Phishing and Spear Phishing Attacks: What’s the Difference?

June 10, 2020 • Zachary Amos


If you’ve spent any amount of time reading about cybersecurity, you’ve come across a lot of different terms. Keeping track of all of them can be challenging, especially when a lot sound so similar. For instance, what differentiates phishing and spear phishing attacks?

Phishing scams like business email compromise (BEC) attacks caused more than $1.7 billion in losses in 2019 alone. Phishing is a broad category, and BEC attacks and spear phishing are subsets of this group. Here’s a closer look at how phishing and spear phishing attacks differ.


Phishing is a crime where cyber criminals attempt to gain information by tricking users instead of hacking. Typically, phishers send out emails that claim to be from authority figures to obtain users’ trust. Then, tricked users either click a malicious link or give away financial information, thinking they’re doing so for this authority.

Deactivation scares are a common example of phishing attacks. In these scams, phishers pretend to be an organization telling users that their account was deactivated. Then, they give users a place to take action, like updating their payment info, which lets phishers steal from them.

Protecting Against Phishing Attacks

The best way to protect against phishers is to pay closer attention to email addresses. Fake email accounts will look similar to the real deal, but something will be off about them. For example, a fraudulent company email could have a Gmail or Yahoo address instead of the actual company name.

Sometimes it can be difficult to tell if an email address is fake or not. That’s why you should always double-check before responding to any emails and never believe anything that seems too good to be true. You may also consider hiring an email security service to filter out potential phishing attacks.
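The address check described above can be automated in a mail filter. The following Python sketch is an added example, not from the original article: the brand name, its real domain and the sample headers are constructed, and the freemail list holds only the two providers the article names.

```python
import re
from email.utils import parseaddr

FREEMAIL = {"gmail.com", "yahoo.com"}  # the two providers named in the article
# Constructed for illustration: brand name -> domain it really sends from
KNOWN_BRANDS = {"examplebank": "examplebank.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return a list of warnings for a From header; empty means nothing looked off."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    name = re.sub(r"[^a-z0-9]", "", display.lower())  # "Example Bank" -> "examplebank"
    findings = []
    for brand, real in KNOWN_BRANDS.items():
        if domain == real or domain.endswith("." + real):
            continue  # address matches the brand's own domain
        if brand in name:
            # Display name claims the brand, but the address is somewhere else.
            kind = "freemail" if domain in FREEMAIL else "mismatch"
            findings.append(f"{kind}: '{display}' sent from {domain}")
        if 0 < edit_distance(domain, real) <= 2:
            findings.append(f"lookalike: {domain} resembles {real}")
    return findings

if __name__ == "__main__":
    samples = [  # constructed sample headers
        '"Example Bank Support" <support.examplebank@gmail.com>',
        "Example Bank <alerts@examp1ebank.example>",
        "Example Bank <alerts@examplebank.example>",
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "ok")
```

A From header that passes this check can still be forged, so mail filters pair it with SPF, DKIM and DMARC results.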

If you realize you’ve fallen for a phishing scam, call your bank as soon as possible. Inform them of what happened so that they can cancel your credit cards or freeze your accounts. Be sure you also change all of your passwords and run a virus scan on your devices.

Spear Phishing

Spear phishing and phishing attacks are easy to confuse because the former is a type of the latter. Spear phishing is a kind of phishing that targets a specific individual instead of a random person. These scams tend to be more convincing because they’re more personal, seeming like they’re actually from someone who knows you.

Since spear phishers usually need to have some information on their targets, these attacks are more challenging to carry out, but also more effective. In 2015, Ubiquiti Networks lost $47 million in a type of spear phishing attack called CEO fraud. Phishers pretended to be the Ubiquiti CEO in emails sent to members of the finance department.

Protecting Against Spear Phishing Attacks

Spear phishing and phishing attacks require similar methods of protection since they’re so closely related. If you get an email asking you to enter account information or click a link, double-check the address. Remember that, even if the message shows that the sender knows who you are, it could still be fake.

Many email services include phishing filters, but spear phishing attacks are more likely to slip through. It takes a more advanced system to recognize them, so third-party security software is a safer choice. Still, some spear phishers may get through, so never let your guard down.

Cybercrime Comes in Many Different Forms

Not all phishing and spear phishing attacks come through emails, either. Cybercrime is full of variety, so no matter where you are online, you should be careful. Knowing the different forms cybercrime can take helps you protect yourself.

Knowledge is the first step in defense. Know what threats you may face so that you know what to look out for. You can defend against many phishing and spear phishing attacks just by knowing what they are.