Adversarial Risk Group
Glossary · Social Engineering and Phishing · 11 min read

What is spear phishing?

Spear phishing is a targeted email attack that uses specific information about an individual to make the message convincing enough to bypass instinctive scrutiny.

Key takeaways

  • Spear phishing is one message written for one person, not a mass campaign.
  • The attacker uses public information about the target (role, projects, vendors, communication style, timing) to construct a message that looks routine.
  • It is the dominant initial-access vector in incidents affecting mid-market manufacturers in 2026.
  • Email filters catch some attempts, but well-crafted spear phishing is structurally indistinguishable from legitimate correspondence; filters alone are not a defense.
  • Defense is a layered system: workflow controls, phishing-resistant authentication, post-compromise detection, and continuous adaptive simulation against named people.

How does a spear phishing attack work?

A spear phishing attack runs through four stages. None of them require advanced tooling; what changes the success rate is the quality of the reconnaissance.

1. Reconnaissance. The attacker builds a profile of the target: name, role, tenure, recent projects, known vendors, recent travel, recent press appearances, the executive they report to, the executive who reports to them, and the way they write. Sources are public: LinkedIn, the company website, SEC filings, podcast appearances, conference speaker pages, GitHub, employee personal social media, and breach corpora. See What is OSINT (open-source intelligence)?.

2. Pretext construction. The attacker decides what the message will pretend to be: a vendor invoice with a payment instruction change, a wire request from the CEO before a flight, a DocuSign for a contract under negotiation, an MFA reset request from the help desk. The pretext is chosen to match the target's normal workflow.

3. Lure delivery. The message goes out. Infrastructure choices matter: lookalike domain, mailbox warmed for weeks, SPF/DKIM/DMARC aligned where possible, send time matched to the target's typical activity hours. Inline images and HTML can be tuned to defeat link-rewriting and sandboxing.

4. Payload. What the message asks the target to do. The four most common payloads in mid-market manufacturer incidents: enter credentials into a forged Microsoft 365 page, approve an OAuth consent grant (see What is consent phishing (OAuth phishing)?), open an attachment that executes a benign-looking macro or loader, or perform a workflow action (change a vendor's bank account, approve a wire, reset a password).

A well-executed spear phish from the target's perspective is indistinguishable from a routine work message. That is the defining property.

Spear phishing vs phishing vs whaling: what the differences mean operationally

The terms are often used interchangeably. The operational distinction matters because the defenses are different.

  • Phishing. Mass campaign, generic content, untargeted. "Your package is delayed", "Your mailbox is full", "Your invoice is attached". Detection mostly works because the content patterns and sender infrastructure are reused across hundreds of thousands of recipients.
  • Spear phishing. Targeted, written for one person, content specific to that person's role and context. Detection patterns are weaker because the message is not part of a campaign; the infrastructure and content are bespoke.
  • Whaling. Spear phishing aimed at executives. Same techniques, higher stakes. Often paired with voice cloning or a deepfake CEO scam to add a second channel of pressure.

A mid-market manufacturer typically sees mass phishing in volume (filters handle most of it), spear phishing in waves aligned to its visible business calendar (earnings windows, vendor cycles, hiring periods), and whaling against named executives several times a year. The relative volume looks small; the per-attempt impact is what matters.

Why mid-market manufacturers are high-value spear phishing targets

Three structural reasons:

  1. High dollar value, low security maturity. A 200-person manufacturer with $50 million in revenue processes hundreds of vendor payments monthly. The wire-fraud yield per successful spear phish is high. Compared to a Fortune 500 with similar payment volume, the security stack is usually thinner and the defending team smaller.
  2. Visible business context. Manufacturers participate in trade shows, run case-study marketing, publish executive bios, and disclose customer relationships. The information needed to construct a believable pretext is published as marketing.
  3. Supply-chain leverage. A successful spear phish at a mid-market supplier can be the foothold for a much larger attack at a prime contractor or downstream customer. The attacker's economic motive includes both the direct target and the next hop. See What is a supply chain attack?.

The combination produces an attack-economics curve where mid-market manufacturers are the highest-yield-per-effort segment for spear phishing operators. The volume of attempts against any specific organization is below what a Fortune 500 sees, but the success rate per attempt is materially higher.

Examples of spear phishing attacks against industrial companies

Patterns ARG sees repeatedly in mid-market manufacturer engagements:

  • Vendor invoice with two-digit bank change. A real, recurring vendor's invoice is duplicated with a single bank-account digit changed. The lookalike domain matches the vendor's. AP processes the payment in the normal cycle. Detection happens when the real vendor follows up about non-payment, weeks later. See What is business email compromise (BEC)?.
  • DocuSign envelope for a real contract. The target is in active contract negotiation with a vendor. A forged DocuSign envelope arrives at the expected step in the negotiation. The credential prompt at the "view document" step harvests Microsoft 365 credentials and MFA. The mailbox is compromised within ten minutes.
  • Wire request from CEO before a flight. Spear phish to the CFO referencing a known industry event the CEO is attending. The message references a real, contemporaneous business situation (an acquisition discussion, a customer escalation). Often paired with a voice cloning call to confirm.
  • MFA reset request to the help desk. A spear phish targeting a help desk technician, written in the voice of an executive caught out before a meeting. The credential is reset; the attacker logs into the executive's account. See What is MFA fatigue (push bombing)?.
  • OAuth grant for "Document Management". A target in engineering receives a believable-looking request to grant permissions to a "Document Management" app from what appears to be IT. The grant gives the attacker offline_access and Files.Read.All scopes. The compromise is not detected by MFA because the attack does not need to log in. See What is consent phishing (OAuth phishing)?.

Each example shares the same structural property: the message is contextually plausible given visible business reality. Detection requires more than spam filtering.

How to recognize a spear phishing attempt

For an individual reader who is wondering whether a specific message is a spear phish, six checks help:

  1. Does the request bypass normal workflow? A wire transfer that skips the two-person approval process, a password reset that does not follow the documented ticketing path, a vendor change submitted outside the procurement system. Workflow bypass is the most reliable signal.
  2. Is the urgency manufactured? "Before close of business", "before my flight", "regulatory deadline today". Time pressure is the most common pretext tool because it suppresses verification.
  3. Is the channel switching unusual? Email asking the target to switch to SMS, voice, or a third-party tool. Channel switching takes the conversation outside any system that logs it.
  4. Does the sender domain match the displayed name? Hover and check. Lookalike domains (rn for m, 1 for l, .co instead of .com) are common; the displayed name in many email clients hides the actual domain.
  5. Does the sender's writing match prior messages from this person? If the target has correspondence history with the apparent sender, structural differences in tone, sign-off, or vocabulary often surface.
  6. Is the recipient list anomalous? A message sent to one person that would normally go to a thread or distribution list, or a message sent to a thread that has not been used in months.

For an organization, no single check defeats spear phishing. The defenses work in layers; the individual checks are useful, but the program is what matters.

Best practices for defending against spear phishing

  1. Phishing-resistant authentication. FIDO2 and passkeys close the credential-harvesting payload entirely. See What is phishing-resistant MFA?.
  2. Workflow controls for high-loss actions. Wire transfers, vendor changes, payroll diversions, and contract executions need two-person, out-of-band approval that cannot be defeated by a single compromised mailbox. The control belongs in the ERP and the procedure, not in the email gateway.
  3. OAuth governance. Microsoft 365 and Google Workspace app consent policies need to restrict high-scope grants to administrator approval. Periodic OAuth grant audits catch grants users do not remember authorizing.
  4. Continuous post-compromise detection. Mailbox rule changes, anomalous logon patterns, OAuth grants, and out-of-policy delegated access are the first observable signals of a successful spear phish. Identity telemetry needs alerts on each of these.
  5. Adaptive simulation, not scripted training. Annual phishing-awareness campaigns produce metric drift. Adaptive simulation keeps the signal alive by rotating pretext, channel, and timing per round.
  6. High-risk role training. AP, payroll, HR, and IT help desk handle the actions a spear phish is trying to drive. Specific role-based playbooks for the common attack patterns (vendor change, wire approval, password reset, OAuth grant) lower the success rate measurably.
  7. Incident response readiness. Assume a spear phish will succeed; the response time determines the loss. See What is an incident response plan (IRP)?.
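Practice 2 says the control for a vendor bank change belongs in the ERP and the procedure, not in the email gateway. The following Python is an added example of what that control looks like as code, not ARG's code or any ERP's API: vendor master records, names and the field layout are constructed assumptions. The point it demonstrates is that a single compromised mailbox cannot satisfy the policy, because the request must come through the procurement system, two people other than the requester must approve, and the callback goes to the number already on file rather than one supplied in the request.

```python
"""
Two-person, out-of-band release control for a vendor bank-account change
(added example, not ARG code or an ERP API; all records constructed).
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Vendor master data as the ERP holds it (constructed). The phone number
# here predates the change request, so a request cannot supply its own.
VENDOR_MASTER = {
    "ACME-001": {"phone_on_file": "+1-555-0100", "account": "DE89370400440532013000"},
}


@dataclass
class BankChangeRequest:
    vendor_id: str
    new_account: str
    requester: str
    source: str                                # "procurement_portal" or "email"
    approvals: List[str] = field(default_factory=list)
    callback_number: Optional[str] = None      # number actually dialled to verify
    callback_confirmed: bool = False


def evaluate(req: BankChangeRequest) -> List[str]:
    """Return the unmet controls; an empty list means the change may be released."""
    problems = []
    if req.source != "procurement_portal":
        problems.append("request did not arrive through the procurement system")
    # Two approvers, neither of whom is the requester, and counted distinctly.
    independent = {a for a in req.approvals if a != req.requester}
    if len(independent) < 2:
        problems.append("fewer than two approvers independent of the requester")
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        problems.append("unknown vendor id")
    elif req.callback_number != vendor["phone_on_file"]:
        problems.append("callback was not made to the number on file")
    elif not req.callback_confirmed:
        problems.append("vendor did not confirm the change on callback")
    elif req.new_account == vendor["account"]:
        problems.append("new account is identical to the account on file")
    return problems


def release(req: BankChangeRequest) -> bool:
    """Apply the change only when every control is met."""
    if evaluate(req):
        return False
    VENDOR_MASTER[req.vendor_id]["account"] = req.new_account
    return True


# Constructed requests: one that meets the policy, one driven from a mailbox.
GOOD = BankChangeRequest("ACME-001", "DE75512108001245126199", "ap.clerk", "procurement_portal",
                         approvals=["ap.manager", "controller"],
                         callback_number="+1-555-0100", callback_confirmed=True)
FROM_MAILBOX = BankChangeRequest("ACME-001", "DE75512108001245126199", "ap.clerk", "email",
                                 approvals=["ap.clerk", "ap.manager"],
                                 callback_number="+1-555-0199", callback_confirmed=True)

if __name__ == "__main__":
    print("policy-compliant:", evaluate(GOOD) or "release permitted")
    print("mailbox-driven:", evaluate(FROM_MAILBOX))
```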

Spear phishing FAQs

How is spear phishing different from a regular phishing email?

Regular phishing is a mass campaign; spear phishing is one message written for one person. A spear phish uses the recipient's name, role, vendor relationships, current projects, communication style, and timing context (a recent earnings call, a known vendor visit) to make the message believable in a way a generic phish cannot.

Can email filters stop spear phishing?

Filters catch some of it, especially when the sender infrastructure is reused or the payload matches a known pattern. They do not catch most well-crafted spear phishing, because the message is structurally indistinguishable from legitimate correspondence. Effective defense combines filtering with phishing-resistant MFA, workflow controls, and continuous detection of post-compromise behavior.

What signs indicate an account has been compromised by spear phishing?

Unexpected mailbox rules (forwarding, filtering, or marking-as-read), OAuth grants the user does not remember authorizing, logon events from unusual geographies, contacts receiving unusual messages from the user, and changes to recovery information. Continuous detection on identity telemetry catches most of these within hours.
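Practice 4 in the best-practices list and the answer above both name the same post-compromise signals: mailbox rule changes, OAuth grants the user did not knowingly authorize, and logons from unusual places. The following Python is an added example of detection logic over such telemetry, not ARG's code: the records are constructed, the field names follow a simplified form of Microsoft 365 audit records and are an assumption rather than a schema reference, and the logon baseline is a hard-coded stand-in for one derived from history.

```python
"""
Post-compromise detection over identity telemetry (added example, not ARG code).

Walks audit records and raises alerts for three signals: inbox rules that
forward mail externally or hide it from the owner, OAuth consent grants
carrying high-risk scopes, and logons from outside a user's known countries.
Records, baseline and field names are constructed/simplified assumptions.
"""
from collections import defaultdict
from typing import Dict, List

INTERNAL_DOMAIN = "example-mfg.com"                       # constructed
HIGH_RISK_SCOPES = {"offline_access", "files.read.all", "mail.read", "mail.readwrite"}
# Countries each user normally signs in from (constructed stand-in for a learned baseline).
LOGON_BASELINE = {"cfo@example-mfg.com": {"US"}, "eng1@example-mfg.com": {"US", "DE"}}

# Constructed sample records in a simplified audit-log shape.
RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example-mfg.com",
     "Parameters": {"Name": ".", "ForwardTo": "archive@freemail.example", "DeleteMessage": "True"}},
    {"Operation": "New-InboxRule", "UserId": "eng1@example-mfg.com",
     "Parameters": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
    {"Operation": "Consent to application.", "UserId": "eng1@example-mfg.com",
     "AppDisplayName": "Document Management", "Scopes": "offline_access Files.Read.All"},
    {"Operation": "Consent to application.", "UserId": "eng1@example-mfg.com",
     "AppDisplayName": "Calendar Widget", "Scopes": "User.Read"},
    {"Operation": "UserLoggedIn", "UserId": "cfo@example-mfg.com", "Country": "NG"},
    {"Operation": "UserLoggedIn", "UserId": "cfo@example-mfg.com", "Country": "US"},
]


def check_inbox_rule(rec: dict) -> List[str]:
    """Rules that exfiltrate or hide mail are the classic BEC persistence step."""
    p = rec["Parameters"]
    reasons = []
    target = p.get("ForwardTo") or p.get("RedirectTo") or p.get("ForwardAsAttachmentTo")
    if target and not target.lower().endswith("@" + INTERNAL_DOMAIN):
        reasons.append(f"forwards to external address {target}")
    for hide in ("DeleteMessage", "MarkAsRead"):
        if str(p.get(hide, "")).lower() == "true":
            reasons.append(f"{hide}=True hides mail from the owner")
    name = p.get("Name")
    if name is not None and name.strip(".") == "":       # rules named "." or ".." are a known tell
        reasons.append("rule name is only dots")
    return reasons


def check_consent(rec: dict) -> List[str]:
    """Consent grants with persistent, broad-read scopes bypass MFA entirely."""
    scopes = {s.lower() for s in rec.get("Scopes", "").split()}
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    return [f"grant to '{rec['AppDisplayName']}' includes {', '.join(risky)}"] if risky else []


def check_logon(rec: dict) -> List[str]:
    """Logons from outside the user's baseline countries."""
    known = LOGON_BASELINE.get(rec["UserId"], set())
    if rec["Country"] in known:
        return []
    return [f"logon from {rec['Country']} outside baseline {sorted(known)}"]


CHECKS = {
    "New-InboxRule": check_inbox_rule,
    "Set-InboxRule": check_inbox_rule,
    "Consent to application.": check_consent,
    "UserLoggedIn": check_logon,
}


def detect(records: List[dict]) -> Dict[str, List[str]]:
    """Return {user: [alerts]} for every record that trips a check."""
    alerts = defaultdict(list)
    for rec in records:
        check = CHECKS.get(rec["Operation"])
        for reason in (check(rec) if check else []):
            alerts[rec["UserId"]].append(f"{rec['Operation']}: {reason}")
    return dict(alerts)


if __name__ == "__main__":
    for user, items in detect(RECORDS).items():
        print(user)
        for item in items:
            print("  -", item)
```

In production the baseline would be learned from the user's own logon history and the consent check would also look at who published the app, but the structure is the same: each signal is cheap to evaluate, and the value comes from alerting on all of them rather than waiting for the financial loss to surface.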

How often should spear phishing simulations run?

Continuously, with technique and pretext varied per round so the workforce sees a moving target rather than a memorized template library. Once-a-year campaigns produce vanity metrics; adaptive simulation produces detection improvement.

How ARG simulates spear phishing against named employees

ARG runs spear phishing simulation as a continuous, adaptive component of every engagement. It is paired with vishing, OAuth-grant testing, and (during on-site engagement years) physical pretext entries.

The simulation is built and operated by James Wall on infrastructure ARG owns. For each client, the system maintains a refreshed OSINT profile of the organization and a named set of employees (executives, finance, IT, plant managers, vendors with elevated access). The first lure rounds launch after a short observation period during which baseline communication patterns are recorded.

Pretext, lure family, channel, and timing rotate per target per round. A finance lead does not see the same vendor-invoice variant twice. An IT technician does not see the same help-desk-impersonation twice. An executive does not see the same wire-pretext from the same internal voice twice. Each test is logged: when it landed, what the recipient did, what detection fired, how the response routed. See What is AI-personalized spear phishing? for the lure-generation details.

Findings land in the monthly operational packet: who was tested, what was tried, what happened, where the workflow held and where it did not. The quarterly review tracks trend over time: detection improving, drift surfacing, controls measurably working under contact.

For founding clients, spear phishing simulation is part of the monthly retainer alongside vishing, continuous penetration testing, and on-site physical engagements. Pricing is locked for two to three years.

Apply as a founding client or see how the engagement works for the full delivery cycle.

Find what gets through.

ARG runs continuous AI-driven adversarial simulation and on-site physical audits for mid-market manufacturers. Two founding-client spots remain.

Author: James Wall · Updated 2026-05-18 · Adversarial Risk Group