Phishing vs Spear Phishing: What’s the Difference?

August 20, 2021


Know Your Risks: Phishing vs Spear Phishing

Phishing risk has skyrocketed, clocking in at almost 300% higher than it was in the same period in 2020 in both May and June 2021. The dangerous spokes that radiate from the hub of phishing, like ransomware or business email compromise, make phishing an extremely powerful weapon. That’s why phishing and spear phishing are the perennial favorites of cybercriminals from nation-state threat actors to small-time freelance cybercriminals.  Cybercriminals are using several different kinds of phishing attacks to get the job done in the name of scoring big paydays, so it’s important to know the difference when considering phishing vs spear phishing attacks. 




What is the Difference Between Phishing and Spear Phishing?

Phishing risk is steadily rising, but the terminology used in articles about it can become confusing because many types of attacks share similar characteristics. Such is the case with phishing and spear phishing. When studying what makes each attack unique, it’s easy to see the fundamental differences in phishing vs spear phishing.

  • In a phishing attack, cybercriminals use appealing or frightening lures to snag users. Sometimes, cybercriminals make it easy on themselves by spoofing communications from US government agencies. Recently, bad actors have increasingly focused their sights on linchpins of industry like city governments, MSPs and other critical targets. Cybercriminals have also been busy unleashing large-scale phishing attacks by masquerading as a famous, trustworthy brand like Microsoft.
  • In a spear phishing attack, the same cybercriminals will scour dark web markets and data dumps to find the perfect piece of information to entice users to click. Practitioners of these attacks use social engineering combined with detailed information about the target to create an irresistible lure. Many of today’s biggest threats and worst cybersecurity disasters started with a successful spear phishing email.



Which is More Common: Phishing or Spear Phishing?

Phishing is the most common type of cyberattack. An estimated 80% of all cyberattacks are phishing attacks of some type. The term is also used as a catch-all phrase for attacks via email, SMS, social and other channels that try to convince users that the sender is trustworthy. Spear phishing is technically a type of phishing attack. The major difference is that phishing attacks paint in broad strokes, while spear phishing attacks have a very narrow focus. It may surprise you, but many of the incoming spear phishing attacks that businesses face are targeted at the employee group that you’d expect to be the most phishing savvy: IT staffers, who receive an estimated 40 spear phishing messages per year. 

Characteristics of a Phishing Email

  • Phishing emails will have a generally appealing message, like informing an employee that they’ve been chosen to take a survey to receive a reward.
  • Unexpected requests for payment with wire transfers, money cards or cryptocurrency are huge red flags for phishing.
  • A phishing message will often be relevant to the specifics of a large-scale event that’s occurring, like a rash of messages last year that invited the targets to download COVID-19 maps full of ransomware.
  • Spoofing is a technique frequently used in phishing to convince targets that the message came from a legitimate sender. 45% of spoofed emails last year purported to be from Microsoft. 

Characteristics of a Spear Phishing Email

  • Spear phishing messages will use detailed, personalized information to fool the target into clicking on it, like a fundraiser from the target’s alma mater.
  • A spear phishing message will be relevant to both the specifics of a large-scale situation and the person who received it, like an email from a charity that the target is familiar with, asking for donations after a storm.
  • Sophisticated spear phishing messages will be relevant to both the specifics of a large-scale situation and the person who received it, like asking a senior accounting staffer to change their password in order to make a payment on an invoice from a vendor. 
  • Business email compromise (BEC) attacks are frequently the result of spear phishing, and not always directed at executives or accounting staff – 77% of BEC attacks targeted staffers outside those roles. 



Why is Phishing and Spear Phishing Risk Growing?

The short answer is that phishing has become very inexpensive and easy. At the same time, cybercriminals have many more opportunities to mount phishing attacks against businesses than they’ve had in the past. Add in a little pandemic stress and cybercriminals are looking at their dream conditions for phishing. That combination of factors is why phishing risk in general skyrocketed by more than 600% in the spring of 2020 and has stayed at record levels ever since.

One specific thing that makes phishing more attractive to bad actors is the new horizon opened by remote work. Thanks to pandemic lockdowns and societal shifts, email volume has grown from a steady stream into a deluge. More than 80% of remote workers use email as their primary method of communication at work. Cybercriminals are capitalizing on that dependence by unleashing an avalanche of phishing. Google had registered 2,145,013 phishing sites as of Jan 17, 2021. This is up from 1,690,000 on Jan 19, 2020 (up 27% over 12 months).

Business phishing risk is not slowing its climb onward and upward in 2021. After a banner year for phishing risk in 2020, it was hard to believe that there was any more real estate for phishing to occupy. Unfortunately, we don’t seem to be anywhere near the upper limit for phishing and it just keeps growing. Phishing risk has steadily grown in 2021, standing almost 300% higher than it was in the same period in 2020 in both May and June 2021. That trend is expected to continue, and that’s bad news for every business.

What Are Some Best Practices to Avoid Phishing or Spear Phishing Attacks? 

  • Always perform basic safety checks on every incoming message no matter how familiar you might be with the sender 
  • When reading a branded email, make sure that the sender’s domain aligns with the company that it is purportedly sent from because cybercriminals will go to great lengths to spoof a message and send it from an “almost right” domain.  
  • Don’t download an attachment that you are not expecting no matter how harmless it looks – an estimated 48% of malicious email attachments that were sent out in 2020 were Office files. 
  • Never give anyone your password or login information via email. 
  • Look for small tells in a message like the wrong font or color palette. 
  • No US federal government department will ever contact you and ask you for personally identifying information (PII), financial information or your login and password for a federal website via email or text.
  • Be wary of any message that contains spelling, grammar or usage errors, especially if it claims to have been sent from a major brand. 
  • When in doubt, quarantine a suspicious message and call for expert backup from your IT staff. 
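The second item above, checking that the sender’s domain really belongs to the brand the message claims to come from, can be partly automated. The Python below is an added example and not Graphus code: the EXPECTED_DOMAINS table and the HOMOGLYPHS substitution list are constructed for illustration, registrable() is a deliberately simplified last-two-labels rule, and the domain is assumed to be already decoded from punycode.

```python
import re
import unicodedata

# Brand -> domains that legitimately send mail for it (constructed sample table;
# an organisation would maintain its own list of vendor and partner domains).
EXPECTED_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "example bank": {"examplebank.com"},
}

# Visual substitutions commonly used in "almost right" domains (constructed list).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

ADDR_RE = re.compile(r"<([^>]+)>")


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of the address in a From: header."""
    m = ADDR_RE.search(from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].strip().lower()


def normalize(text: str) -> str:
    """Fold accents, Unicode look-alikes and digit substitutions to plain ASCII."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    for fake, real in HOMOGLYPHS:
        folded = folded.replace(fake, real)
    return folded.lower()


def registrable(domain: str) -> str:
    """Keep the last two labels (example.com); simplified, no public-suffix list."""
    return ".".join(domain.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, claimed_brand: str) -> str:
    """Classify the sender domain as 'match', 'lookalike' or 'unrelated' for a brand."""
    domain = sender_domain(from_header)
    expected = EXPECTED_DOMAINS.get(claimed_brand.lower(), set())
    if any(domain == e or domain.endswith("." + e) for e in expected):
        return "match"
    brand_word = normalize(claimed_brand.replace(" ", ""))
    if brand_word in normalize(domain):
        return "lookalike"  # brand name embedded, e.g. brand-support.net or brand.com.evil.net
    if any(edit_distance(normalize(registrable(domain)), normalize(e)) <= 2 for e in expected):
        return "lookalike"  # close typo of the real domain
    return "unrelated"
```

A "lookalike" verdict is a reason to quarantine and escalate, not proof of fraud; authentication results (SPF, DKIM, DMARC) should be checked alongside it.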



How Can My Organization Defend Against Phishing and Spear Phishing?

Graphus is the solution that your organization needs for powerful protection from both phishing and spear phishing. Don’t expend time and energy trying to stay up to date on phishing threats. Put a defensive powerhouse on the job 24/7/365 that doesn’t need human guidance like patches or threat intelligence reports to tailor its protection. The AI gathers its own data based on your company’s email traffic patterns, providing exactly the security that your business needs exactly when your business needs it.

With Graphus, you can cover every base to defend against phishing-related cybercrime while boosting cyber resilience at an affordable price quickly and painlessly.   

  • TrustGraph is the star of the show, guarding your company’s inboxes against social engineering attacks. Using more than 50 separate data points, TrustGraph analyzes incoming messages to detect trouble before speeding them to their recipients – and it never stops learning, constantly gathering fresh threat intelligence from every analysis it completes.  
  • EmployeeShield slips into place when a new line of communication comes into your business, adding a bright, noticeable box that warns employees to use caution when handling the message. This empowers every staffer to join your security team by marking a new message safe or quarantining it with one click for administrator inspection. 
  • Phish911 completes your triple-layered protection by making it easy and painless for employees to report any suspicious message that they receive to an administrator for help. When an employee reports a suspicious message, it is immediately removed from everyone’s inbox to prevent further trouble.

Oh, and did we mention that automated security is also 40% more effective in spotting and stopping phishing threats to your organization than conventional security or a secure email gateway (SEG)? Plus, sophisticated socially engineered spear phishing threats, whaling attacks and even zero-day exploits don’t stand a chance against the smart protection that your business will get from Graphus. Contact one of our solutions experts today for a personalized demo.


