Spear Phishing vs Phishing: How to Tell the Difference

Hooded figure at a computer representing a phishing cyber attack

Phishing and spear phishing get used almost interchangeably, but they describe two genuinely different levels of threat, and knowing the difference helps explain why some attacks are far harder to spot than others.

Phishing: cast a wide net

Standard phishing is generic. The attacker sends the same email to thousands of people, impersonating a recognisable brand — a bank, a delivery company, Microsoft — hoping a small percentage of recipients click a malicious link or hand over login details. The email isn’t written for any specific person; it’s written to work on as many people as possible.

Spear phishing: a targeted attack

Spear phishing is personal. The attacker researches a specific individual or business beforehand — your name, your role, your colleagues, a recent project, a supplier you actually work with — and builds an email specifically designed to look credible to you. It might appear to come from your own MD, referencing something genuinely relevant to your business. This is far harder to spot than generic phishing, because the usual red flags (a stranger’s name, an unrelated company, generic greetings) simply aren’t present.

How to tell them apart

  • Personalisation. Spear phishing references real, specific details — your name, your job title, a genuine project or colleague. Generic phishing casts a wide net with no personal detail at all.
  • Sender authenticity. Spear phishing often uses a spoofed or compromised genuine-looking address, sometimes impersonating someone you actually work with. Generic phishing more often uses an address that’s close to, but not quite, a legitimate one.
  • The payload. Spear phishing attachments and links are tailored to look relevant to the target’s actual work. Generic phishing tends to use broader, less specific bait.

How we protect against both

Email defence. We filter phishing attempts before they reach the inbox, including sender authentication checks (SPF, DKIM, DMARC) that make it significantly harder for an attacker to convincingly impersonate your own domain or a supplier’s domain — one of the key techniques behind a convincing spear phishing attempt. See our Email Defence Services page.

Multi-factor authentication. Even if a spear phishing attempt successfully captures a password, MFA stops the attacker getting any further without the second verification step. This remains one of the most effective protections against the consequences of a successful attack. See our MFA vs 2FA page for our full position on this.

Web-level threat blocking. Malicious links, however convincing the surrounding email, still need to connect to a malicious destination. DNS filtering blocks that connection before it loads. See our DNS Security page.

Security awareness training. Spear phishing specifically relies on a target trusting a personalised, convincing message. Training — including phishing simulations — helps your team build the habit of verifying unusual or urgent requests through a separate channel, regardless of how legitimate the message looks. See our Cybersecurity Awareness Training page.

Patching and updates. Spear phishing payloads sometimes rely on exploiting unpatched software. Automatic, tested patching closes that gap.

One monthly fee. One number to call.

The day-to-day risk of a convincing, personalised email catching someone out becomes our job too — not yours alone.

Book your free site survey or call +44 (0) 207 403 4031

FAQ

Common questions

What is the difference between phishing and spear phishing?

Phishing is generic — the same email sent to a large number of people, impersonating a recognisable brand and hoping a small percentage click a malicious link. Spear phishing is targeted — the attacker researches a specific individual or business beforehand and crafts a personalised, highly credible message designed specifically to deceive that target.

Why is spear phishing harder to spot than regular phishing?

Spear phishing emails reference real, specific details — a name, a job title, a genuine colleague or project — that make them look far more credible than a generic phishing attempt. The usual warning signs of generic phishing — a stranger’s name, an unrelated company, a generic greeting — simply aren’t present in a well-researched spear phishing attempt.

Who is most likely to be targeted by spear phishing?

Spear phishing often targets specific individuals with access to valuable information or financial authority — finance staff, senior managers, or anyone who regularly approves payments or has access to sensitive data. Attackers research their target’s role and relationships beforehand to make the attack as convincing as possible.

Can multi-factor authentication protect against spear phishing?

Yes, significantly. Even if a spear phishing email successfully tricks someone into entering their password, MFA prevents the attacker from accessing the account without completing a second verification step. This remains one of the most effective protections against the consequences of a successful phishing attempt, regardless of how convincing the original message was.

What should someone do if they suspect they’ve received a spear phishing email?

Don’t click any links or reply directly. If the email claims to be from a colleague or supplier requesting something unusual, verify the request through a separate, known communication channel — a phone call to a number you already have, not one provided in the email. Report the email to your IT support team immediately so any related accounts can be checked.

Does Network Fish protect against spear phishing specifically?

Yes. Our email defence service, including sender authentication checks, helps prevent domain spoofing — one of the key techniques used in spear phishing. This works alongside MFA, DNS filtering, and security awareness training, including phishing simulations, to address both the technical and human sides of the threat.