Spear phishing is phishing that is targeted to a specific person, team, or organization. It often uses real names, current projects, vendors, or internal context to look legitimate.
Why it matters for account recovery
Targeted lures are more likely to bypass generic training because they match real workflows. That makes verification procedures and approval rules more important than generic "spot the typo" advice.
Common failure modes and misconceptions
- Trusting the thread: Reply-chain hijacks and lookalike domains can make a message look internal when it is not.
- Authority pressure: Attackers often impersonate executives or vendors to bypass process around access and payments.
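The two failure modes above both hinge on a sender that looks internal or known but is not. Below is an added example (not from the original page) of the defender-side check a mail gateway or triage script can run over message headers: it compares the From: domain against a constructed allowlist of the organization's own and vendor domains, flags homoglyph variants, near-miss spellings and subdomain tricks as lookalikes, and separately flags a trusted From: paired with a different Reply-To:, which is how a hijacked thread is often redirected. The trusted domains, the homoglyph table and the sample headers are all constructed for the demo; the heuristics are generic and go beyond the specific cases the page names.

```python
"""Lookalike-domain and Reply-To triage for inbound mail headers (added demo code)."""
import re
from dataclasses import dataclass, field

# Constructed allowlist for the demo: the organization's own domain plus known vendors.
TRUSTED_DOMAINS = {"example-corp.com", "acme-vendor.com"}

# Single-character swaps commonly seen in lookalike domains (assumed, not exhaustive).
_CHAR_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Multi-character swaps have to be handled with str.replace.
_SEQ_MAP = (("rn", "m"), ("vv", "w"), ("cl", "d"))

_ADDR_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def extract_domain(header_value: str) -> str:
    """Pull the domain out of a From:/Reply-To: value such as 'Name <user@host>'."""
    m = _ADDR_RE.search(header_value)
    if not m:
        raise ValueError(f"no address found in {header_value!r}")
    return m.group(1).lower().strip(".")


def normalize(domain: str) -> str:
    """Collapse visual substitutions so 'examp1e-corp.com' compares equal to 'example-corp.com'."""
    d = domain.lower().translate(_CHAR_MAP)
    for src, dst in _SEQ_MAP:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance via the rolling-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    domain: str
    label: str                      # "trusted", "lookalike", "external" or "suspicious"
    reasons: list = field(default_factory=list)


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> Verdict:
    """Decide whether a sender domain is trusted, impersonates a trusted one, or is simply external."""
    domain = domain.lower()
    if domain in trusted:
        return Verdict(domain, "trusted")
    norm = normalize(domain)
    for t in trusted:
        if norm == normalize(t):
            return Verdict(domain, "lookalike", [f"homoglyph variant of {t}"])
        if edit_distance(domain, t) <= max_distance:
            return Verdict(domain, "lookalike", [f"within {max_distance} edits of {t}"])
        # Subdomain / prefix trick: the trusted name embedded in an unrelated registered domain.
        if t in domain or t.split(".")[0] in domain:
            return Verdict(domain, "lookalike", [f"embeds trusted name {t}"])
    return Verdict(domain, "external")


def check_message(headers: dict) -> Verdict:
    """Classify the From: domain and flag a Reply-To: that redirects a trusted-looking thread."""
    verdict = classify_domain(extract_domain(headers["From"]))
    reply_to = headers.get("Reply-To")
    if reply_to:
        rt_domain = extract_domain(reply_to)
        if rt_domain != verdict.domain:
            verdict.reasons.append(f"Reply-To domain {rt_domain} differs from From domain")
            if verdict.label == "trusted":
                verdict.label = "suspicious"
    return verdict


# Constructed sample headers for the demo.
SAMPLE_MESSAGES = [
    {"From": "Alice <alice@example-corp.com>"},
    {"From": "CFO <cfo@examp1e-corp.com>"},
    {"From": "Billing <billing@acme-vendor.co>"},
    {"From": "Portal <noreply@acme-vendor.com.invoice-portal.net>"},
    {"From": "Bob <bob@example-corp.com>", "Reply-To": "bob.personal@freemail.example"},
    {"From": "News <news@unrelated-newsletter.org>"},
]


def triage(messages=SAMPLE_MESSAGES):
    """Run every sample message through check_message and return the verdicts in order."""
    return [check_message(m) for m in messages]


if __name__ == "__main__":
    for v in triage():
        print(f"{v.domain:42} {v.label:10} {'; '.join(v.reasons)}")
```

A verdict of "lookalike" or "suspicious" is the cue to apply the out-of-band verification rule rather than to trust the thread. The edit-distance threshold of 2 is a demo value: on very short legitimate domains it will produce false positives, so tune it per allowlist, and treat the homoglyph table as a starting point rather than a complete one.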
Safe best practices
- Require out-of-band verification for payment changes and access requests.
- Train variants beyond email, including vishing and smishing.
- Treat permission prompts as part of the attack surface (see OAuth consent).
Spear phishing is less about technical sophistication and more about context. Strong defenses are procedural: verification rules that hold even when the request looks familiar.
