
Phishing vs spear phishing: what changes when attacks get targeted

Phishing is broad impersonation. Spear phishing is targeted impersonation built around a specific person, role, vendor, or business process. Learn the difference, how executive phishing fits in, and where DMARC helps.

Marc Lelu

Phishing vs spear phishing comes down to targeting.

Phishing is usually broad. The attacker impersonates a trusted company, service, bank, delivery provider, or internal tool and sends the same message to many people. The goal is to make a small percentage of recipients click, sign in, pay, or download something.

Spear phishing is targeted. The attacker researches a specific person, team, company, vendor relationship, executive, or business process and builds the message around details that make it feel normal. That targeting makes spear phishing harder to spot and more likely to bypass simple awareness rules.

Both attacks can use spoofed email addresses, lookalike domains, fake websites, malicious attachments, text messages, social media messages, or voice calls. What changes is how much the attacker knows about the target and how specifically the message is crafted.

Quick comparison

Attack type        | Typical target                          | Personalization | Common goal
Phishing           | Many recipients                         | Low             | Steal passwords, card data, or account access
Spear phishing     | A person, team, or organization         | High            | Steal credentials, trigger a payment, install malware, or access internal data
Executive phishing | Executives or people who work with them | Very high       | Wire fraud, sensitive data theft, legal or finance impersonation

The European Union Agency for Cybersecurity describes phishing as social engineering that tries to persuade victims to disclose sensitive information. It describes spear phishing as a more personalized version that targets specific organizations or individuals.

The FBI’s spoofing and phishing guidance also connects spoofing, phishing, and business email compromise. That matters because many real losses do not come from malware. They come from trusted-looking messages that convince someone to send money, reveal credentials, or change a payment process.

What is phishing?

Phishing is an impersonation attack that tries to get someone to take an unsafe action.

Common examples:

  • A fake Microsoft 365 sign-in page asks for your password.
  • A delivery notice says a package is blocked until you pay a small fee.
  • A bank warning claims your account will be closed unless you verify details.
  • A payroll message asks employees to confirm login credentials.
  • A fake invoice attachment installs malware.

The message usually relies on urgency, fear, curiosity, or routine. It may say your account is locked, your payment failed, your document is ready, or your boss needs something now.

Most broad phishing messages are not deeply personalized. They may include your email address or first name, but they usually do not reference your current project, vendor, internal team, invoice history, or reporting line. The attack works at scale because sending a generic lure to thousands of people is cheap.

What is spear phishing?

Spear phishing is targeted phishing.

Instead of sending the same message to everyone, the attacker studies the target. That research may come from LinkedIn, company websites, public filings, press releases, social media, leaked credentials, breached vendor systems, email headers, or earlier conversations in a compromised inbox.

Common examples:

  • A finance employee gets a message that appears to come from the CEO and references a real acquisition.
  • An HR manager receives a fake resume that matches an open role and contains a malicious attachment.
  • A sales leader gets a fake DocuSign request tied to a real customer name.
  • A contractor receives payment-change instructions from a lookalike vendor domain.
  • An employee gets a login prompt after a message that references a real internal tool.

Microsoft’s spear phishing overview emphasizes that spear phishing uses personal or organizational details to make a message more convincing. That is the main operational difference: the attacker is not just impersonating a brand. They are impersonating a relationship or workflow.

What changes when phishing becomes targeted?

The message gets harder to dismiss

Generic phishing often contains broad warning signs: vague greetings, odd phrasing, mismatched branding, or requests that do not fit your work.

Spear phishing can be cleaner. The attacker may know your title, manager, clients, suppliers, region, conference schedule, or tools. A request that would look suspicious to a random recipient may look normal to the person who handles that process every week.

The sender may look more plausible

Spear phishing often uses a sender identity that matches the target’s world:

  • A lookalike executive domain.
  • A vendor domain with one changed character.
  • A free mailbox using a familiar display name.
  • A compromised inbox from a real partner.
  • A spoofed message that appears to come from your own domain.

This is where email authentication matters, but only for a specific slice of the problem. DMARC can help receivers reject mail that directly spoofs your protected domain. It does nothing about lookalike domains, compromised accounts, or fake websites.

The request maps to business authority

Broad phishing often asks for passwords or card details. Spear phishing often asks for something the target can actually do:

  • Approve a wire.
  • Share a customer list.
  • Reset a password.
  • Open a vendor file.
  • Update bank details.
  • Send W-2, payroll, or tax documents.
  • Grant access to a SaaS app.

That is why spear phishing overlaps with business email compromise. The attacker is not always trying to break software. Sometimes they are trying to make a normal employee complete a normal-looking business task for the wrong person.

What is executive phishing?

Executive phishing is targeted phishing that impersonates, pressures, or targets senior leaders. It is often called whaling when the executive is the target, and CEO fraud when the executive is impersonated to pressure someone else.

Examples:

  • A fake CEO asks finance to send an urgent wire before a deal closes.
  • A fake general counsel asks an assistant to send board documents.
  • A fake CFO asks payroll to update direct-deposit details.
  • A real executive’s compromised mailbox sends convincing requests to vendors or staff.

Executive phishing can refer to two related scenarios:

  • The executive is the victim because their account, credentials, or data are valuable.
  • The executive’s identity is the lure because employees are trained to respond quickly to leadership.

The defense is the same in both cases: do not rely on display names, pressure, or email threads alone. High-risk requests need an out-of-band check, such as a known phone number, approved payment workflow, or internal ticketing process.

Where BEC fits in

Business email compromise, or BEC, is a fraud pattern where attackers use email impersonation or account compromise to trick a business into sending money or sensitive information.

The FBI treats spoofing and phishing as key parts of BEC because the attacker often needs one of three things:

  • A believable sender identity.
  • A believable business pretext.
  • A recipient with authority to act.

Spear phishing is one way to get there. A targeted email may steal credentials first, then the attacker uses the compromised account to send payment instructions. Or the first email may go straight for the payment request using a spoofed or lookalike sender.

Does DMARC stop spear phishing?

DMARC helps with one important type of email impersonation: direct domain spoofing.

If attackers send email that claims to be from yourcompany.com, and your domain has SPF, DKIM, and DMARC configured correctly with enforcement, receiving mail systems can reject messages that fail authentication and alignment. That protects your exact domain from being used as the visible sender in many spoofing attempts.

DMARC does not stop every spear phishing attack.

DMARC does not stop:

  • Lookalike domains such as yourcornpany.com.
  • Free-mail impersonation using a familiar display name.
  • Compromised inboxes at customers, vendors, or your own company.
  • Fake login pages hosted on unrelated domains.
  • Malicious links or attachments sent from otherwise authenticated systems.
  • Text messages, phone calls, social media messages, or collaboration-tool messages.

That distinction is important. DMARC is not “phishing protection” in the broad sense. It is a domain authentication and anti-spoofing control. It should sit beside MFA, security awareness, payment verification, endpoint protection, secure email gateways, vendor controls, and incident response.
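To make the boundary concrete, here is an added example (not DMARCTrust's code) of the receiver-side DMARC decision: it parses a policy record, applies SPF and DKIM alignment, and runs the page's cases, including the yourcornpany.com lookalike that DMARC cannot catch. It assumes SPF and DKIM results were already computed and simplifies the organizational-domain lookup; the records and authenticated domains are constructed.

```python
# Added example (not DMARCTrust's code). Assumes SPF/DKIM results are already computed;
# org-domain lookup is simplified (real receivers use the Public Suffix List).
def parse_dmarc_record(record):
    """Split 'v=DMARC1; p=reject; adkim=s' into a dict, applying DMARC defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}  # relaxed alignment is the default
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain):
    return ".".join(domain.lower().split(".")[-2:])  # simplification, see comment above

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(from_domain, record, spf=None, dkim=None):
    """spf/dkim: (result, authenticated_domain) or None. DMARC passes when at least
    one passing identifier aligns with the From: domain. Returns (passed, disposition)."""
    tags = parse_dmarc_record(record)
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(spf[1], from_domain, tags["aspf"])
    dkim_ok = bool(dkim) and dkim[0] == "pass" and aligned(dkim[1], from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return passed, ("none" if passed else tags["p"])

PROTECTED_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"  # constructed: yourcompany.com policy
LOOKALIKE_RECORD = "v=DMARC1; p=none"  # constructed: attacker's own policy for yourcornpany.com
# Constructed cases from the page: direct spoof, legitimate mail, subdomain signing, lookalike.
CASES = {
    "direct_spoof": evaluate_dmarc("yourcompany.com", PROTECTED_RECORD,
                                   spf=("pass", "bulk-sender.example")),
    "legit_mail": evaluate_dmarc("yourcompany.com", PROTECTED_RECORD,
                                 dkim=("pass", "yourcompany.com")),
    "subdomain_relaxed": evaluate_dmarc("yourcompany.com", PROTECTED_RECORD,
                                        dkim=("pass", "mail.yourcompany.com")),
    "subdomain_strict": evaluate_dmarc("yourcompany.com", "v=DMARC1; p=reject; adkim=s",
                                       dkim=("pass", "mail.yourcompany.com")),
    # DMARC consults the policy of the From: domain, which here the attacker controls.
    "lookalike": evaluate_dmarc("yourcornpany.com", LOOKALIKE_RECORD,
                                dkim=("pass", "yourcornpany.com")),
}

if __name__ == "__main__":
    for name, (passed, disposition) in CASES.items():
        print(f"{name:18} pass={passed!s:5} disposition={disposition}")
```

Only the direct spoof and the strict-alignment subdomain case are rejected; the lookalike passes because it authenticates correctly for a domain the attacker owns.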

If you are not sure whether your domain can be spoofed directly, check it with the DMARCTrust domain checker. For the underlying mechanics, start with SPF, DKIM, and DMARC alignment explained and email authentication monitoring.

How to prevent broad phishing

Broad phishing defenses focus on reducing easy wins:

  • Use phishing-resistant MFA where possible.
  • Use a password manager so fake domains do not autofill credentials.
  • Keep browsers, mail clients, and devices patched.
  • Train users to check sender domains, not just display names.
  • Block known malicious links and attachments.
  • Report suspicious messages to security or the mail provider.
  • Do not reuse passwords across work and personal accounts.

For companies, broad phishing also requires good defaults: MFA enrollment, least-privilege access, conditional access, attachment scanning, browser isolation for risky links, and fast account recovery.

How to prevent spear phishing

Spear phishing needs workflow defenses, not just awareness.

Use these controls for high-risk actions:

  • Require out-of-band verification for payment changes, wire transfers, payroll updates, and vendor banking changes.
  • Make approval workflows explicit and hard to bypass by email alone.
  • Protect executives, finance, HR, legal, IT admins, and assistants with stronger MFA and tighter mailbox rules.
  • Monitor for new forwarding rules, OAuth grants, suspicious sign-ins, and impossible travel.
  • Register obvious lookalike domains when practical, and monitor for brand impersonation.
  • Publish DMARC at enforcement for domains that send mail and parked domains that do not.
  • Teach employees that urgency plus secrecy is a verification trigger, not a reason to skip process.

The goal is to make the attack fail even when the message is well written.
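The lookalike-domain and display-name cases above are exactly the ones DMARC leaves open, so a mail-gateway or triage rule has to catch them. This added example (not DMARCTrust's code) classifies a From: header against a protected domain list; the PROTECTED_DOMAINS, EXEC_NAMES, CONFUSABLES table and sample headers are all constructed for illustration.

```python
# Added example (not DMARCTrust's code): flags the sender patterns DMARC does not cover.
# PROTECTED_DOMAINS, EXEC_NAMES and the CONFUSABLES table are constructed for illustration.
from email.utils import parseaddr

PROTECTED_DOMAINS = {"yourcompany.com"}
EXEC_NAMES = {"jane doe"}  # display names of executives who are commonly impersonated
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

def normalize(domain):
    """Collapse common character-substitution tricks so yourcornpany.com reads as yourcompany.com."""
    d = domain.lower()
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Return 'internal', 'lookalike-domain', 'display-name-impersonation' or 'external'."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in PROTECTED_DOMAINS:
        return "internal"  # DMARC at enforcement is the control for this case
    for protected in PROTECTED_DOMAINS:
        if normalize(domain) == normalize(protected) or edit_distance(domain, protected) <= 2:
            return "lookalike-domain"
    if name.strip().lower() in EXEC_NAMES:
        return "display-name-impersonation"
    return "external"

# Constructed sample headers covering the page's cases
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@yourcompany.com>",
    "Jane Doe <jane.doe@yourcornpany.com>",
    "Jane Doe <janedoe.ceo@freemail.example>",
    "Vendor Billing <ar@vendor.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):28} {header}")
```

A hit on either lookalike or display-name impersonation is a trigger for the out-of-band verification step, not a reason to silently drop the message.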

What to do if you receive a suspected spear phishing message

Do not reply in the same thread. Do not click the link to “check.” Do not call a phone number inside the message.

Instead:

  1. Preserve the message.
  2. Report it through your company’s phishing-reporting process.
  3. Verify the request through a known channel.
  4. If credentials were entered, change the password and revoke sessions immediately.
  5. If money was sent, contact the bank and report the incident quickly.
  6. If your domain was spoofed, review SPF, DKIM, DMARC policy, and aggregate reports.

Speed matters, especially for payments and account compromise. But speed should go into containment, not into complying with the request.

FAQ

What is the main difference between phishing and spear phishing?

Phishing is usually broad and generic. Spear phishing is targeted and personalized for a specific person, team, company, vendor, or workflow.

Is spear phishing always email?

No. Spear phishing often happens by email, but the same targeted deception can happen through text messages, phone calls, social media messages, or collaboration tools.

What is executive phishing?

Executive phishing is targeted phishing involving senior leaders. The attacker may target an executive directly or impersonate an executive to pressure employees into sending money, credentials, documents, or access.

Is whaling the same as executive phishing?

Whaling is a common name for spear phishing that targets high-profile people such as CEOs, CFOs, board members, and other senior leaders. Executive phishing is a broader plain-English term that also includes scams that impersonate executives.

Does DMARC stop phishing?

DMARC stops a specific form of phishing: messages that directly spoof a protected domain and fail authentication. It does not stop lookalike domains, compromised accounts, fake websites, malicious links, or non-email social engineering.
