What is spear phishing?

Nov. 16, 2020

Though it might sound like a fun activity for a tropical vacation, spear phishing actually refers to a targeted, electronic attack on your personal information.

To understand spear phishing, you first must understand phishing itself. Phishing is when an entity makes a fraudulent attempt to learn your usernames, passwords, bank information, or other personal details by making itself appear trustworthy. While phishing attacks are typically generic and non-targeted, spear phishing is a refinement of this practice that is tailored to its target.

If you think an email seems suspicious, it’s best to investigate further. Read on for tips on how to identify and combat spear phishing attacks.

What is spear phishing?

There’s a lot of information about you on the Internet. Each time you make a social media post or fill out a BuzzFeed quiz, for example, more of your personal information is uploaded to the web. Before you know it, all kinds of things from the location of your home to your pet’s name might have found their way online.

Spear phishers find and use this data to make themselves appear trustworthy and get you to give them more of your personal information. Once they have enough information, they send you an email. While some spam emails are easily identified, spear phishing emails may be less so. They might genuinely look like an email from a friend, your boss, or a store you like to visit.

Spear phishing vs. phishing

Phishing attacks are relatively low stakes, and usually they are easier to recognize than spear phishing attacks. Phishing emails are sent to hundreds of recipients simultaneously, and they do not contain personal information.

Spear phishers will pose as your friend, boss, family member, or a social media company to gain your trust and fool you into giving them your information. These emails are well-researched and personal, making it harder to distinguish between reality and fiction.

Spear phishing vs. whaling

While spear phishing may target “smaller fish” like a mid-tier company employee or a random target chosen on social media, whaling goes after the “big fish.” These attacks often target executives like CEOs or CFOs in an attempt to gather larger payouts and more sensitive data.

While spear phishers may pose as your boss or friend, those conducting whaling attacks will email a company’s executive posing as an employee with a question or a client asking for an invoice to get the information they want.

How to identify a spear phishing attack

Though a spear phishing email generally looks like a regular email from a friend or business, there are several things that mark it as something more sinister.

  1. Check the sender address: Phishers can usually mimic the name of a person or organization you get emails from regularly, but they might be unable to perfectly mimic the original tone. If you think an email might be suspicious, check the sender’s email address — typically, there will be subtle changes, such as the letter “o” replaced with a “0.”
  2. Verify links: If the email includes a hyperlink, a quick way to check its legitimacy is to hover over the URL. Once your mouse is hovering over the link, the full URL that is being linked to will appear. If it seems suspicious, don’t click it.
  3. Make a phone call: In some cases, you might be fooled by a phishing email that appears to be from a friend or trusted person. In these cases, if you think it’s odd that a friend would be emailing you to ask for your password or username, it could be best to give them a call and ask if it’s legit. Keep in mind that you shouldn’t share passwords or usernames.
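The first two checks above (a lookalike sender domain, and a link whose visible text does not match where it really points) can be automated. The script below is an added example written for this page, not Norton’s own tooling: it treats `example.com` as the one domain the reader trusts (a constructed assumption), folds a short, illustrative table of digit-for-letter swaps such as “0” for “o” and “1” for “l”, and runs both checks over a constructed sample email. The sample message, the trusted-domain set and the confusables table are all made up for the demonstration.

```python
"""Heuristic checks for two spear-phishing tells: a lookalike sender domain
and a link whose visible text disagrees with its real destination.
Added example for this article, not Norton's code. The trusted domains,
the confusables table and the sample mail are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the domains this reader actually trusts mail and links from.
TRUSTED_DOMAINS = {"example.com"}

# Illustrative (not exhaustive) character swaps seen in lookalike domains,
# mapped to the letter they imitate.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize_domain(domain: str) -> str:
    """Fold confusable characters so 'examp1e.com' and 'example.com' compare equal."""
    folded = domain.lower()
    for lookalike, real in CONFUSABLES.items():
        folded = folded.replace(lookalike, real)
    return folded


def domain_findings(domain: str, what: str) -> list:
    """Flag a domain that imitates a trusted one; exact trusted domains and their
    genuine subdomains (mail.example.com) pass without findings."""
    findings = []
    if not domain or domain in TRUSTED_DOMAINS:
        return findings
    for trusted in TRUSTED_DOMAINS:
        if domain.endswith("." + trusted):
            continue
        if normalize_domain(domain) == normalize_domain(trusted):
            findings.append(f"{what} domain '{domain}' is a lookalike of '{trusted}'")
        elif trusted in domain:
            # e.g. example.com.login-verify.net: the trusted name is a decoy prefix
            findings.append(f"{what} domain '{domain}' embeds '{trusted}' but is not it")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Hostname of a URL, or of bare link text such as 'example.com/reset'."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()


def link_findings(html: str) -> list:
    """The 'hover over the link' check: compare shown text with the real href."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        # Only compare when the visible text itself looks like a URL or domain.
        if "." in text and not any(c.isspace() for c in text):
            shown_host = host_of(text)
            if shown_host and shown_host != real_host:
                findings.append(f"link text shows '{shown_host}' but points to '{real_host}'")
        findings.extend(domain_findings(real_host, "link"))
    return findings


def sender_findings(from_header: str) -> list:
    """The 'check the sender address' check, applied to the From: header."""
    _name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return domain_findings(domain, "sender")


def analyze_email(raw: str) -> list:
    """Run both checks over a raw message and return the list of warnings."""
    msg = message_from_string(raw)
    findings = sender_findings(msg.get("From", ""))
    for part in msg.walk():  # walk() yields the message itself when single-part
        if part.get_content_type() == "text/html":
            findings.extend(link_findings(part.get_payload()))
    return findings


# Constructed sample: a "helpdesk" mail with a digit-for-letter sender domain and
# a link whose visible text names the real site while the href goes elsewhere.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@examp1e.com>
To: alice@example.com
Subject: Password expiry notice
Content-Type: text/html

<p>Your password expires today. Sign in at
<a href="http://example.com.login-verify.net/reset">https://example.com/reset</a>
to keep access.</p>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

On the sample message the script reports three warnings: the sender domain is a lookalike of the trusted one, the link’s visible text names `example.com` while it points at another host, and that host merely embeds the trusted name as a decoy prefix. A real subdomain such as `mail.example.com` produces no warning, which is the distinction the hover check is meant to make.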

How to protect yourself against spear phishing

Spear phishing might be more deceptive and savvier than original forms of phishing, but a lot of the same kinds of defensive action you take are still valid safety measures. Being aware and using caution online can help you protect yourself and your information.

  • Avoid providing personal information: Never give out more information than you need to online.
  • Boost security settings: Many social media platforms allow you to boost your security settings so your account is private and protected. Doing so means you’re giving spear phishers less information to fool you with.
  • Sign up sparingly: Don’t sign up for apps on social networks unless they’re absolutely necessary and come from reputable sources. Remember that even reputable apps are vulnerable to attack.
  • Be smart with your passwords: Use strong passwords and vary your passwords across accounts. Password management apps can generate strong passwords for you and store them for you, so all you have to do is unlock the app to access your account.
  • Keep your software updated: Make sure your security software and operating system are up to date. When your applications are up to date, it’ll be harder for a spear phisher to get through.

What to do if you click on a phishing link

It’s easy to get tricked by spear phishing attacks. If you do click on a phishing link in an email or download a suspicious attachment, here’s what to do next:

  • Disconnect from the internet: Turning off your Wi-Fi or pulling out your ethernet cable can help stop the immediate spread of the malware.
  • Back up your files: It’s smart to back up your files frequently, but in the event of an attack it becomes more crucial. Back up your important files to an external source so you’ll still have them if the cybercriminal deletes your data.
  • Change your passwords: Once a hacker gains access to one of your accounts, they can work their way through others. If you think an account has been compromised, change all of your passwords as soon as possible, and consider opting for two-factor authentication where possible.
  • Scan your hardware: Using security software can help identify and eradicate the threat.

Becoming the victim of a spear phishing attack can feel invasive and unsettling, on top of leaving you with the clean-up task. It could take weeks or months to restore your internet security.

With vigilance and a few precautions, you can reduce your risk of falling for a spear phishing attack.

Copyright © 2023 NortonLifeLock Inc. All rights reserved.