Phishing and spear-phishing are both "social engineering" cyberattacks. In both types of attacks, a cybercriminal impersonates a trustworthy person and tricks their target into revealing login credentials, installing malware, or making a wire transfer.
This is a summary of the similarities and differences between phishing and spear-phishing.
Think of it this way:
- Phishing is like catching fish using a line — you cast your rod into the water and see what bites.
- With spear-phishing, you choose the fish you want and aim the spear right at it.
Note: This distinction is a big deal, affecting how you detect, mitigate, and prevent both types of attacks.
What is phishing?
As we explained in our article "What Is Phishing?" the term "phishing" can mean two things:
- An umbrella term covering many types of cyberattacks
- A specific type of cyber attack: an untargeted social engineering attack conducted via email
Join 30,000+ fundraising professionals that receive our weekly Sunday newsletter with industry trends, tips, and analysis delivered right to your inbox
In the first instance, "phishing" can refer to cyberattacks including:
- Business Email Compromise: A phishing attack utilizing an impersonated, spoofed, or hacked business email address
- Wire transfer phishing: A phishing attack that attempts to trick the target into making a fraudulent transfer to the attacker
- Smishing: Phishing via SMS
- Vishing: Phishing via voice, e.g., phone or VoIP software
In the second, specific sense, phishing means a social engineering attack (conducted via email) with no particular target.
We sometimes call this "spray-and-pray" phishing. The cybercriminal sends as many emails as they can in the hope that someone falls for their scam.
But don't be fooled: phishing attacks aren't necessarily amateurish operations.
What is spear-phishing?
Spear-phishing is a targeted phishing attack. The target receives an email that addresses them directly — by name.
Any targeted phishing attack is a "spear-phishing" attack, including:
- Whaling: A spear-phishing attack targeting company executive
- CEO fraud: A spear-phishing attack where the fraudster impersonates a company's CEO and targets another company's employees.
But spear-phishing is broader than this: if a Business Email Compromise attack, wire transfer phishing attack — or any other type of phishing attack — targets a specific individual, it's a spear-phishing attack.
Phishing vs. spear-phishing examples
There are certain things you can look for to identify if an email is a phishing or spear-phishing attempt.
First, many email providers will warn you if the sender is impersonating someone else. In this case, the sender was claiming to be from a different company than the reflected domain.
In this case, the attacker is impersonating Netflix. Make sure to check the domain name on any emails that look strange. Changes can be subtle, like using the domain "@netfIix.com" replacing the "L" with an upper-case "I".
This would be an example of a "bulk" phishing email. These attacks don't address the target by name or contain any personal information. But, because it appears to come from a trusted brand (Netflix), there is still a chance of success.
This is an example of a targeted spear-phishing attack. In this case, the attacker is impersonating the target's colleague.
This is an example of a spear-phishing email: CEO fraud, to be precise. The attacker has exploited a professional relationship to elicit feelings of urgency and trust — the CEO urgently needs a favor and requests an employee to pay an invoice to an unknown account. But the "CEO" is a cybercriminal who controls the "new account."
These examples should help you better understand the difference between phishing and spear-phishing:
- Phishing succeeds by sheer volume: send a fraudulent email out to enough people, and someone will fall for it eventually.
- Spear-phishing succeeds through more sophisticated methods: send one fraudulent email containing personal information to a specific individual.
UP NEXT: Why People Fall For Phishing Attacks