Spear Phishing

Spear phishing is a targeted form of phishing in which attackers research specific individuals and craft highly personalized messages designed to deceive that particular target. Unlike mass phishing campaigns that rely on generic lures, spear phishing emails reference the target’s name, role, colleagues, recent activities, or other specific details that make the message appear legitimate.

Business email compromise (BEC) is a high-value spear phishing variant in which attackers impersonate executives or vendors to trick finance staff into making fraudulent wire transfers. The FBI reports that BEC has caused over $50 billion in losses globally since 2013.

CISSP Relevance

Spear phishing is addressed in Domain 1 (Security and Risk Management) under social engineering threats and in Domain 7 (Security Operations) under incident response. CISSP candidates must understand how targeted social engineering differs from mass attacks and which controls reduce spear phishing risk.

External reference: FBI Internet Crime Complaint Center Business Email Compromise

Related terms: Phishing, Social Engineering