Unlike mass phishing, spear phishing targets specific individuals with personalised messages using researched personal details. It is the most effective form of phishing — and the one most likely to succeed even against security-aware professionals.
Mass phishing casts the widest possible net — millions of identical or near-identical messages, sent to harvested email addresses, hoping a small percentage will respond. Spear phishing is the opposite approach: a single message, carefully crafted for a specific individual, using personal details that would not appear in a generic phishing email. While mass phishing relies on scale, spear phishing relies on precision — and precision dramatically increases the probability that the target will believe the message is legitimate and act on it without scrutiny.
The research phase of a spear phishing attack can be extensive. Attackers compile information from LinkedIn (job title, employer, colleagues' names, professional history), company websites (organisational structure, publicly listed contact details, recent announcements), social media (personal interests, recent activities, family details, location), and data breach databases (email addresses, previous passwords, partial financial information). This intelligence is used to craft a message that references specific, accurate details about the target's professional and personal context — creating the impression that the sender genuinely knows the target and has a legitimate relationship with them.
The success rate of spear phishing is significantly higher than that of mass phishing. Security research consistently shows that personalised phishing messages achieve click-through rates several times higher than generic equivalents. The FBI's Internet Crime Complaint Center identifies spear phishing and its business variant, Business Email Compromise (BEC), as the highest-value cybercrime category by financial loss globally. In Hong Kong, the HKPF Cyber Security and Technology Crime Bureau consistently reports spear phishing and BEC among the highest-value business fraud categories, with losses concentrated in finance, professional services, and real estate sectors where large-value transactions are routine.
The construction of a spear phishing attack follows a reconnaissance-to-delivery pipeline. Open Source Intelligence (OSINT) gathering — using publicly available information about the target — provides the raw material. A sophisticated attacker targeting a finance director at a Hong Kong property company will know the director's full name, employer, role, likely reporting structure, the company's auditors and bankers, recent corporate transactions, and possibly the director's educational background, professional associations, and LinkedIn connections. All of this is publicly available and takes relatively little time to compile using standard OSINT techniques and commercial data broker services.
Email spoofing or domain impersonation gives the message a sender address that appears legitimate. An attacker targeting a Hong Kong finance director might register a domain like "pwc-hk.audit.com" or "hsbc-corporate.hk" and construct an email that appears to come from the target's auditors or bank. Alternatively, if a colleague's or supplier's email account has been compromised in a previous breach, the attacker can send from that genuine account — making detection nearly impossible for the recipient. Whaling is a subtype targeting senior executives specifically; a CEO impersonation attack targeting the CFO to authorise a wire transfer is both whaling and a form of BEC.
AI has dramatically lowered the cost and time required to execute spear phishing attacks. Large language models can generate entirely personalised, grammatically perfect phishing emails from a briefing of key facts about the target in seconds. This collapses the distinction between mass and spear phishing in terms of effort — attackers can now generate thousands of individually personalised emails with AI, rather than having to choose between scale and personalisation. The emergence of AI-generated spear phishing means that receiving a personalised email that references your employer, job role, and colleagues is no longer evidence that it comes from a source with genuine knowledge of you.
Detecting spear phishing requires moving beyond the traditional red flags of spelling errors and generic greetings — because spear phishing exhibits neither. The detection focus must shift to structural and procedural analysis: is this communication channel appropriate for this request? Would this organisation actually send this request this way? Does the request align with established processes, or is it asking to bypass them? Any message — however well-crafted and personally addressed — that asks for an exception to normal procedure, requests unusual urgency, or involves a financial action outside established approval channels deserves out-of-band verification.
Sender domain analysis remains valuable even against spear phishing. Carefully examine the sender's domain character by character — typosquatting domains used in targeted attacks are designed to look like the expected sender's domain at a glance, but differ by one character, use a different top-level domain, or add a word. On mobile devices, email clients often show only the display name and not the underlying address by default — always tap to expand the sender details and verify the actual address domain before acting on any significant request. Be aware that Unicode homoglyph attacks use characters from non-Latin scripts that appear visually identical to standard ASCII characters.
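As an added illustration, not part of the original article, the following Python function applies the checks described above to a From: header: it flags non-ASCII or Punycode labels (possible homoglyphs), a matching name under a different top-level domain, a single-character difference, and the expected name embedded inside another registered domain. All domains used with it here are constructed placeholders.

```python
import unicodedata
from email.utils import parseaddr

def sender_domain(header_from: str) -> str:
    """Extract the lower-cased domain from a From: header value (display name ignored)."""
    _display_name, addr = parseaddr(header_from)
    return addr.rpartition("@")[2].lower()

def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i, j, seen_edit = 0, 0, False
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        if seen_edit:
            return False
        seen_edit = True
        if len(a) >= len(b):  # skip the extra char in the longer string; both on substitution
            i += 1
        if len(b) >= len(a):
            j += 1
    return True

def assess_sender_domain(header_from: str, expected: str) -> list[str]:
    """List why the sender's domain is suspicious relative to the expected one; [] = exact match."""
    domain, expected = sender_domain(header_from), expected.lower()
    if domain == expected:
        return []
    reasons = []
    # Homoglyph check: a domain that should be plain ASCII must contain neither
    # non-ASCII characters nor Punycode (xn--) labels.
    if not domain.isascii() or any(l.startswith("xn--") for l in domain.split(".")):
        reasons.append("non-ASCII or Punycode characters in domain (possible homoglyph)")
    # Structural checks on the NFKC-normalised form (collapses width/compatibility variants).
    folded = unicodedata.normalize("NFKC", domain)
    name, _, tld = folded.rpartition(".")
    exp_name, _, exp_tld = expected.rpartition(".")
    if folded == expected:
        pass  # differs only in characters that normalise away; already flagged above
    elif name == exp_name:
        reasons.append(f"same name, different top-level domain: .{tld} vs .{exp_tld}")
    elif within_one_edit(name, exp_name):
        reasons.append("domain name differs from the expected one by a single character")
    elif exp_name in name:
        reasons.append("expected name embedded in a different registered domain")
    return reasons or ["domain does not match the expected sender"]
```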
The most reliable defence against spear phishing is a call-back verification protocol for any unexpected financial or credential request, regardless of how convincing the message appears. If an email that appears to come from a colleague, supplier, or banking contact requests an unusual action — a wire transfer, a password reset, a document upload — call that person on a previously known phone number (not a number provided in the email) to confirm they sent the request. This one step breaks the majority of spear phishing attacks because the attacker cannot answer the phone as the impersonated person. Establish this protocol as a normal business procedure rather than an exceptional response — it should apply to all unusual requests regardless of how trusted the apparent sender appears.
Technical email authentication — DMARC, DKIM, and SPF — significantly reduces an organisation's vulnerability to email domain spoofing used in spear phishing. SPF specifies which mail servers are authorised to send email from a domain. DKIM adds a cryptographic signature to outgoing emails that receiving servers can verify. DMARC ties these together, instructing receiving mail servers to reject or quarantine emails that fail SPF or DKIM checks purporting to come from the organisation's domain. Implementing DMARC with a reject policy prevents external parties from spoofing your domain in attacks against your partners and customers — and checking that your email providers enforce these standards protects your own inbound mail.
Security awareness training that includes simulated spear phishing exercises is significantly more effective than general phishing awareness training for high-risk roles. Simulated attacks that incorporate real OSINT data about the target — their role, colleagues' names, business context — train employees to recognise the specific type of personalised attack they are most likely to face. Many Hong Kong organisations now engage cybersecurity consultancies to run targeted phishing simulations as part of their security culture programme; the HKCERT also provides resources for organisations looking to improve their phishing resistance. Roles with privileged access to financial systems, email administration, or sensitive data should receive the most intensive training and the most stringent verification procedures.
Privileged access management reduces the impact when a spear phishing attack does succeed. If an executive is compromised, the damage is limited by whether their credentials provide access to payment systems and whether payment authorisation requires multiple approvals. Implementing dual-authorisation for wire transfers above a threshold, requiring out-of-band confirmation for payment instruction changes, and applying the principle of least privilege to system access all limit the blast radius of a successful spear phishing credential compromise. These controls are particularly relevant in Hong Kong where BEC fraud targeting payment instruction changes is among the most commonly reported business fraud types.