What is spear phishing?

Though it might sound like a fun activity for a tropical vacation, spear phishing actually refers to a targeted, electronic attack on your personal information.

To understand spear phishing, you first must understand phishing itself. Phishing is when an entity makes a fraudulent attempt to learn your usernames, passwords, bank information, or other personal details by making itself appear trustworthy. While phishing attacks are typically generic and non-targeted, spear phishing is an updated type of online scam that is tailored to its target.

If you think an email seems suspicious, it’s best to investigate further. Read on for tips on how to identify and combat spear phishing attacks.

What is spear phishing?

There’s a lot of information about you on the Internet. Each time you make a social media post or fill out a BuzzFeed quiz, for example, more of your personal information is uploaded to the web. Before you know it, things from your hometown to your pet’s name might have found its way online.

Spear phishers find and use this data to make themselves appear trustworthy and get you to give them more of your personal information. Once they have enough information, they send you an email. While some spam emails are easily identified, spear phishing emails may be less so. They might genuinely look like an email from a friend, your boss, or a store you like to visit.

Spear phishing vs. phishing

Phishing attacks are relatively low stakes, and usually easier to recognise than spear phishing attacks. Phishing emails are sent to hundreds of recipients simultaneously and they do not contain personal information.

Spear phishers will pose as a friend, boss, family member, or social media organization to gain your trust and fool you into giving them your information. These emails are well-researched and personal, making it harder to distinguish between what is real and what is fake.

Spear phishing vs. whaling

While spear phishing may target “smaller fish” like a mid-tier company employee or a random target chosen on social media, whaling goes after the “big fish.” These attacks often target C-suite executives like CEOs or CFOs to attempt to gather larger payouts and more sensitive data.

While spear phishers may pose as your boss or friend, those conducting whaling attacks will email a company’s executive posing as an employee with a question or a client asking for an invoice to get the information they want.

How to identify a spear phishing attack

Though a spear phishing email looks generally like a regular email from a friend or business, there are several ways to mark it as something more sinister.

  1. Check the sender address: Phishers can usually mimic the name of a person or organization you get emails from regularly, but might be unable to perfectly mimic their tone. If you think an email might be suspicious, check the sender’s email address — typically, there will be subtle changes, such as the letter “o” replaced with a “0.”
  2. Verify links:  If the email includes a hyperlink, a quick way to check its legitimacy is to hover over the URL. Once your mouse is hovered over the link, the full URL that is being linked to will appear. If it seems suspicious, don’t click it.
  3. Make a phone call:  In some cases, you might be fooled by a phishing email that is posing as a friend or trusted person. In these cases, if you think it’s odd that a friend would be emailing you to ask for your password or username, it could be best to give them a call and ask if it’s legit. Keep in mind, you shouldn’t share passwords or usernames.

How to protect yourself against spear phishing

Spear phishing might be more deceptive and savvier than the phishing of old, but many of the same kinds of protections apply. Being aware and using caution online can help you protect yourself and your information.

  • Avoid providing personal information: Never give out more information than you need to online.
  • Boost security settings: Many platforms allow you to boost your social media privacy so your account is private and protected. Doing so means you’re giving spear phishers less information to fool you with.
  • Sign up sparingly: Don’t sign up for apps on social networks unless they’re absolutely necessary and come from reputable sources. Remember that even reputable apps are vulnerable to attack.
  • Be smart with your passwords: Use strong passwords and vary your passwords across accounts. Password management apps can generate strong passwords and store them for you, so all you have to do is unlock the app to get into your account.
  • Keep your software updated: Make sure your internet security and operating system are up to date. When your applications are up to date, it’ll make it harder for a spear phisher to get through.

What to do if you click on a phishing link

It’s easy to get duped by spear phishing attacks. If you do click on a phishing link in an email or downloaded a suspicious attachment, here’s what to do next:

  • Disconnect from the internet: Turning off your Wi-Fi or pulling out your ethernet cable can help stop the immediate spread of the malware.
  • Backup your files: It’s smart to frequently back up your files, but in the event of an attack it becomes more crucial. Backup your important files to an external source so you’ll still have them if the cybercriminal deletes your data.
  • Change your passwords: Once a hacker gains access to one of your accounts, they can work their way through others. If you think an account has been compromised, change all of your passwords as soon as possible and consider opting for two-factor authentication where possible to practise good password security.
  • Scan your hardware: Using security software can help identify and eradicate the threat.

Becoming the victim of a spear phishing attack can feel invasive and unsettling, on top of leaving you with the clean-up task. It could take weeks or months to restore your internet security.

With vigilance and a few precautions, you can reduce your risk of falling for a spear phishing attack.

Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Copyright © 2023 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.