Spear phishing is a targeted phishing attack tailored to a specific person, team, or job role. Instead of sending a generic scam message to many users, the attacker researches the target and writes a lure that feels relevant, such as a fake password reset, invoice, vendor notice, or executive request.
This matters because targeted messages are more convincing and often aim at people with privileged access, such as IT staff, finance teams, or managers who can approve changes. A successful spear phishing message can lead to credential theft, malware delivery, or fraudulent approvals that open access to email, cloud tools, or internal systems. Defenses focus on reducing the value of stolen credentials and on verifying unusual requests: phishing-resistant authentication, least-privilege access, out-of-band confirmation for sensitive actions, and monitoring for abnormal logins or admin changes. Good security awareness also helps by making verification a habit, especially when the message creates urgency.
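The "monitoring for abnormal logins or admin changes" defense mentioned above is easier to reason about with concrete detection logic. The following is an added example written for this page, not code from the original text or from any product: it runs three simple rules over a constructed set of authentication and role-change events (a success from a country absent from the user's recent history, repeated failures from one source just before a success, and an admin grant shortly after such a novel login). The event field names (`user`, `event`, `outcome`, `src_country`, `src_ip`, `new_role`), the 30-day baseline, the 10-minute and 1-hour windows and the failure threshold are all assumptions chosen for the illustration, and the country code `ZZ` is a user-assigned placeholder rather than a real location.

```python
"""Added example (not from the original page): flag the kind of login and
privilege-change anomalies that follow a successful spear-phishing lure.
All events below are constructed sample data; the field names and the
thresholds are assumptions, not the schema of any particular product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one dict per log line, ISO-8601 UTC timestamps.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "alice", "event": "login", "outcome": "success", "src_country": "DE", "src_ip": "203.0.113.10"},
    {"ts": "2024-03-02T09:05:00", "user": "alice", "event": "login", "outcome": "success", "src_country": "DE", "src_ip": "203.0.113.10"},
    {"ts": "2024-03-03T09:01:00", "user": "alice", "event": "login", "outcome": "success", "src_country": "DE", "src_ip": "203.0.113.11"},
    # Phished credentials used from a source alice has never logged in from ("ZZ" is a placeholder code).
    {"ts": "2024-03-04T02:10:00", "user": "alice", "event": "login", "outcome": "failure", "src_country": "ZZ", "src_ip": "198.51.100.7"},
    {"ts": "2024-03-04T02:10:20", "user": "alice", "event": "login", "outcome": "failure", "src_country": "ZZ", "src_ip": "198.51.100.7"},
    {"ts": "2024-03-04T02:11:00", "user": "alice", "event": "login", "outcome": "success", "src_country": "ZZ", "src_ip": "198.51.100.7"},
    # Minutes later the same account grants admin rights to another user.
    {"ts": "2024-03-04T02:25:00", "user": "alice", "event": "role_change", "target": "bob", "new_role": "admin", "src_ip": "198.51.100.7"},
    # A normal login by an unrelated user, which should not be flagged.
    {"ts": "2024-03-04T08:00:00", "user": "carol", "event": "login", "outcome": "success", "src_country": "DE", "src_ip": "203.0.113.20"},
]

BASELINE_DAYS = 30                  # how far back a country counts as "known"
FAILURE_WINDOW = timedelta(minutes=10)
FAILURE_THRESHOLD = 2               # failures from one source before a success
ADMIN_WINDOW = timedelta(hours=1)   # admin grant this soon after a novel login


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """Return (rule, user, timestamp) findings, in event order.

    Rules:
      new-country-login       success from a country with no successful login
                              by that user in the prior BASELINE_DAYS
      failures-then-success   >= FAILURE_THRESHOLD failures from the same
                              (user, src_ip) within FAILURE_WINDOW of a success
      admin-after-novel-login role_change to 'admin' by a user within
                              ADMIN_WINDOW of their own new-country login
    """
    events = sorted(events, key=_ts)
    seen_countries = defaultdict(dict)   # user -> {country: last success ts}
    recent_failures = defaultdict(list)  # (user, src_ip) -> [failure ts, ...]
    novel_logins = {}                    # user -> ts of last new-country login
    findings = []
    for e in events:
        t, user = _ts(e), e["user"]
        if e["event"] == "login":
            key = (user, e["src_ip"])
            if e["outcome"] == "failure":
                recent_failures[key].append(t)
                continue
            # Successful login: check for a brute-force/guessing prelude first.
            fails = [f for f in recent_failures[key] if t - f <= FAILURE_WINDOW]
            if len(fails) >= FAILURE_THRESHOLD:
                findings.append(("failures-then-success", user, e["ts"]))
            recent_failures[key] = []
            # Then compare the source country against the user's own baseline.
            history = seen_countries[user]
            last = history.get(e["src_country"])
            if last is None or t - last > timedelta(days=BASELINE_DAYS):
                if history:  # a user's very first login has no baseline to compare with
                    findings.append(("new-country-login", user, e["ts"]))
                    novel_logins[user] = t
            history[e["src_country"]] = t
        elif e["event"] == "role_change" and e.get("new_role") == "admin":
            # Privilege changes are far more suspicious right after a novel login.
            novel = novel_logins.get(user)
            if novel is not None and t - novel <= ADMIN_WINDOW:
                findings.append(("admin-after-novel-login", user, e["ts"]))
    return findings


if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_EVENTS):
        print(f"{ts} {user}: {rule}")
```

The first-login exemption is deliberate: without a baseline, every country is "new", so the rule would fire on every onboarded account. In a real deployment the baseline would come from historical data rather than from the stream itself, and the admin-change rule would key on the acting session or device as well as the account, since the attacker's session and the victim's legitimate one share a username.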