Spear-Phishing
A targeted phishing attack aimed at a specific person or organization—tailored with personal details, colleagues' names, and current context. Significantly more effective than generic phishing and harder to detect.
Spear phishing is a targeted form of phishing. While generic phishing sends out millions of emails with identical content and relies on statistical probability, spear phishing tailors each attack individually.
Generic Phishing vs. Spear Phishing
| Criterion | Generic Phishing | Spear Phishing |
|---|---|---|
| Target audience | Any email addresses | Specific person(s) |
| Content | Generic ("Your account will be suspended") | Personalized with real details |
| Effort | Minimal | Hours to days of research |
| Click-through rate | 5–30% | 50–70% with good context |
| Detection | Easier (obvious red flags) | Very difficult |
How Attackers Prepare Spear Phishing Attacks
OSINT Phase (Open Source Intelligence):
Attackers gather information from public sources:
- LinkedIn: Name, title, department, colleagues’ names, current projects, technologies
- Company website: Organizational chart, news, current job postings, partnerships
- XING, Twitter/X: Professional interests, conference attendance
- Press releases: M&A activities, new partnerships, leadership changes
- GitHub: Technologies, code comments with internal hostnames
- Google: Employee names from old presentations, internal documents
Pretext Development:
A credible story is constructed using the collected information:
- "Hello [First Name], I’m [real colleague’s name] from the IT department. I need your quick confirmation regarding our Microsoft 365 migration project..."
- "Regarding our collaboration with [real partner company]—can you approve this invoice?"
- Fake email from the "CEO" with internal project context
Whaling - Spear Phishing at the Executive Level
Whaling refers to spear-phishing specifically targeting executives (CEO, CFO, CISO). These attacks are particularly valuable to attackers because:
- Executives have decision-making authority over transactions
- Their authority is exploited for CEO fraud
- They have access to highly sensitive information
Whaling emails typically masquerade as:
- Summonses from government agencies or courts
- Tax inquiries from the IRS
- Business inquiries from investors or major clients
- Confidential merger discussions
Protective Measures
Technical:
- DMARC/DKIM/SPF prevent email spoofing of your own domain (they do not stop lookalike domains, which is what the gateway filter below is for)
- Anti-phishing filters in the email gateway (detect lookalike domains, DKIM anomalies)
- Multi-factor authentication (prevents account takeover even if credentials are compromised)
- FIDO2/Passkeys for phishing-resistant authentication
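The following is an added example, not code from the original page: a small Python triage function that applies the technical indicators listed above (SPF/DKIM/DMARC verdicts, lookalike sender domains, a divergent Reply-To, and an executive's display name on an external address) to one inbound message. The protected domain `example.com` and the executive name list are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Assumptions (constructed): protected domain and executives impersonated in CEO fraud
OWN_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small but non-zero means a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: str) -> list[str]:
    """Return the spear-phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    # 1. SPF/DKIM/DMARC verdicts the gateway stamped into Authentication-Results
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed")
    # 2. Lookalike of our own domain: close to it, or embedding it, but not ours
    if from_domain != OWN_DOMAIN and not from_domain.endswith("." + OWN_DOMAIN):
        label = OWN_DOMAIN.split(".")[0]
        if edit_distance(from_domain, OWN_DOMAIN) <= 2 or label in from_domain:
            findings.append(f"lookalike sender domain {from_domain}")
    # 3. Reply-To steering answers to a different domain than the visible sender
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append(f"reply-to domain differs: {reply}")
    # 4. Executive display name on a non-corporate address (CEO-fraud pattern)
    if name.strip().lower() in EXECUTIVE_NAMES and from_domain != OWN_DOMAIN:
        findings.append(f"executive name '{name}' on external domain")
    return findings


# Constructed sample headers in the CEO-fraud style described above
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: billing@mail-relay.invalid
Authentication-Results: mx.example.com; spf=pass; dkim=none; dmarc=fail
To: cfo@example.com
"""
```

Running `triage(SAMPLE)` returns all four indicators for the constructed message; a message from the genuine domain with `dmarc=pass` and no Reply-To returns an empty list.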
Procedural:
- Mandatory verification for payment requests via a second channel (callback)
- Dual-control principle for transfers exceeding a threshold
- Do not click on links in unexpected emails—enter the URL directly
Awareness:
- Spear-phishing simulations with real-world context (colleagues’ names, current projects)
- Training specifically targeting executives (CEO fraud scenarios)
- Reporting suspicious emails without fear of consequences
Spear Phishing as an APT Entry Vector
State-sponsored attackers (APTs) systematically use spear phishing as an initial entry vector:
- Months-long OSINT phase with detailed profiling of the target
- Tailored malware in seemingly harmless attachments (Word document, PDF)
- Zero-day exploits in attachments for maximum undetected access
The BSI and CISA regularly report on state-sponsored spear-phishing campaigns targeting government agencies, defense contractors, and research institutions in Germany.