Spear phishing is targeted phishing aimed at a specific person, drafted with information about their role, contacts, current projects, and personal context. Standard delivery vector for nation-state campaigns and commercial-spyware operations against journalists, lawyers, and dissidents. The recipient’s personal context, not generic email hygiene, is what keeps it out.
What it means in practice
A spear-phishing message looks like a legitimate work email because it is built on real information about the target. The reconnaissance happens before the email is sent: LinkedIn profile, Twitter activity, prior breach data exposing past coworkers and email patterns, Google Scholar or speaker bureau showing current projects, conference attendance lists. The message arrives from a plausible-looking sender (a spoofed colleague, a known contact whose account was compromised, a fictitious journalist asking for an interview), references a specific topic the target is currently working on, and asks for an action that seems normal in context (review this attachment, log into this collaboration tool, click this link to a shared document). The attack succeeds because the message is consistent with the target’s actual life, not because the target lacks vigilance.
Who is targeted, and by whom
Targeted: investigative journalists working on sensitive stories (nation-state and commercial-spyware actors use spear phishing to deliver Pegasus-class implants when zero-clicks are unavailable or too expensive), executives at companies the attacker wants to social-engineer for wire fraud or data exfiltration, lawyers handling controversial matters where opposing parties seek to intercept strategy, government employees with access to classified or sensitive information. The actor tier ranges from sophisticated cybercrime crews running BEC campaigns at scale, to commercial spyware operators delivering implants on customer government tasking, to nation-state groups (Charming Kitten, APT28, APT41) with multi-month reconnaissance and customization budgets per target.
What you can change today
Three structural defenses. First, treat any “urgent” or “important” email asking for credential entry, file open, or immediate action as suspect by default; verify the sender through a separate channel (call the colleague directly, check the contact through your existing relationship, never via the contact info in the suspect email). Second, hardware-key 2FA on the keystone accounts (primary email, password manager, code repositories, cloud infrastructure) which structurally defeats the credential-relay phase even if the social engineering succeeds. Third, audit your public-information footprint quarterly: what does your LinkedIn, Twitter, About page, and conference history tell an attacker about what you are currently working on. The reconnaissance-side reduction lowers the attacker’s lift; the structural-side defense raises the cost of compromise.
