Phishing and spear phishing are both “social engineering” cyberattacks. In both types of attacks, a cybercriminal impersonates a trustworthy person and tricks their target into revealing login credentials, installing malware, or making a wire transfer.
Phishing is “bulk”, targeting hundreds and even thousands of people at once with the same message; spear phishing is targeted, crafted for a specific individual or organization.
Note: This distinction is a big deal, affecting how you detect, mitigate, and prevent both types of attacks. A bulk campaign sends the same lure to many recipients, so reputation, signature, and volume-based filters can catch it; a spear phishing email may be unique, so detecting it depends on context, such as who the sender claims to be and whether the request fits that relationship.
As we explained in our article “What Is Phishing?,” the term “phishing” can mean two things:
In the first instance, “phishing” can refer to cyberattacks including:
In the second, specific sense, phishing means a social engineering attack (conducted via email) with no specific target.
We sometimes call this “spray-and-pray” phishing. The cybercriminal sends as many emails as they can in the hope that someone falls for their scam.
But don’t be fooled: phishing attacks aren’t necessarily amateurish operations.
Spear phishing is a targeted phishing attack. The target receives an email that addresses them directly, by name, and is built around information the attacker has gathered about them, such as their role, colleagues, or suppliers.
Any type of targeted phishing attack is a “spear phishing” attack, including:
But spear phishing is broader than this: if a Business Email Compromise attack, wire transfer phishing attack — or any other type of phishing attack — targets a specific individual, it’s a spear phishing attack.
Looking for more information about spear phishing? Check out this article: What is Spear Phishing? Targeted Phishing Attacks Explained.
Now we’re going to look at some phishing attacks and spear phishing attacks side-by-side so you can understand the differences.
The two emails below demonstrate the essential difference between phishing and spear phishing:
This is an example of a “bulk” phishing email. It doesn’t address the target by name and doesn’t contain any personal information. But because it appears to come from a trusted brand (Netflix), some of the many recipients are likely to click the link.
This is an example of a spear phishing email: CEO fraud, to be precise. The attacker has exploited a professional relationship to elicit feelings of urgency and trust: the CEO urgently needs a favor and asks an employee to pay an invoice to an unknown account. But the “CEO” is a cybercriminal who controls the “new account.”
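The two emails above can be separated by different signals: the bulk message names a trusted brand but comes from a domain that brand does not send from, and greets the reader generically; the CEO-fraud message carries an executive’s display name on an address that is not the executive’s real one, and pairs urgency with a payment request. The following triage rule is an added example, not Tessian’s code or a product feature; the internal domain, the executive directory, the brand-domain list, and the three sample messages are all constructed for illustration.

```python
"""Added example: triage a raw email into bulk phishing, spear phishing
(CEO fraud), suspicious, or none, using the signals described above.
All domains, directory entries and messages are constructed."""
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation data (constructed): our own domain and the executives
# whose display names an attacker is most likely to borrow.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Assumed brand data (constructed): domains the brand legitimately sends from.
KNOWN_BRANDS = {"netflix": {"netflix.com"}}

URGENCY_TERMS = ("urgent", "asap", "right away", "immediately")
PAYMENT_TERMS = ("invoice", "wire", "transfer", "new account", "bank details")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear subscriber")


def _sender(msg):
    """Return (display name, address, domain), all lower-cased."""
    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return display.strip().lower(), addr, domain


def _body_text(msg):
    """Plain-text body, lower-cased; empty string if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().lower() if part is not None else ""


def triage(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr, domain = _sender(msg)
    text = _body_text(msg)
    reasons = []

    # Targeted pattern (CEO fraud): an executive's display name on a message
    # that is not from that executive's directory address, plus urgent
    # payment language in the body.
    if display in EXECUTIVES and addr != EXECUTIVES[display]:
        reasons.append(f"display name '{display}' does not match directory address {EXECUTIVES[display]}")
        if any(t in text for t in URGENCY_TERMS) and any(t in text for t in PAYMENT_TERMS):
            reasons.append("urgent payment request in body")
            return {"verdict": "spear_phishing", "reasons": reasons}

    # Bulk pattern: a known brand named in the sender, a domain that brand
    # does not send from, and (typically) a generic, impersonal greeting.
    for brand, legit_domains in KNOWN_BRANDS.items():
        if (brand in display or brand in addr) and domain not in legit_domains:
            reasons.append(f"'{brand}' in sender but '{domain}' is not a known {brand} domain")
            if any(g in text for g in GENERIC_GREETINGS):
                reasons.append("generic greeting, no personalisation")
            return {"verdict": "bulk_phishing", "reasons": reasons}

    return {"verdict": "suspicious" if reasons else "none", "reasons": reasons}


# Constructed sample messages modelled on the two examples in the text.
BULK_SAMPLE = """\
From: Netflix <billing@netflix-account-update.com>
To: user@example.com
Subject: Your account is on hold
Content-Type: text/plain; charset=utf-8

Dear customer, we could not validate your billing information.
Please update your payment details here: http://netflix-account-update.com/login
"""

CEO_SAMPLE = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
To: finance@example.com
Subject: Quick favour
Content-Type: text/plain; charset=utf-8

Hi Sam, I need a favour and it is urgent. Please pay the attached invoice
to the new account details below today. I am in meetings all day, so email only.
"""

BENIGN_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Board pack
Content-Type: text/plain; charset=utf-8

Hi Sam, the board pack for Thursday is in the shared folder. Thanks, Jane.
"""

if __name__ == "__main__":
    for name, sample in (("bulk", BULK_SAMPLE), ("ceo", CEO_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(sample))  # bulk_phishing, spear_phishing, none
```

The point of the two separate branches is the one the article makes: the bulk rule keys on the lure being reusable (a brand name and a generic greeting), while the targeted rule keys on the relationship being abused (a specific executive’s identity and a request that only makes sense to that recipient). A real deployment would back the executive directory and brand domains with live data rather than the constructed values here.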
These examples should help you better understand the difference between phishing and spear phishing:
We explore phishing, spear phishing, and other social engineering attacks in greater detail in the following articles: