Email Security Blog

Spear Phishing Emails: What They Are & How to Prevent Them

John Wilson November 5, 2021 Business Email Compromise, Email Security, Phishing, Phishing Defense
Man with laptop with large red email warning screen pop up

Spear phishing is more focused than normal phishing. To protect against this type of phishing, your entire company will need to be educated and protected.

What is a typical spear phishing attempt?

A typical spear phishing attempt is a fraudulent personalized email that is usually sent with an attachment or requests a response. The fraudster then tries to entice the recipient to open the infected attachment or respond with personal information.

How a spear phishing attack works

Spear phishing is a highly targeted attack that first starts with an in-depth research phase. Attackers will spend time gathering information to use in the attack against the target company, such as stolen documents, email addresses, branded logos, and even details regarding the company structure.

Once this information is collected it is used to carefully craft a phishing email attempt to a specific target within the company. For instance, attackers can use the stolen information listed above to create an urgent sounding email coming from the head of the IT department. This email could urge readers to click a link and update their password.

Since the attackers spent the time to identify who the head of IT is, they can craft a much more believable phishing email to trick the recipient. Oftentimes these phishing emails are even more targeted to specific individuals inside an organization. Bad actors may create fake invoices and target the accounting department, knowing that they work with invoices daily.

Spear phishing attacks can be designed to steal company information, fraudulently wire money, or even encrypted company assets and hold them hostage. Payloads in phishing emails are usually hidden inside of innocuous looking links, or legitimate file attachments like PDFs or Microsoft Word files.

Links can either redirect to a malicious site where a PC gets infected, or more commonly to a fake cloned webpage that looks nearly identical to the real thing. When a user enters their information to login on this fake site, attackers can steal those credentials and then use them on the real platform.

Phishing email attachments work to steal the same information but do so by hiding a malicious payload that installs spyware on the target machine. Attachments are even more dangerous because they open the entire network to a host of different attacks, where a backdoor can be planted by an attacker for future access.

How to identify a spear phishing email

Spear phishing exploits trust within an organization in a very calculated way, making it one of the more difficult types of attacks to identify for the untrained eye. Having a dedicated phishing response system in place can stop spear phishing emails before they ever reach an inbox.

There are a few ways you can identify a phishing email:

Check the From field in the email closely. Spear phishers will use names and domains that look very similar to a trusted sender. They often contain slight misspellings that are hard to spot at a glance

Be wary of urgent sounding emails. If an email sounds threatening or makes you feel a bit panicked, slow down and review the email. Attackers use fear to get victims to click malicious links and download malware without giving the email a second thought.

Use caution when clicking links. Links inside of phishing emails can be carefully crafted to look legitimate. Always verify the sender and inspect the link closely by hovering your mouse over the hyperlink.

When in doubt, call the sender. If you don’t have the ability to have an IT professional review the email, give the alleged sender a call from a verified phone number that isn’t in the email signature. A quick call can help avoid a company breach.

Spear phishing vs phishing – What’s the difference?

The goal of any phishing attack is always the same, the only difference between spear phishing and phishing is the strategy used to trick people into giving up their information.

Regular phishing, or email phishing uses a shotgun approach to try and steal information. An attacker emails thousands of recipients with a bogus message in hopes that a few unlucky people will fall for the scam. Phishing casts a wide indiscriminate net to try and steal credentials.

Spear phishing takes the complete opposite approach and uses a highly targeted and precise attack against a specific company or individual, hence the word spear in the name. Research is used to craft the most believable email possible in hopes that the recipient will take it at face value.

These phishing emails take much more time and effort to create, so attackers normally only go after companies they view as lucrative enough to spend this time on. Large enterprise companies are usually at the top of the list, followed by fast growing medium sized companies, but no company is immune.

Common phishing variations

There are some slight variations in spear phishing attacks which have been given their own names based on the medium and strategies that are used to compromise recipients. Let’s look at some of the most common variations of phishing attacks.


Whaling takes the targeted nature of spear phishing and refines it even further to impersonate a CEO or senior staff member within an organization. Whaling is a form of phishing that exploits the power dynamics between authority figures in a company to trick and pressure other staff members into clicking on a malicious link, wiring funds, sending sensitive information, or opening a virus laden attachment.

Clone Phishing

Clone phishing is an especially devious type of phishing attack because it can use real previously sent email correspondence to look like a real email. Attackers either recreate or steal previously sent emails from the sending party, and then resend them from another account that looks similar to the real sender.

The new scam email will contain the old correspondence, but with an updated attachment that is malicious. The scammer may note that the attachment has been updated, or the first one was not correct.

How do I report a phishing email?

If you’ve entered information into a phishing email, or have been sent a phishing email, there are a few simple steps you can use to report it.

You can forward the email directly to the FTC Anti-Phishing Working Group at If the message was a text message you can forward it to SPAM (7726).

You can then report the phishing attack by visiting

Protecting against spear phishing emails

Protecting against phishing emails requires a consistent combination of phishing education and security planning to help prevent phishing emails while mitigating risk. Agari offers organizations an out-of-box solution to phishing defense that leverages artificial intelligence to identify, prioritize, and neutralize incoming phishing attacks.

Here are a few changes you can make to your environment to help stop spear phishing attacks:

Keep staff informed and educated. Implementing an educational phishing campaign program across an organization can help drastically reduce the number of phishing emails opened. This helps staff identify and report phishing emails and works as a first line of defense when other security measures are in place.

Enable two factor authentication (2FA). Two factor authentication provides an extra layer of protection that combines login credentials with something physical such as a smartphone or authenticator app. Even if a phishing email is opened and credentials are entered into it, the attacker will not be able to access the site if 2FA is enabled.

Tag emails that originate from outside your organization. Email server rules can be configured to label emails with a warning stating it came from outside of the company. This helps staff easily identify phishing attempts, even when the email is well crafted.

The Agairi advantage

Agari offers a turnkey solution to combat spear phishing email attacks through automatic threat response, remediation, and containment. The system utilizes both signature-based security as well as behavioral analysis to stop malicious files and bad actors at the same time.

If you’re looking to learn how to keep your business safe from phishing emails, see how Agari Phishing Defense works.


Laptop with multiple paddle locks with key holes

May 27, 2022 John Wilson

SMTPS: Securing SMTP and the Differences Between SSL, TLS, and the Ports They Use

What is the difference between SMTPS and SMTP? SMTPS uses additional SSL or TLS cryptographic protocols…

Agari Blog Image

May 18, 2022 Ramon Peypoch

What Is Email Spoofing and How Do You Protect Against It?

What is Email Spoofing? Email spoofing is one of the most common forms of cybercriminal…

Agari Blog Image

April 27, 2022 Monica Delyani

5 Big Myths about DMARC, Debunked

With email attacks contributing to billions of lost dollars each year, a growing number of…

Computer Showing Secure Email Server

March 9, 2022 John Wilson

Securing Your Email with DMARC

Understanding the What, How, and Why of DMARC You probably already know this, but it…

Agari Blog Image

December 16, 2021 John Wilson

Common Phishing Email Attacks | Examples & Descriptions

What does a phishing email look like? We've compiled phishing email examples to help show…

mobile image