Most phishing is a wide net. Spear phishing is a targeted spear — a message written just for you, using real details, often aimed at the boss. Here is why it is so much harder to catch.
Most phishing is a numbers game. The same generic email — "your account needs attention" — goes to thousands of strangers, and the attacker profits if even a few bite. Spear phishing is the opposite. It's a single message, written for one person, using real details about them and their work. And when the target is a senior leader, it gets its own name: whaling. These are the attacks that fool careful people, because they're built to.
The difference is research
Ordinary phishing is easy to dismiss once you know the signs — the generic greeting, the odd address, the obvious bait. Spear phishing removes those tells by doing homework.
An attacker spends time learning about the target before writing a word. They read your company website, your LinkedIn, your social media, your press coverage. They learn who your suppliers are, what projects you're running, who reports to whom, and even your writing style. Then they craft a message that fits seamlessly into your real life: an email that references an actual project, appears to come from a real colleague, and asks for something that would be reasonable in that context.
There's no generic greeting, because it uses your name. There's no obvious bait, because the ask is plausible. The whole point is to look like a normal Tuesday.
Whaling: aiming at the top
Whaling targets the people with the most authority and access — owners, executives, finance leaders. There are two reasons. First, these people can authorize big actions directly: a wire transfer, a change to payroll, the release of sensitive data. Second, impersonating them is powerful, because a message that appears to come from the CEO carries weight that's hard to question.
A whaling attack might impersonate the executive (to pressure an employee) or target the executive (to take over their account and use it). Either way, the stakes are high, and the message is tailored to the specific person and their world.
Why it slips through
Spear phishing defeats both your filters and your instincts. Email filters look for known-bad patterns — mass campaigns, blacklisted links, malware. A one-off, well-written message to a single person often carries none of those signatures. And your gut, trained to spot clumsy scams, doesn't fire when the message is fluent, personalized, and contextually perfect.
The arrival of AI writing tools has made the language flawless and the research faster, which removes the last easy tells — the typos and awkward phrasing that once gave scams away.
How to defend against a tailored attack
Because you can't rely on spotting a tailored message by its wording, the defense shifts to process and verification.
- Verify the action, not the message. The reliable signal isn't how an email is written — it's what it asks for. Any request to move money, change bank or payroll details, or share sensitive data gets confirmed out-of-band, by a phone call to a known number, no matter how legitimate the email looks.
- Give executives extra protection, not less. The highest-access accounts deserve the strongest multi-factor authentication and the closest monitoring, precisely because they're the prime targets.
- Reduce what's public where you can. You can't hide your whole company, but being thoughtful about what your org chart, your processes, and your team reveal online raises the cost of research.
- Normalize verification for everyone, including the boss. Whaling works partly because nobody wants to question the CEO. A culture where confirming an unusual request is standard — even for leadership — removes that pressure.
The mindset to teach is simple: a message being personal and well-written is not evidence that it's safe. The request is what you verify.
These attacks usually end at a login page or a payment, so the surrounding settings shape the outcome. Tenant Strike reviews your Microsoft 365 in read-only mode and checks the controls that matter most for your highest-value accounts — whether multi-factor authentication is enforced for administrators and executives, whether your domain is easy to impersonate, whether a compromised mailbox could quietly forward or send mail. It's a quick, plain-English read on where a well-researched attack would land hardest.
AI-researched from public sources. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.