Spear Phishing vs Phishing: What's the Difference?

By Ṣọ Email Security, 4 min read

Understand the critical difference between phishing and spear phishing. Learn the Scale Test framework to identify targeted attacks before you click, reply, or pay.

Tags: Phishing, Spear Phishing, Business Email Compromise, Email Security, Social Engineering, Targeted Attacks

Spear Phishing vs Phishing: what's the difference?

2025-12-16

Last week, a startup founder wired $28,000 to a fraudster.

The email didn't look suspicious. No bad grammar. No strange links. No sense of "this is a fraud."

That's because it wasn't phishing.

It was spear phishing.

Most people lump all email frauds together, but there's an important difference. Understanding it could save you from becoming the next victim.


Phishing: the wide net

Phishing is the email equivalent of spam calls. Attackers send the same message to thousands, sometimes millions, of people hoping a small percentage will bite.

You've seen these:

  • "Your package couldn't be delivered. Click here to reschedule."
  • "Unusual sign-in detected. Verify your account immediately."
  • "Your Netflix subscription has expired. Update payment now."
  • "IT Department: Password expires in 24 hours. Reset here."

These emails work through volume. Send a million messages, and even a 0.1% success rate yields 1,000 victims.

The characteristics:

  • Generic greetings ("Dear Customer" or "Dear User")
  • Mass-applicable scenarios (everyone has packages, passwords, subscriptions)
  • Obvious urgency and threats
  • Often contains spelling errors or awkward phrasing
  • Links to fake login pages that harvest credentials

The good news: Email filters are increasingly effective at catching these. Gmail and Outlook block billions of phishing attempts daily using pattern recognition, link analysis, and sender reputation.


Spear Phishing: the targeted strike

Spear phishing is different. It's crafted for one person or one company. The attacker has done their homework.

They know:

  • Your name and role
  • Your coworkers and reporting structure
  • Your vendors and clients
  • Your current projects and deadlines
  • Your communication patterns

Then they send one message that blends perfectly into your day.

Real examples:

  • An email from your "CEO" asking you to wire funds for a confidential acquisition
  • A message from your "vendor" with updated bank details for an invoice you're actually expecting
  • A request from "HR" asking you to review an attached document about your benefits
  • A note from a "client" with a link to review project files on a shared drive

The email looks legitimate because it references real things in your life. The sender address might be spoofed or might come from a lookalike domain (yourcompany.co instead of yourcompany.com).

Why filters miss these:

  • No malicious links (just a reply-to address)
  • No malware attachments (just a convincing PDF invoice)
  • No mass distribution pattern to trigger spam detection
  • Proper grammar and professional tone
  • Context that matches your actual business

The scale test

Here's a simple framework to distinguish between the two:

Ask yourself: Could this same email be sent to 10,000 people?

If yes, it's probably phishing. The message is generic enough to apply to anyone with an Amazon account, a bank, or an email password.

If no, meaning it only makes sense for you specifically, that's spear phishing. And that's the dangerous one.

A message about "your order" could go to anyone. A message about "the Q3 invoice from Acme Corp that we discussed last Tuesday" was written for you.


Why spear phishing is rising

Targeted phishing continues to grow because it works.

The economics favour attackers:

  • One successful spear phishing attack can yield tens of thousands of dollars
  • The research investment (hours of LinkedIn browsing) pays off at higher rates
  • Victims are often senior employees with authority to move money or access sensitive data

Information is freely available:

  • LinkedIn reveals org charts and job titles
  • Company websites list team members and vendors
  • Press releases announce deals and projects
  • Social media shows who's travelling, who's new, who's leaving

AI makes it easier:

  • Large language models help attackers write convincing emails in any language or style
  • Automation tools can personalise messages at scale
  • Voice cloning lets the attacker back up the email with a convincing phone call

Who gets targeted

While anyone can receive phishing, spear phishing targets specific roles:

Finance teams - They control payments and can wire funds directly

Executive assistants - They have access to calendars, contacts, and often act on behalf of executives

HR departments - They handle sensitive employee data and W-2 forms

IT administrators - They have elevated system access and credentials

New employees - They're still learning processes and less likely to question unusual requests

Anyone handling vendor relationships - They expect invoices and payment discussions

If you're in one of these roles, you're a higher-value target. Act accordingly.


How to protect yourself

Slow down on urgent requests

Spear phishing relies on urgency to bypass critical thinking. Any email pushing immediate action, especially one involving money, credentials, or sensitive data, deserves a pause.

Ask: Why does this need to happen right now? Who benefits from me not verifying?

Verify through a second channel

Before acting on any significant request, confirm through a different communication method:

  • Call the sender using a number you already have (not one in the email)
  • Send a separate message via Slack or Teams
  • Walk to their desk if they're in the office
  • Start a new email thread rather than replying

A quick verification call takes thirty seconds. Recovering from fraud takes months.

Examine sender details carefully

Don't trust the display name. Look at the actual email address: a display name can say anything, while the address shows whether the message really came from the domain you expect.

Train yourself to hover over sender names and check the full address.
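As an added illustration of the sender checks described above (example code written for this post, not Ṣọ's own detection logic), the script below parses the From and Reply-To headers of a raw message and flags a lookalike domain such as yourcompany.co, a display name that belongs to a known colleague but arrives from a different address, and a Reply-To that diverts replies elsewhere. The domain allowlist, the people directory and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist: the organisation's own domain and a real vendor domain.
TRUSTED_DOMAINS = {"yourcompany.com", "acmecorp.com"}
# Assumed directory of people an attacker might impersonate (display name -> real address).
KNOWN_PEOPLE = {"jane doe": "jane.doe@yourcompany.com"}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    # Plain Levenshtein distance; enough to catch one- or two-character lookalikes.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    # Same first label (yourcompany.co vs yourcompany.com) or within two edits, but not identical.
    for trusted in TRUSTED_DOMAINS:
        same_label = domain.split(".")[0] == trusted.split(".")[0]
        if domain != trusted and (same_label or edit_distance(domain, trusted) <= 2):
            return trusted
    return None


def check_sender(raw_message: str) -> list:
    """Return the sender-related warning signs found in the message headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []
    from_domain = domain_of(addr)
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        trusted = lookalike_of(from_domain)
        if trusted:
            findings.append(f"lookalike domain: {from_domain} resembles {trusted}")
    real = KNOWN_PEOPLE.get(name.strip().lower())
    if real and real != addr.lower():
        findings.append(f"display name '{name}' belongs to {real}, not {addr}")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} points to a different domain than From")
    return findings


# Constructed sample: a "CEO" wire request of the kind described in the post.
SAMPLE = (
    "From: Jane Doe <jane.doe@yourcompany.co>\r\n"
    "Reply-To: jane.doe.ceo@gmail.com\r\n"
    "Subject: Confidential acquisition - need a wire today\r\n\r\n"
    "Can you handle this quietly? Details to follow.\r\n"
)

if __name__ == "__main__":
    for finding in check_sender(SAMPLE):
        print("WARNING:", finding)
```

Run against the sample, it reports all three signals; a genuine message from jane.doe@yourcompany.com with no Reply-To produces no findings.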

Establish verification procedures

For sensitive actions, create processes that assume email can be faked:

  • Payment changes require verbal confirmation
  • Wire transfers need two-person approval
  • Vendor bank detail updates go through a verification call
  • Password resets happen through IT directly, not email links

Documented procedures protect everyone, especially when attackers create time pressure.


What Ṣọ catches

Standard email filters look for known bad patterns: malicious links, dangerous attachments, spammy senders.

Spear phishing often contains none of these. The email is just text, asking for something reasonable, from someone who appears trustworthy.

Ṣọ Email Security focuses on what filters miss:

  • Sender analysis that flags impersonation attempts and lookalike domains
  • Context awareness that identifies unusual requests based on your communication patterns
  • Document comparison that catches invoice modifications and fraudulent attachments
  • Real-time alerts before you click, reply, or pay

The filter catches the obvious. Ṣọ catches the convincing.


The Bottom Line

Phishing and spear phishing are different threats requiring different defences.

Phishing is a numbers game. Spear phishing is a confidence game.

Filters handle the first. Awareness and verification handle the second.

Your takeaway today: Any email that feels personal, routine, and urgent deserves a pause.

Before clicking, replying, or paying, verify through a second channel. A quick message or phone call beats a perfectly written email.
