Spear phishing is the precision version of the broad phishing campaigns that fill spam folders. The lures are crafted for a specific recipient or small group, the content reflects real research on the target and the technical indicators that standard filters rely on are deliberately minimised. The result is messages that reach the inbox, look legitimate to even careful recipients and produce successful compromises at rates that should worry every security team.
Volume Based Detection Does Not Catch Targeted Attacks
Email security platforms classify messages partly on volume signals. A campaign that sends the same lure to thousands of recipients triggers volume based detection. A spear phishing campaign that sends a single message to one carefully chosen target sits beneath the threshold. The signals that defend against high volume phishing are largely absent in targeted campaigns. A focused external network pen testing engagement should include targeted phishing scenarios that mirror the volume profile of a real spear phishing operation.
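To make the volume argument concrete, here is an added illustration (not code from the original article or from Aardwolf Security) of why a count-based rule misses a single targeted message and what kind of per-message signal has to complement it. The message records, the domain names (example.com, examp1e.com, bulk-deals.example, partner-bank.example) and the threshold of 20 are all constructed for the example; the lookalike check uses a simple string-similarity ratio and is only one of many possible per-message signals.

```python
import hashlib
from collections import Counter
from difflib import SequenceMatcher

# Constructed message metadata: 50 copies of one bulk lure plus one
# single targeted message sent from a lookalike of the recipient's own domain.
MESSAGES = [
    {"id": i, "sender": "promo@bulk-deals.example",
     "recipient": f"user{i}@example.com", "subject": "You have won a prize"}
    for i in range(1, 51)
] + [
    {"id": 100, "sender": "cfo@examp1e.com",
     "recipient": "finance-lead@example.com",
     "subject": "Re: Q3 supplier payment - urgent approval"},
]

VOLUME_THRESHOLD = 20                              # constructed value
TRUSTED_DOMAINS = {"example.com", "partner-bank.example"}  # constructed allow-list


def subject_key(subject):
    """Normalise a subject so near-identical lures count as one campaign."""
    return hashlib.sha256(subject.lower().strip().encode()).hexdigest()


def volume_flags(messages, threshold=VOLUME_THRESHOLD):
    """Volume-based rule: flag every message whose subject appears
    at least `threshold` times in the batch. A one-off message can never
    reach the threshold, which is the gap the article describes."""
    counts = Counter(subject_key(m["subject"]) for m in messages)
    return {m["id"] for m in messages
            if counts[subject_key(m["subject"])] >= threshold}


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def lookalike_domain(domain, trusted, min_ratio=0.8):
    """Return the trusted domain this sender domain closely resembles,
    or None. Exact trusted domains are not lookalikes."""
    if domain in trusted:
        return None
    for t in trusted:
        if SequenceMatcher(None, domain, t).ratio() >= min_ratio:
            return t
    return None


def targeted_flags(messages, trusted=TRUSTED_DOMAINS):
    """Per-message rule that does not depend on volume: flag senders whose
    domain is a near-match of a trusted domain. Returns {id: [reasons]}."""
    flags = {}
    for m in messages:
        domain = sender_domain(m["sender"])
        near = lookalike_domain(domain, trusted)
        if near:
            flags[m["id"]] = [f"sender domain {domain} resembles trusted {near}"]
    return flags


if __name__ == "__main__":
    print("volume rule flags:", sorted(volume_flags(MESSAGES))[:5], "...")
    print("targeted rule flags:", targeted_flags(MESSAGES))
```

Running it shows the bulk lure (ids 1 to 50) tripping the volume rule while message 100 does not, and the lookalike rule catching message 100 alone. The point is not that a similarity ratio is a sufficient control, but that the signals which catch a targeted message must be evaluated per message rather than per campaign.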
Contextual Lures Use Real Research
Modern spear phishing draws on real corporate information. LinkedIn profiles for the target and their colleagues. Company news that explains recent organisational changes. Social media that reveals personal context. Public filings that describe ongoing business activity. The lure is plausible because the underlying context is real. The recipient cannot easily verify the message by external research because the external research supports the legitimacy of the surrounding details.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
The spear phishing emails that worked against clients in the last year all referenced real internal projects, real colleagues by name, real ongoing initiatives. None of that information was secret. It came from press releases, conference appearances and social media. The defensive lesson is that you cannot reduce the attacker information base. You can only invest in controls that survive the attacker having that information.
High Risk Roles Deserve Stronger Protection
Finance, legal and executive roles attract disproportionate spear phishing attention because they hold information or authority worth stealing. Apply stronger controls to these roles. Phishing resistant hardware tokens. Mandatory mobile device management. Browser isolation. Tighter conditional access policies. The investment is targeted, the population is small and the protection is meaningful. It is worth refreshing the threat model for high risk roles periodically. Threat actor capabilities evolve, and the controls that worked two years ago may not be sufficient today. The cost of refreshing the controls is far lower than the cost of a successful targeted attack on a senior executive.
Technical Controls Behind The Click
Because no realistic detection layer will catch every targeted message, the controls behind the inevitable successful phish matter more than ever. Phishing resistant MFA. Conditional access that flags unusual sign-in contexts. Endpoint detection capable of catching post-compromise activity. Browser isolation for high risk users. Each of these reduces the consequences of a click even if the click itself was inevitable. Combine these with periodic vulnerability scan services that exercise the post-compromise scenarios and the picture improves.
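The two sections above (stronger controls for high risk roles, and conditional access that flags unusual sign-in context) describe one policy from two angles. The following is an added worked example, not code from the article or from any identity provider, of how such a policy can be expressed and evaluated over sign-in events. The role names, MFA method labels, user addresses and the country baseline are constructed for the example; a real deployment would take them from the identity platform's own signals.

```python
from dataclasses import dataclass

# Constructed policy inputs: which roles get the stricter treatment and
# which MFA methods count as phishing resistant.
HIGH_RISK_ROLES = {"finance", "legal", "executive"}
PHISHING_RESISTANT_MFA = {"fido2", "certificate"}

# Constructed baseline of countries each user normally signs in from.
BASELINE_COUNTRIES = {
    "cfo@example.com": {"GB"},
    "analyst@example.com": {"GB", "DE"},
}


@dataclass
class SignIn:
    """One sign-in event as the policy engine would see it."""
    user: str
    role: str
    mfa: str            # e.g. "fido2", "certificate", "totp", "sms", "none"
    country: str        # ISO country code of the source address
    managed_device: bool


def evaluate(event, baseline=BASELINE_COUNTRIES):
    """Return (decision, reasons). High risk roles are blocked on any
    failed condition; other roles are asked to step up instead."""
    reasons = []
    high_risk = event.role in HIGH_RISK_ROLES

    if high_risk and event.mfa not in PHISHING_RESISTANT_MFA:
        reasons.append("high-risk role without phishing-resistant MFA")
    if high_risk and not event.managed_device:
        reasons.append("high-risk role on unmanaged device")

    known = baseline.get(event.user, set())
    if known and event.country not in known:
        reasons.append(f"sign-in from unusual country {event.country}")

    if reasons:
        return ("block" if high_risk else "step_up"), reasons
    return "allow", reasons


def evaluate_batch(events):
    """Summarise decisions for a list of events, for review or alerting."""
    return [(e.user, *evaluate(e)) for e in events]


if __name__ == "__main__":
    # Constructed events: a normal executive sign-in, the same account used
    # with a one-time code from an unmanaged device abroad (the shape a
    # successful phish produces), and an ordinary analyst travelling.
    sample = [
        SignIn("cfo@example.com", "executive", "fido2", "GB", True),
        SignIn("cfo@example.com", "executive", "totp", "US", False),
        SignIn("analyst@example.com", "analyst", "totp", "FR", True),
    ]
    for row in evaluate_batch(sample):
        print(row)
```

The design choice worth noting is that the same unusual-country signal produces a step-up for a general user but a hard block for a high risk role: the stronger control is applied to the small population the article singles out, and a stolen password plus a relayed one-time code is stopped at sign-in rather than detected afterwards.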
Spear phishing succeeds because it is well researched, well written and well targeted. The defence has to assume some messages will work and be prepared for that in advance; improvisation rarely wins against patient attackers. Phishing combines social and technical elements in ways that pure technical defences cannot fully address, and the combination of cultural and technical investment produces measurably better outcomes than either approach pursued in isolation.