Spear Phishing vs. Phishing: Why Every Attack Feels Targeted

Key Takeaways:

  • Spear phishing is replacing broad phishing as the dominant threat. Unlike generic "spray and pray" phishing emails sent to thousands, spear phishing uses AI, data scraping, and Natural Language Processing (NLP) to craft highly personalized, convincing messages targeting specific individuals or groups — often with little manual effort from attackers.
  • AI is a game-changer for attackers. Threat actors are using generative AI to automate target research, mimic writing styles, and even interact with victims in real time — making spear phishing attacks increasingly difficult for both end users and traditional security tools to detect.
  • Behavioral red flags matter more than technical ones. Because spear phishing emails often lack obvious tells like suspicious URLs or broken grammar, users should watch for unusual requests, odd send times, or unexpected urgency — especially from seemingly trusted colleagues or managers.
  • A layered defense is essential. Reducing spear phishing risk requires combining security awareness training, Multi-Factor Authentication (MFA), Managed ITDR, Managed EDR, and strict verification workflows to catch attacks before they cause damage.

Spear Phishing vs. Phishing: What’s Changed & Why It Matters

Phishing is still the most common type of cybercrime. According to our 2025 Huntress Cyber Threat Report, phishing is one of the top ways attackers scout out and hack systems. In fact, the APWG Phishing Activity Trends Report tracked over one million cases in the first quarter of 2025 alone. It’s been at the top for years because it’s a low-effort, high-volume tactic that threat actors quickly spin up to get access to sensitive information or infrastructure. 


This guide will explain the difference between spear phishing versus phishing and how to reduce your risk of falling victim to either.


Phishing vs. spear phishing: What they really mean today

The “Nigerian Prince” phishing email is a thing of the past. Now, attackers use sophisticated social engineering to impersonate real-world senders with surprising success. We’ll dive into the differences between the old and new types of phishing below.

What’s phishing in cybersecurity?

Phishing involves sending a message or email to several recipients. Threat actors try to trick users into sharing sensitive information or clicking a link that leads to malicious software. Attackers cast their net into the vast ocean of internet users, hoping to catch someone unaware. Legacy cybersecurity tools addressed this high-volume, low-context attack model by looking for common phishing patterns in email attachments and URLs.


What’s spear phishing in cybersecurity?

Spear phishing is a highly targeted phishing attempt. Rather than a generic large-scale scam, spear phishing attacks focus on a small group of victims, like a design team at a software company or the supervisors at a supply chain warehouse. After researching their targets, attackers send a convincing email, complete with the proper names, signatures, and jargon that recipients are used to. Attackers are increasingly relying on generative AI to craft more realistic and convincing spear phishing emails. 

What makes spear phishing so sneaky is that attackers don’t even need to manually investigate their targets. Instead, they can use data scraping and Natural Language Processing (NLP) to automate the entire process, allowing them to set up and execute highly sophisticated attacks with minimal effort.




The real difference between phishing & spear phishing

Cybercriminals are shifting to spear phishing attacks because they’re more effective and hook bigger targets with less effort. It’s not as simple as “large-scale, low-context” anymore. Instead, attackers can achieve high levels of context, even at a massive scale, through business email compromise (BEC), careful timing, and AI automation.

Let’s take a look at how spear phishing attacks differ from standard phishing attacks. 


| Category | Phishing | Spear Phishing |
|---|---|---|
| Scale | One generic email sent to thousands of recipients | Several unique emails targeting specific groups of victims |
| Targeting | Everyday email users | End users with valuable credentials and/or access |
| End-user awareness | Messages are easy to spot. Filled with unlikely claims and vague, generic language | Detection is more challenging. Impersonates senders using real or spoofed email addresses and convincing content |
| End-user response | Simple. Ignore, don’t click links or engage with the email. | Complex. Disconnect affected devices from the network, reset all passwords, and notify your security team. One attack means several others are likely incoming or have already happened. |


Why “spray and pray” no longer works

Most security teams have gotten wise to the telltale signs of generic, widespread phishing attacks. Even most end users know what to look out for, like broken language, suspicious URLs, and requests for passwords or other credentials. With this new baseline understanding, attackers upped their game to spear phishing.




Why spear phishing works so well in modern workplaces

Modern teams are more vulnerable than ever to phishing scams because remote workers and cross-functional teams rely heavily on software to collaborate. Emails and Microsoft Teams messages have replaced in-person meetings and quick cubicle visits. A convincing enough email can slip in unnoticed among the dozens of memos, requests, and approvals the average worker handles every day.


The rise of micro-targeting and identity abuse

Attackers craft convincing email messages focused on specific targets with the aim of tricking them into clicking a link or sharing credentials. By scraping data from LinkedIn and other social media sites, they find personal information and develop language models based on this data. 

Messages may look like a manager emailing their direct reports or a user sending an IT request. Often, attacks target more junior employees because they have less cybersecurity training and would feel pressure to respond to a superior. The entire process can be automated, but for high-value targets (whaling attacks), an attacker might be hands-on-keyboard behind the scenes. 


Sketchy behavioral signals are just as important

Spear phishing attacks exploit trust. They don’t have obvious tells like suspicious URLs or broken grammar. Instead, they appear to be from legitimate, trusted colleagues. To spot them, end users should be on the lookout for strange behavior, like making unusual requests or sending messages at odd hours.
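The behavioral signals named above (unusual requests, odd send times, unexpected urgency) can be checked against a sender's own mail history. The sketch below is an added example, not Huntress code; the addresses, messages, keyword lists and two-hour tolerance are constructed assumptions.

```python
# Added example: score a message against the sender's own history (all data constructed).
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|before end of day)\b", re.I)
REQUEST = re.compile(r"\b(wire|invoice|payment|gift cards?|password|bank details)\b", re.I)

def parse(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1].lower()
    return sender, parsedate_to_datetime(msg["Date"]), f'{msg["Subject"]} {msg.get_payload()}'

def build_baseline(history):
    """Per sender: hours they normally send at, and whether they ever made a sensitive request."""
    base = {}
    for raw in history:
        sender, sent, text = parse(raw)
        seen = base.setdefault(sender, {"hours": set(), "requests": False})
        seen["hours"].add(sent.hour)
        seen["requests"] |= bool(REQUEST.search(text))
    return base

def red_flags(raw, baseline, slack=2):
    sender, sent, text = parse(raw)
    seen, flags = baseline.get(sender), []
    if seen is None:
        flags.append("no history for sender")
    else:
        # Circular distance, so 23:00 and 01:00 count as two hours apart.
        gaps = [min((sent.hour - h) % 24, (h - sent.hour) % 24) for h in seen["hours"]]
        if min(gaps) > slack:
            flags.append("odd send time")
        if REQUEST.search(text) and not seen["requests"]:
            flags.append("unusual request")
    if URGENCY.search(text):
        flags.append("unexpected urgency")
    return flags

def mail(date, subject, body, sender="Dana <dana@example.com>"):
    return f"From: {sender}\nDate: {date}\nSubject: {subject}\n\n{body}\n"

HISTORY = [  # constructed: the sender's normal working-hours mail
    mail("Mon, 03 Mar 2025 09:12:00 -0500", "Board deck", "Draft attached for review."),
    mail("Tue, 04 Mar 2025 14:40:00 -0500", "Q2 planning", "Can we meet Thursday?"),
    mail("Wed, 05 Mar 2025 11:05:00 -0500", "Hiring", "Please post the role.")]
SUSPECT = mail("Sat, 08 Mar 2025 02:47:00 -0500", "Invoice",
               "Please pay the attached invoice immediately; I am at the convention.")
BASELINE = build_baseline(HISTORY)
print(red_flags(SUSPECT, BASELINE))
```

A message from a compromised but genuine inbox passes sender authentication, which is why the comparison here is against the sender's past behavior rather than against header validity.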




A real-world spear phishing example that bypasses defenses

Spear phishing can take on many forms, and the types of phishing attacks you might uncover will depend on the attack vector and intended target. Here’s one example.


Business email compromise through a trusted inbox

Once an attacker compromises someone’s inbox, they can wreak a lot of havoc, especially when that person occupies a senior role in a company. Here’s how that might play out:


  • A threat actor places a QR code at a business leader convention, disguised as a menu for one of the venue’s many cafés. 

  • The CEO of a promising new start-up scans the QR code and sees a convincing menu. As they browse fake drink options, the software automatically scrapes their email account and credentials.

  • The data is sent to an AI agent, which looks for the victim’s job title, contacts, and potential value.

  • Identifying the CEO as a high-value target, it then searches for them on LinkedIn and Facebook and scrapes all available data.

  • Using publicly available posts and past emails, the AI forms a model that’s able to impersonate the CEO. It mimics their writing style as well as the timing and types of emails they send.

  • While the CEO is busy at the convention, the AI sends a convincing email to the finance department. It attaches a properly formatted invoice requesting funds for a fictional expense.

  • Seeing all the usual signs of a legitimate request, the finance department approves the expense and transfers money to the attacker’s bank account.

Advanced AI can even talk to the finance department, pushing for a quick approval. All the while, it’s moving evidence to the malicious inbox the attacker created. The same scenario can play out with anyone who scans the QR code, and the attacker can sit back and watch it all unfold with very little interaction.




How to reduce spear phishing risk without slowing your team down

Proactivity is the key to detecting spear phishing attacks before they damage the business. Here are a few strategies to reduce risk:

  • Security awareness training: Teach users what to look out for with expert-backed security awareness training, simulated scenarios, and personalized coaching. 

  • Managed Endpoint Detection and Response (EDR): Spot threats faster with an always-on endpoint detection system backed by a 24/7 human-led, AI-assisted Security Operations Center (SOC).

  • Identity Threat Detection and Response (ITDR): Phishing revolves around stealing and misusing real credentials. ITDR tools and processes spot unusual logins, credential misuse, and repeated attempts to stop hackers in their tracks.

  • Make Multi-Factor Authentication (MFA) mandatory: MFA is an extra barrier that slows down attackers when they try to access your email account with stolen credentials.

  • Enforce verification workflows: Make sure departments have (and follow) standard operating procedures for verifying key actions, like approving expenses and granting user access.



Get proactive with spear phishing protection from Huntress

Spear phishing is a sneaky attack, and AI is making it harder than ever to detect. A proactive approach will put teams ahead, so you can stop chasing alerts and start shutting down attacks before they happen. 


Take action with a managed security platform like Huntress. Our platform spots and responds to identity-based attacks in real time. And with our phishing guide in hand, your team can stop phishing attacks before they start.


Frequently Asked Questions

A spear phishing email might contain information that isn’t publicly available, like meeting times and details about products that haven’t launched yet. If you identify a suspicious email with this sort of information, you’re probably the target of a spear phishing attack.


Regular phishing emails are much more generic. They’ll ask you to do things like sign back into an account or pay a late fee.



Spear phishing attacks bypass traditional email security tools by avoiding all the hallmarks those tools look for, like suspicious URLs, high-volume senders, and fake attachments.

Yes. MFA is highly effective at stopping spear phishing attempts because it requires a second form of authentication that the attacker might not have access to. Even if bad actors get their hands on your login credentials, they’ll be less likely to be able to use them.

