalike domains, and Reply-To mismatches — to flag targeted attacks you would never spot manually.

Scan my Gmail inbox — $4.99 one-time

No subscription. No data sold. Scans run server-side — we never store email content.
