Spear-phishing
A targeted phishing attack crafted for a specific person or small group, using public OSINT to reach a credibility that bulk phishing cannot achieve.
Spear-phishing is a phishing attack tailored to a specific individual or small group, using reconnaissance — LinkedIn, public calendars, press releases, GitHub commits, breach data — to make the lure plausible enough to slip past both filter and reader. Where bulk phishing is a numbers game, spear-phishing is a research exercise: the attacker invests an hour or two of OSINT to land one credential, one wire transfer, or one OAuth grant from a high-value target.
The targets are predictable:
- Executives (CEO, CFO) — for business email compromise and approval-chain manipulation.
- Finance and accounts payable — for fake-supplier IBAN changes and urgent-wire pretexts.
- IT administrators and DevOps — for privileged credentials, MFA enrollment hijack, cloud console access.
- Executive assistants — for calendar manipulation and inbox-rule installation that enables longer-running compromise.
- Recently announced new hires, fresh enough not to recognize internal signals and often visible on LinkedIn within days of starting.
Defining properties:
- Reconnaissance-driven. The attacker knows the target’s role, recent activity, manager, and current project context. Exposed calendars and public Drive folders quietly fuel this.
- Low volume, high yield. A single spear-phishing email can produce a seven-figure loss; the Verizon DBIR consistently places BEC-style social-engineering incidents among the incident types with the highest median loss.
- Filter-resistant. Because volume is low and content is bespoke, signature- and reputation-based filters underperform; behavior at the human end is the load-bearing control.
- AI-amplified. Generative AI now produces the OSINT-fitted lure in seconds — the cost-per-target has collapsed, and the volume of “spear-quality” attacks has risen accordingly.
The defensive lever is not filter strength alone. It is the reflex — built through realistic simulation and just-in-time nudges — to verify out-of-band on any out-of-pattern request, and to assume that anything publicly visible about the org is already in the attacker’s brief.
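A minimal triage scorer for the indicators this page names (executive display-name spoofing, a lookalike sender domain, a Reply-To that diverts the thread, and an urgent-payment or secrecy pretext), added here as an example; it is not code from this page or from any product the page describes. ORG_DOMAIN, PROTECTED_NAMES, the keyword list and both sample messages are constructed assumptions. It is deliberately a backstop for the out-of-band verification reflex, not a substitute for it: a bespoke lure that matches none of these patterns still reaches the reader, which is the filter-resistance point made above.

```python
"""Heuristic triage of an inbound message for spear-phishing / BEC markers:
executive display-name impersonation, lookalike sender domain, Reply-To
diversion, and an urgent-payment pretext. Org context and sample messages
are constructed for this example (assumptions, not real data)."""
import email
from email import policy
from email.utils import parseaddr

# Assumptions (hypothetical): the organisation's domain and the people whose
# names an attacker is most likely to borrow, mapped to their real addresses.
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {
    "jane doe": "jane.doe@example.com",   # CEO
    "sam lee": "sam.lee@example.com",     # CFO
}
PRETEXT_WORDS = ("urgent", "wire", "iban", "bank details",
                 "confidential", "asap", "gift card")


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-typo-away domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, target=ORG_DOMAIN):
    """True for homoglyph swaps (rn/m, 1/l, 0/o), target-embedded-in-string
    tricks and single-typo variants of our domain; False for our own domain
    or a genuine subdomain of it."""
    domain = domain.lower()
    if domain == target or domain.endswith("." + target):
        return False
    canon = domain.replace("rn", "m").replace("1", "l").replace("0", "o")
    if canon == target or target in domain:
        return True
    return edit_distance(domain, target) == 1


def score_message(raw):
    """Return (score, findings) for a raw RFC 5322 message. Each finding is one
    independent indicator; two or more on a money or credential request is
    where the out-of-band verification reflex should fire."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # 1. A protected display name on an address that is not that person's.
    expected = PROTECTED_NAMES.get(" ".join(from_name.lower().split()))
    if expected and from_addr.lower() != expected:
        findings.append(f"display-name impersonation of '{from_name}' via {from_addr}")

    # 2. Sender domain built to pass a glance at our own.
    if lookalike_domain(from_domain):
        findings.append(f"lookalike sender domain {from_domain}")

    # 3. Replies silently routed to a different domain than the sender's.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender {from_domain}")

    # 4. Payment / secrecy pretext in subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in PRETEXT_WORDS if w in text]
    if hits:
        findings.append("pretext keywords: " + ", ".join(hits))

    return len(findings), findings


# Constructed samples: an accounts-payable IBAN-change lure and a benign note.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@freemail.example
To: ap@example.com
Subject: Urgent wire - supplier IBAN change
Content-Type: text/plain; charset=utf-8

Hi, we need to pay Acme today, new bank details attached.
Keep this confidential until I am back from the board meeting.
"""

SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 offsite agenda
Content-Type: text/plain; charset=utf-8

Draft agenda attached, comments welcome by Friday.
"""

if __name__ == "__main__":
    for label, raw in (("BEC lure", SAMPLE_BEC), ("benign", SAMPLE_BENIGN)):
        score, findings = score_message(raw)
        print(f"{label}: score {score}")
        for f in findings:
            print("  -", f)
```

Running it scores the constructed lure 4 (impersonated CEO name, homoglyph domain, Reply-To on a third domain, five pretext words) and the benign note 0. The keyword list is the weakest of the four signals and is where real spear-phishing drifts first; the header checks are the ones worth wiring into a mail gateway or SIEM rule.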
Related terms
- Phishing: A social-engineering attack that impersonates a trusted entity to trick a person into surrendering credentials, money, or access, by email, SMS, voice, QR code, or OAuth consent.
- Business Email Compromise (BEC): A targeted fraud in which an attacker impersonates an executive, supplier, or counsel to redirect a legitimate payment; historically the single most financially damaging cybercrime category.
- Social engineering: Manipulating a person, rather than exploiting a software flaw, to obtain credentials, money, or access; the umbrella category under which phishing, vishing, and BEC sit.
- OAuth phishing / consent phishing: An attack that tricks a user into granting a malicious third-party app persistent OAuth access to their mailbox, files, or workspace. The victim authenticates legitimately and the app receives its own token, so MFA is never challenged and a password reset does not revoke the access.
- Exposed calendar: A SaaS calendar, typically Google Calendar or Microsoft 365, whose visibility setting leaks meeting titles, attendees, locations, or links to anyone in the domain or on the public internet.