What is spear phishing?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Spear phishing is a targeted phishing attack where the attacker customizes the message for a specific person, often using personal details, job role, or business context to make it look legit. Instead of blasting the same "You've won a prize!" email to 10,000 people, spear phishers research their target and craft an email that looks like it came from someone that person actually knows.

Examples: an email that looks like it's from your CFO asking you to wire money for an urgent vendor payment, or a message that appears to be from IT support asking you to verify your password. The attacker knows your CFO's name, your company's vendor relationships, and what a real IT ticket looks like. That's what makes it dangerous.

A more extreme version is whaling (also called Business Email Compromise), which targets C-level executives and has cost companies billions in fraudulent wire transfers. The attacker might spend weeks researching the target's travel schedule, email patterns, and business deals to time the attack perfectly.

Why email senders should care: spear phishing attacks often spoof your domain to make the attack look like it came from you. If attackers successfully impersonate your brand and trick someone into wiring $50,000, your domain's reputation takes a hit. Victims associate the attack with your domain even though you never sent it.

And That's where SPF, DKIM, and DMARC come in. Proper authentication makes it harder for attackers to spoof your domain because receiving mail servers can verify whether an email claiming to be from you actually came from your authorized servers. Setting your DMARC policy to p=reject tells mailboxes to block emails that fail authentication, which stops most spoofing attempts cold.

Want to check if your domain is protected against spoofing? Try our free DMARC generator to set up a policy, or ask us if you're not sure where to start.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check My Domain's Spoofing Risk

I read this on the Email Almanac about spear phishing: "Spear phishing is a targeted attack where attackers customize emails for specific people using personal details or business context. They often spoof your domain to make the attack look like it came from you, which can hurt your sender reputation even though you never sent it." Help me understand how this applies to MY domain and sending setup. I need: 1. How to check if my domain is being spoofed for phishing attacks 2. What authentication records (SPF, DKIM, DMARC) I should have in place 3. Whether my current DMARC policy is strong enough to block spoofing attempts 4. How to monitor for unauthorized sending from my domain 5. What to do if someone reports a spear phishing attack that spoofed my domain --- My details (the more you share, the better the advice): - Domain(s): your sending domain(s) - Email platform/ESP: e.g. Mailchimp, SendGrid, Postmark, HubSpot, custom SMTP - Current authentication setup: if you know: SPF record status, DKIM enabled, DMARC policy - Sending volume: e.g. 5,000/month or 500/day - Recent issues: [any reports of spoofing, phishing complaints, or domain impersonation] - Experience level: beginner / intermediate / advanced

Edit the yellow boxes, then send to the AI of your choice.