What Is Spear Phishing (And Why You're Not Too Small to Be Targeted)
Regular phishing is a numbers game. Send a million dodgy emails, hope a few thousand people click. Spear phishing is completely different — it's targeted, personalised, and surgical. And it's coming for businesses of every size.
What makes spear phishing different?
With regular phishing, the attacker knows almost nothing about you. They're casting a wide net.
With spear phishing, the attacker has done their homework. They know your name, your job title, your company, who your clients are, who your boss is, and sometimes even what you were working on last week. The email they send you is tailored specifically to you — and it's terrifyingly convincing.
How do they gather information?
LinkedIn is a goldmine for spear phishers. It tells them exactly who works where, what their role is, who their colleagues are, and sometimes even what projects they're working on.
Facebook, Instagram, and Twitter can reveal personal details — a recent holiday, a family event, a local sports team — that make a personalised scam email feel even more authentic.
Company websites often list staff, departments, and even email address formats. If they know your MD is "john.smith@yourcompany.com.au," they can work out the email format for every other staff member.
A real-world example:
An attacker researches a Melbourne-based accounting firm on LinkedIn. They find that a junior accountant recently started and is assisting a senior partner with a client called "Apex Constructions."
The attacker sends an email to the junior accountant that says: "Hi [Name], just following up on the Apex file — can you resend the client portal login? I've lost access." Signed: [Senior Partner's Name].
It's plausible. It's timely. It uses real names. And if the junior accountant doesn't verify it by walking down the hall or making a quick call, they might just hand over exactly what the attacker wants.
Why "we're too small to be targeted" is a myth
Spear phishing attacks against SMBs have increased significantly, precisely because criminals know that small businesses typically have:
- Less rigorous security processes
- Less IT oversight
- Staff who wear multiple hats and don't have time to second-guess every email
- Access to payment systems, client data, and banking credentials
You don't need to be a big corporation to be worth attacking.
How to protect your business:
- Verify unusual requests in person or by phone. No matter how authentic an email looks, if it's asking for credentials or payment, pick up the phone, using a number you already have on file rather than one supplied in the email itself.
- Limit what you share publicly. Audit your company website and social media for details that could be used against you.
- Train your team on personalised scams. Staff need to know that phishing isn't always generic — sometimes it knows your name.
- Use multi-factor authentication (MFA). Even if a password is stolen via spear phishing, MFA means that password alone isn't enough for criminals to log in.
The best defence is a sceptical team
Not paranoid — sceptical. A team that knows to pause, question, and verify before acting on unusual requests is worth more than any piece of security software.