
Spear phishing vs phishing: Understanding the difference for effective cybersecurity policies

Recently, I was having a coffee with a long-time friend from university. Even though our university days are long past us, we’ve remained close friends and have made it a point to catch up from time to time. Over her matcha latte, she told me about an “interesting” email she recently received.

“You just won’t believe it. It was a formal-looking mail, seemingly from my bank, requesting my login details for some verification purposes. The scary thing is that I had typed my details up and was about to hit send when I realised that the request was odd. I’d never gotten anything like that before.” 

That’s all I needed to know to realise that she had been the target of a (fortunately unsuccessful) phishing attempt. I explained to her what it was and while she told me she already knew that, she spoke about how thrown off she was by how convincing the email was.

“Nick, I just lose it when I think about how close I was to falling for that! I never believed these hackers had that much capability.”

This is usually the same thing I hear from people, especially after they’ve fallen for this very common type of cyber attack. One thing that irks me (it’s the cybersecurity specialist in me!) is when people don’t understand the distinction between spear phishing and phishing. It’s an important distinction, one that can make the difference between a successful attack and an unsuccessful one.


While both phishing and spear phishing involve deceiving someone into doing something they shouldn’t, phishing casts a much wider net in terms of potential victims, and the fallout from any single phishing email is usually less severe.

If you’re the target of a phishing scheme, you may receive an email that appears to come from a reputable organisation or business, prompting you to click a link that takes you to a spoofed landing page. The goal is usually to extract sensitive information, such as your bank login details, by telling you that you need to update your password or that your account has been locked.

Spear phishing, on the other hand, is highly specific and targeted: these emails are addressed to you personally and appear to come from someone you know directly. That may be a colleague, your boss, or someone you believe has the authority to ask you to do certain things. One of the most common ruses spear phishers use is to impersonate an employee’s boss and ask them to wire money.


While there are ways organisations can filter phishing emails, specifically by detecting phishing URLs and spoofed sender details, these filters are far less effective against spear phishing, which often contains no suspicious link at all and relies instead on a convincing identity.
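To make the gap concrete, here is an added example (not code from the original post, and not part of Triskele Labs’ PhishAway) that runs two constructed sample emails through two simple defensive checks: one that looks for mismatched URLs, the kind of check that catches bulk phishing, and one that looks at sender identity (display-name impersonation and a redirected Reply-To), which is what a wire-fraud spear phish with no link at all needs. The domains, staff directory and message contents are all made up for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the organisation's own domain and a tiny staff directory (constructed values).
TRUSTED_DOMAIN = "example-corp.test"
KNOWN_STAFF = {"Jane Doe": "jane.doe@example-corp.test"}

# Constructed sample 1: bulk phishing, "your account is locked", with a disguised link.
BULK_PHISH = """\
From: "Example Bank" <alerts@examp1e-bank.test>
To: jane.doe@example-corp.test
Subject: Your account is locked
Content-Type: text/html

<p>Please verify your details at <a href="http://login.examp1e-bank.test/verify">https://www.example-bank.test/login</a></p>
"""

# Constructed sample 2: spear phishing, boss impersonation asking for a wire transfer, no link.
SPEAR_PHISH = """\
From: "Jane Doe" <jane.doe@webmail-lookalike.test>
Reply-To: jane.doe.ceo@webmail-lookalike.test
To: bob@example-corp.test
Subject: Urgent wire transfer

Bob, I'm in a meeting. Please wire the vendor payment we discussed today. Thanks, Jane
"""


def url_findings(msg):
    """Flag anchors whose visible link text names a different host than the real href."""
    body = msg.get_payload()
    findings = []
    for href, text in re.findall(r'href="([^"]+)"[^>]*>([^<]*)<', body):
        shown = urlparse(text.strip()).hostname if "://" in text else None
        real = urlparse(href).hostname
        if shown and real and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
    return findings


def sender_findings(msg):
    """Flag identity tricks that need no URL: a known name on a foreign address,
    and a Reply-To that diverts replies away from the apparent sender."""
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    if name in KNOWN_STAFF and addr.lower() != KNOWN_STAFF[name]:
        findings.append(f"display name '{name}' does not match directory address {KNOWN_STAFF[name]}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    return findings


def triage(raw):
    """Run both checks over a raw RFC 822 message and return the findings per check."""
    msg = message_from_string(raw)
    return {"url": url_findings(msg), "sender": sender_findings(msg)}


def is_suspicious(raw):
    """True if either check produced a finding."""
    result = triage(raw)
    return bool(result["url"] or result["sender"])


if __name__ == "__main__":
    for label, sample in (("bulk phishing", BULK_PHISH), ("spear phishing", SPEAR_PHISH)):
        print(label, triage(sample))
```

Run as-is, the URL check fires only on the bulk sample and the sender check fires only on the spear-phishing sample: a mail gateway that relied on link analysis alone would pass the wire-transfer request straight through, which is exactly why the identity checks, and the staff training discussed next, matter.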

This is precisely why businesses need to train employees to recognise these types of emails and to stay on alert for a stray, seemingly innocuous spear-phishing email. The need for this type of cybersecurity training is only underlined by the fact that 88% of organisations reported experiencing spear phishing attacks in 2019.

Understanding the difference between spear phishing and phishing, therefore, can make a major difference in how prepared your teams are to tackle this type of cyber attack. Sure, they may be able to spot a random email asking them to complete a suspicious request, but would they blink if they believed the email came from a higher-up in your company?


Spear phishing vs phishing is a subject that requires careful understanding and training in order to stem the almost relentless flow of cyber attacks that businesses are experiencing today.

At Triskele Labs, my team of security experts conduct awareness training and even leverage our in-house solution, PhishAway, for simulated phishing trials, which we provide as a managed service. Our goal? Help you nail the distinction between spear phishing vs phishing and enjoy improved cybersecurity.