Phishing and spear phishing get used almost interchangeably, but they describe two genuinely different levels of threat, and knowing the difference helps explain why some attacks are far harder to spot than others.
Phishing: cast a wide net
Standard phishing is generic. The attacker sends the same email to thousands of people, impersonating a recognisable brand — a bank, a delivery company, Microsoft — hoping a small percentage of recipients click a malicious link or hand over login details. The email isn’t written for any specific person; it’s written to work on as many people as possible.
Spear phishing: a targeted attack
Spear phishing is personal. The attacker researches a specific individual or business beforehand — your name, your role, your colleagues, a recent project, a supplier you actually work with — and builds an email specifically designed to look credible to you. It might appear to come from your own MD, referencing something genuinely relevant to your business. This is far harder to spot than generic phishing, because the usual red flags (a stranger’s name, an unrelated company, generic greetings) simply aren’t present.
How to tell them apart
- Personalisation. Spear phishing references real, specific details — your name, your job title, a genuine project or colleague. Generic phishing casts a wide net with no personal detail at all.
- Sender authenticity. Spear phishing often uses a spoofed or compromised genuine-looking address, sometimes impersonating someone you actually work with. Generic phishing more often uses an address that’s close to, but not quite, a legitimate one.
- The payload. Spear phishing attachments and links are tailored to look relevant to the target’s actual work. Generic phishing tends to use broader, less specific bait.
How we protect against both
Email defence. We filter phishing attempts before they reach the inbox, including sender authentication checks (SPF, DKIM, DMARC) that make it significantly harder for an attacker to convincingly impersonate your own domain or a supplier’s domain — one of the key techniques behind a convincing spear phishing attempt. See our Email Defence Services page.
Multi-factor authentication. Even if a spear phishing attempt successfully captures a password, MFA stops the attacker getting any further without the second verification step. This remains one of the most effective protections against the consequences of a successful attack. See our MFA vs 2FA page for our full position on this.
Web-level threat blocking. Malicious links, however convincing the surrounding email, still need to connect to a malicious destination. DNS filtering blocks that connection before it loads. See our DNS Security page.
Security awareness training. Spear phishing specifically relies on a target trusting a personalised, convincing message. Training — including phishing simulations — helps your team build the habit of verifying unusual or urgent requests through a separate channel, regardless of how legitimate the message looks. See our Cybersecurity Awareness Training page.
Patching and updates. Spear phishing payloads sometimes rely on exploiting unpatched software. Automatic, tested patching closes that gap.
One monthly fee. One number to call.
The day-to-day risk of a convincing, personalised email catching someone out becomes our job too — not yours alone.
