
Spear phishing works because it doesn’t look suspicious. The message is tailored, the timing fits, and it often comes from someone the target recognizes. Stopping it takes more than one control.

You need coverage across the gaps attackers use. That starts with DMARC set to reject, a modern email security gateway, and phishing-resistant MFA for executives and finance. From there, layer in endpoint detection, DNS filtering, consistent phishing simulations, and a strict out-of-band verification policy for any wire or vendor banking change.

No single control stops a targeted attack, but together these layers remove the conditions that let one succeed. Left in place, those same conditions are why phishing still drives the majority of breaches and billions in BEC losses.

This guide is for owners, CFOs, IT leaders, and operations teams at small to mid-sized businesses. We’ll define the attack briefly, then focus on what actually stops it without enterprise-level overhead.

Spear Phishing in 90 Seconds

Spear phishing is phishing with a target's name on it. The U.S. National Institute of Standards and Technology (NIST) defines it as "phishing attempts directed at specific individuals or companies." Three things separate it from commodity phishing — and they are exactly the three things a defense program must address:

  1. Targeting. The attacker picked one employee by name, role, and responsibility.
  2. Reconnaissance. They spent hours, sometimes weeks, on LinkedIn, the company website, press releases, breach dumps, and AI-enriched data sets.
  3. Personalization. The email references real projects, real vendors, and real colleagues. Spam filters frequently miss it.

In a commodity phishing attack, a criminal sends 100,000 generic "Your package is delayed" emails, hoping 0.1% click. In spear phishing, the same criminal sends one email to a controller, claims to be the CEO finalizing an acquisition, and requests a $187,450 wire transfer — a figure drawn from textbook CEO-fraud cases. One email. One target. One payoff.

How spear phishing relates to phishing, whaling, and BEC

| Dimension | Phishing | Spear phishing | Whaling | Business Email Compromise (BEC) |
|---|---|---|---|---|
| Target | Mass audience | Specific individual or role | C-level executive or board | A company's payment workflow |
| Personalization | Low | High | Very high | Very high |
| Volume per campaign | Thousands–millions | A handful | 1–few | 1–few |
| Typical goal | Credentials or small fraud | Credentials, network access, wire fraud | Large wire transfer, trade secrets | A specific fraudulent transaction |
| Hardest control | URL reputation | Email authentication + human training | Executive-specific training + verify-out-of-band | Verify out-of-band on every payment detail change |

Whaling is spear phishing aimed higher; BEC is the financial-fraud outcome that spear phishing usually enables. Palo Alto Networks Unit 42's 2025 Incident Response report found that BEC is responsible for 76% of phishing-entry incidents, and a Verizon analysis showed 89% of organizations hit by BEC had not enforced multi-factor authentication.

Channel variants — vishing (voice, often paired with AI voice cloning), smishing (SMS) and quishing (QR codes) — apply the same targeting + research + personalization pattern across different mediums.

The 6-Stage Attack Lifecycle (and Where Controls Slot In)

Every successful spear phishing attack follows the same six stages. Mapping defenses to stages is how a budget line turns into measurable risk reduction.

| Stage | What the attacker does | Where the control slots in |
|---|---|---|
| 1. Target selection | Picks a high-value role: CFO, AP clerk, IT admin, HR director. | Reduce public attack surface; remove individual emails from the website; trim public org charts. |
| 2. Reconnaissance (OSINT) | Scrapes LinkedIn, company site, news, social posts, breach corpora and AI-enriched data sets. Builds a per-target dossier. | Train staff on social-media oversharing; monitor exposed-credential feeds; enforce LinkedIn privacy. |
| 3. Pretext crafting | Writes a believable lure — fake CEO wire request, M365 password-reset, DocuSign contract, thread-hijacked invoice, QR-code form. AI now drafts flawless copy. | Email authentication (SPF, DKIM, DMARC); AI-driven impersonation detection in the email gateway; URL sandboxing. |
| 4. Delivery | Sends via lookalike domain, compromised trusted mailbox, SMS, voice, or LinkedIn DM. Often timed to a payment cycle or executive travel. | Email security controls, DNS filtering, and mobile device management for SMS/phone variants. |
| 5. Exploitation | Victim clicks, enters credentials on a cloned page, approves an MFA push, wires money, or opens a Remcos / Defray payload. | Phishing-resistant MFA (FIDO2, passkeys); EDR/XDR; DLP; strict approval workflows for financial changes. |
| 6. Persistence and lateral movement | Creates inbox rules, forwards mail externally, escalates privileges, and pivots laterally. | Conditional access; identity threat detection; session revocation; immutable audit logs. |

Palo Alto Networks and Fortinet publish the same six-stage model — treat it as the industry consensus.

Who in a Business Gets Targeted

Attackers go where money and access live. In order of frequency in reported incidents:

  1. Finance and Accounts Payable. They move money and know the vendor list. Mattel lost $3 million to a spoofed vendor email in 2015.
  2. C-suite executives. Pathé Cinema Group lost €19.2 million (~$22M) to a CEO-fraud wire request in 2018.
  3. HR. They hold Social Security numbers, W-2s, and payroll-change authority.
  4. IT administrators and developers. Their credentials open the entire environment. RSA Security was breached through a malicious Excel attachment sent to four low-profile staff in 2011.
  5. Executive assistants and legal counsel. They route decisions on behalf of the executives attackers actually want to impersonate.
  6. Third-party vendors and contractors show up in a lot of these cases. The Target breach is still the clearest example. A phishing email hit an HVAC contractor, credentials got reused, and that access was enough to move deeper into the network. Seventy million customer records later, the entry point still looks small. 

That pattern hasn’t changed much: 65% of threat actor groups use spear phishing in their campaigns, and nearly every organization sees it at least once a year. It’s not edge-case activity. It’s the default way in.

What a Spear Phishing Email Actually Looks Like

Train teams to recognize four archetypes that account for the majority of business losses.

4.1 The fake CEO wire-transfer request

From: "Michael [CEO]" [sender address obfuscated on the original page] (note the zero in "c0mpany")

To: [recipient address obfuscated on the original page]

Subject: Quick — need this done before 3 pm

Sarah, I'm in meetings all afternoon and can't take calls. We're finalizing the Henderson acquisition, and I need you to wire $187,450 to the account below today. Please treat as confidential — only me, you, and legal know at this point. I'll sign off on the paperwork tomorrow. Michael

Red flags hiding in plain sight: lookalike domain, artificial urgency, secrecy demand, request to bypass approval, and a reference to a real but private project pulled from a press release.

4.2 The fake Microsoft 365 login

A message comes in saying the password expires in 24 hours. Nothing unusual on the surface. The “Reset Now” link even looks right.

It lands on a cloned login page, same layout, same branding, sitting on a typo-squatted domain most people won’t notice. The user signs in, enters the MFA code, and thinks they’re done.

They’re not. The attacker is relaying everything in real time to the actual Microsoft login. By the time the page refreshes, the mailbox is already theirs.

4.3 The thread-hijacked vendor invoice

The attacker has already compromised a supplier's mailbox. The AP clerk has been emailing that supplier for weeks. The attacker inserts one new reply into the live thread: "Our bank has changed, please update remittance details — new ACH info attached." No spoof, no lookalike — the email comes from the real supplier's real mailbox.

4.4 The QR-code onboarding lure

A low-text email asks the recipient to scan a QR code to "complete benefits enrollment." URL filters never see the destination because the URL is embedded inside an image. Kimsuky used this technique in January 2026 campaigns against U.S. think tanks.

Twelve Red Flags to Train Teams On

AI-written spear phishing rarely contains grammar errors. Train staff on behavioral signals.

Sender:

  1. Lookalike or homograph domain — rnicrosoft.com, y0urcompany.com, company-support.co.
  2. Display-name spoof — "CEO Michael Smith" with a Gmail reply-to address.
  3. First-time sender claiming an existing relationship.

Content:

  4. Unusual urgency combined with a payment, credential, or data request.
  5. Request to keep the matter confidential or bypass approval.
  6. Reference to a real project or person, but slightly off in tone or timing.
  7. Emotional manipulation — fear, guilt, or borrowed authority.
  8. Asks for gift cards, cryptocurrency, or wire transfers.

Links and attachments:

  9. Hover-mismatch — visible text does not match the actual URL.
  10. Shortened or long opaque URLs (bit.ly, t.co, long query-string tokens).
  11. Unexpected file types — .iso, .html, password-protected .zip, .docm.
  12. A QR code in the body with no URL alternative.

Use this list in onboarding, in every quarterly phishing-simulation debrief, and on the desk-reference card given to finance and HR staff.
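Several of these flags can be checked mechanically before a human ever sees the message. The script below is an added example, not code from the original article: it implements red flags 1, 2, 9 and 10 (lookalike or homograph domain, executive display name on a foreign address, hover mismatch, URL shortener) over a From header and an HTML body. The company domain, the executive names, the confusable-character table and the sample message are constructed assumptions; in practice you would run these functions against messages landing in a report-phish mailbox.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OWN_DOMAIN = "yourcompany.com"                       # assumption: the defended domain
PROTECTED_DOMAINS = [OWN_DOMAIN, "microsoft.com"]     # plus brands staff expect mail from
EXECUTIVE_NAMES = ["michael smith", "sarah lee"]      # constructed: names worth impersonating
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
# Swaps that survive a quick glance; applied before labels are compared
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample body in the style of the "fake Microsoft 365 login" lure above
SAMPLE_HTML = """
<p>Your password expires in 24 hours.</p>
<a href="https://login.rnicrosoft.com/reset?t=abc">https://login.microsoft.com/reset</a>
<a href="https://bit.ly/3xyzabc">Reset Now</a>
<a href="https://yourcompany.com/help">Help desk</a>
"""

def fold(label):
    """Normalise look-alike sequences so 'rnicrosoft' and 'y0ur' compare as 'microsoft' and 'your'."""
    label = label.lower()
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 means a near-identical label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels of a host; a simplification that ignores suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(domain):
    """Return the protected domain this one imitates, or None if it is exact or unrelated."""
    domain = domain.lower()
    if not domain or domain in PROTECTED_DOMAINS:
        return None
    label = registrable(domain).split(".")[0]
    for protected in PROTECTED_DOMAINS:
        target = protected.split(".")[0]
        if fold(label) == fold(target) or edit_distance(label, target) <= 2:
            return protected
    return None

def sender_flags(from_header):
    """Red flags 1 and 2: lookalike domain, executive display name on a foreign address."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    imitated = lookalike_of(domain)
    if imitated:
        flags.append(f"lookalike domain: {domain} resembles {imitated}")
    if domain != OWN_DOMAIN and any(n in name.lower() for n in EXECUTIVE_NAMES):
        flags.append(f"display-name spoof: '{name}' matches an executive but the address is @{domain}")
    return flags

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_flags(html_body):
    """Red flags 9 and 10: hover mismatch, lookalike link hosts, URL shorteners."""
    collector = AnchorCollector()
    collector.feed(html_body)
    flags = []
    for href, text in collector.anchors:
        host = urlparse(href).hostname or ""
        if not host:
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in shown and registrable(shown) != registrable(host):
            flags.append(f"hover mismatch: text shows {shown} but the link goes to {host}")
        imitated = lookalike_of(registrable(host))
        if imitated:
            flags.append(f"link host {host} resembles {imitated}")
        if registrable(host) in SHORTENERS:
            flags.append(f"shortened URL {href} hides its destination")
    return flags

if __name__ == "__main__":
    print(sender_flags('"Michael Smith" <michael@y0urcompany.com>'))
    print(link_flags(SAMPLE_HTML))
```

The confusable table is deliberately short; the point is that a plain string comparison would pass `rnicrosoft.com` and `y0urcompany.com`, while folding plus a small edit-distance budget catches both. The `registrable` helper is a two-label approximation, so a real deployment should use a public-suffix list.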

Why AI Is Making the Problem Harder in 2026

Three shifts in the last 18 months have rendered "look for typos" obsolete:

  • Generative AI removes the historic tell. Large language models produce flawless, culturally-appropriate copy in any language at scale. The grammar-error filter no longer works.
  • Voice cloning is commoditized. A 30-second LinkedIn video is enough to clone a CFO's voice. Attackers combine email spear phishing with a follow-up AI voice call: "I just emailed you — can you approve it?"
  • OSINT collection is automated. LLMs scrape LinkedIn, press releases, SEC filings, and breach corpora in minutes, producing a per-target dossier that used to take a human analyst a week.

Spear phishing surged more than 1,000% in October 2025. Proofpoint and Stripe's threat intelligence groups both documented, in September 2025, a wave of C-suite spear-phishing campaigns built around AI-written pretexts. Unit 42's March 2026 report on "UNK_InnerAmbush" detailed attackers delivering password-protected Google Drive archives to Middle Eastern governments — a technique designed specifically to evade automated URL scanners.

The defense implication: spear phishing protection in 2026 must be layered, technical, and behavioral — never reliant on user vigilance alone.

The 7-Layer Defense Playbook

No single control stops spear phishing. It’s always a chain. The layers below are what actually break that chain in a small or mid-sized environment.

Layer 1 — Email authentication

This is where most teams start, and where a lot of them stop too early.

You need all four in place:

  • SPF defines which servers are allowed to send for your domain
  • DKIM signs outbound mail so it can be verified
  • DMARC enforces it, and that means moving to p=reject once coverage is there
  • BIMI adds a visual trust signal with a verified logo

Running at p=none or quarantine leaves room for lookalike abuse. That gap gets used.

Most modern gateways will give you the reporting you need to move to enforcement without breaking mail flow.
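To see what "all four in place" means in the DNS itself, here is an added example (not code from the original article) that parses SPF and DMARC TXT records and reports how far a domain is from the p=reject end state. The four domains and their records are constructed samples so the script runs offline; in practice you would paste in the TXT records returned for your domain and for `_dmarc.<yourdomain>`. BIMI is not checked, since it depends on a published logo and certificate rather than on the record syntax alone.

```python
import re

SAMPLE_RECORDS = {  # constructed sample domains and records
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "partial.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 -all",
        "dmarc": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@partial.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strong.example",
    },
    "none.example": {"spf": "v=spf1 +all", "dmarc": None},
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)", re.I)

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict; {} if it is not a DMARC record."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(spf):
    """Weaknesses in an SPF record as readable strings; an empty list means none found."""
    if not spf or spf.split()[0].lower() != "v=spf1":
        return ["no SPF record: receivers cannot tell which hosts may send for this domain"]
    terms = spf.split()
    findings = []
    final = terms[-1].lower()
    if final in ("+all", "all"):
        findings.append("ends in +all: every host on the internet passes SPF for this domain")
    elif final == "~all":
        findings.append("ends in ~all (softfail): spoofed mail is tagged, not rejected; acceptable while collecting DMARC data, weak as an end state")
    elif final == "?all":
        findings.append("ends in ?all (neutral): SPF gives receivers no signal at all")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms: over the 10-lookup limit, SPF returns permerror and stops protecting you")
    return findings

def dmarc_findings(dmarc):
    """Distance from the p=reject end state, as readable strings."""
    tags = parse_dmarc(dmarc)
    if not tags:
        return ["no DMARC record: receivers have no instruction to reject mail that fails SPF/DKIM alignment"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: direct spoofs of this domain are still delivered; move to p=reject once reports show legitimate senders are aligned")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"subdomain policy is {sub_policy}: unused subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are what let you reach enforcement without breaking mail flow")
    return findings

def assess(domain, records=SAMPLE_RECORDS):
    """Grade one domain; 'enforcing' is True only for DMARC at p=reject covering 100% of mail."""
    rec = records[domain]
    tags = parse_dmarc(rec["dmarc"])
    enforcing = tags.get("p", "").lower() == "reject" and tags.get("pct", "100") == "100"
    return {"domain": domain, "enforcing": enforcing,
            "spf": spf_findings(rec["spf"]), "dmarc": dmarc_findings(rec["dmarc"])}

if __name__ == "__main__":
    for domain in SAMPLE_RECORDS:
        result = assess(domain)
        print(f"{domain}: {'ENFORCING' if result['enforcing'] else 'NOT ENFORCING'}")
        for line in result["spf"] + result["dmarc"]:
            print("  -", line)
```

The `partial.example` case is the one most teams get stuck in: `p=quarantine` with `pct=50` looks like progress in a dashboard, but half of the mail that fails alignment is still delivered untouched. The `sp=` check matters for the same reason; a domain at `p=reject` with no subdomain policy inherits reject, but one that explicitly sets `sp=none` leaves every unused subdomain open.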

Layer 2 — Email security gateway with AI detection

Authentication handles identity. It doesn’t handle intent.

That’s where a modern email security layer comes in, especially in front of or integrated with Microsoft 365 or Google Workspace.

What matters here:

  • Impersonation detection that goes beyond exact matches
  • URL rewriting with time-of-click checks
  • Attachment sandboxing
  • CDR to strip active content
  • The ability to pull messages back after delivery

This is what catches the messages that look legitimate on the surface.

Layer 3 — Phishing-resistant MFA and identity controls

SMS codes and push approvals don’t hold up the way they used to.

Attackers get around them with phishing kits and MFA fatigue. It’s happening every day.

Move high-risk users to something stronger:

  • FIDO2 keys or passkeys for executives, finance, and IT
  • Conditional access tied to device and location
  • Identity threat detection that flags things like impossible travel or token reuse

If identity breaks, everything behind it is exposed.

Layer 4 — Endpoint, XDR, and DNS filtering

Assume something gets through. It will.

What matters is what happens next.

  • EDR or XDR to catch the payload after a click
  • DNS filtering to stop connections to known malicious domains
  • DLP to limit what can leave if an account is compromised
  • Segmentation so one endpoint doesn’t open up the entire network

This layer is about containment, not prevention.

Layer 5 — Security awareness training and phishing simulations

Annual training doesn’t move behavior. Most people forget it within weeks.

Short, consistent training tends to stick. Three to five minutes at a time.

Then test it:

  • Run simulations every quarter, not once a year
  • Increase difficulty over time
  • Track who clicks, who reports, and how long it takes

Teams that stay with it usually see real change. The phish-prone rate drops, and more importantly, reporting goes up.

Layer 6 — Process controls

This is where a lot of the biggest losses happen, not because the tech failed, but because the process didn’t exist.

At minimum:

  • Verify out-of-band for any vendor banking change or wire above a threshold
  • Dual approval on larger transfers
  • Least privilege, reviewed regularly
  • Reduce exposed contact info where possible

If the process isn’t written and enforced, it won’t hold under pressure.
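Writing the rule down is step one; the next is making the payment system refuse to release funds until the rule has been followed. The code below is an added example, not the article's or any vendor's code: it encodes the Layer 6 minimums (out-of-band verification for any banking change or wire above a threshold, dual approval on larger transfers) as a release check. The thresholds, the vendor master record and the sample requests are constructed assumptions; the $187,450 figure is the lure from the article's own CEO-fraud example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VERIFY_ABOVE = 10_000         # assumption: wires above this need out-of-band verification
DUAL_APPROVAL_ABOVE = 50_000  # assumption: wires above this need two distinct approvers

# Vendor master record (constructed). The callback number stored here is the ONLY number a
# verifier may dial; a number supplied in the request itself is controlled by whoever wrote it.
VENDOR_MASTER = {
    "Henderson Holdings": {"account": "US12-3456", "callback_phone": "+1-555-0100"},
}

@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    account: str                               # account the request asks us to pay
    requester: str                             # who entered the request
    requested_via: str = "email"
    verified_by: Optional[str] = None          # who performed the out-of-band check
    callback_phone_used: Optional[str] = None  # number the verifier actually dialled
    approvers: List[str] = field(default_factory=list)

def release_check(req: PaymentRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). A payment is released only when reasons is empty."""
    reasons = []
    master = VENDOR_MASTER.get(req.vendor)
    if master is None:
        return False, ["vendor not in master record: onboard and verify before paying"]
    bank_changed = req.account != master["account"]
    if bank_changed or req.amount > VERIFY_ABOVE:
        if not req.verified_by:
            reasons.append("out-of-band verification missing"
                           + (" (bank details differ from master record)" if bank_changed else ""))
        elif req.callback_phone_used != master["callback_phone"]:
            reasons.append("callback used a number that is not on the vendor master record")
    # The requester may not count as one of their own approvers
    distinct = set(req.approvers) - {req.requester}
    if req.amount > DUAL_APPROVAL_ABOVE and len(distinct) < 2:
        reasons.append(f"dual approval required above ${DUAL_APPROVAL_ABOVE:,}; "
                       f"have {len(distinct)} approver(s) besides the requester")
    elif not distinct:
        reasons.append("no approver other than the requester")
    return not reasons, reasons

# Constructed sample: the article's CEO-fraud lure as it would arrive at AP
CEO_LURE = PaymentRequest(vendor="Henderson Holdings", amount=187_450, account="GB99-0000",
                          requester="sarah", approvers=["sarah"])
# Constructed sample: the same amount, paid the way the policy requires
LEGITIMATE = PaymentRequest(vendor="Henderson Holdings", amount=187_450, account="US12-3456",
                            requester="sarah", verified_by="sarah",
                            callback_phone_used="+1-555-0100", approvers=["controller", "cfo"])

if __name__ == "__main__":
    for label, req in (("CEO lure", CEO_LURE), ("legitimate", LEGITIMATE)):
        allowed, reasons = release_check(req)
        print(label, "->", "RELEASE" if allowed else "HOLD", reasons)
```

Two details carry most of the value. First, "verified" is not a checkbox: the check fails if the callback went to any number other than the one already on file, which is exactly the mistake a thread-hijacked invoice invites. Second, the requester is subtracted from the approver set, so a compromised AP account cannot approve its own wire.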

Layer 7 — Documented incident response

Something will slip through. The difference is how fast you respond.

This doesn’t need to be complex. It needs to be usable.

  • A short runbook anyone can find quickly
  • Clear ownership of who handles what
  • Insurance details and contacts already documented
  • At least one tabletop exercise a year that includes more than just IT

If people are figuring it out in the moment, it’s already too late.

The 90-Day Minimum Viable Security Stack

If you only get a few things done this quarter, make it these. Not everything moves the needle. These do.

| # | Control | Why It Earns Its Slot |
|---|---|---|
| 1 | DMARC set to p=reject (with aligned SPF + DKIM) | Cuts off direct domain impersonation |
| 2 | FIDO2 / passkey MFA for executives, finance, and IT admins | Stops credential replay and MFA fatigue attacks |
| 3 | Modern cloud email security with impersonation protection | Picks up targeted lures that authentication alone misses |
| 4 | EDR/XDR on every endpoint | Limits damage when something gets through |
| 5 | DNS filtering | Blocks access to known malicious destinations |
| 6 | Quarterly phishing simulation + monthly micro-training | Reduces user-driven risk over time |
| 7 | Written verify-out-of-band policy for wires and vendor-bank changes | Removes the highest-loss scenario entirely |

You can spread this out, but most teams don’t. It usually comes down to what can realistically get done in a quarter.

Start with visibility and identity. First month, get DMARC reporting in place and move toward enforcement. At the same time, identify your highest-risk users.

Next, lock down access. Roll out FIDO2 or passkeys to executives, finance, and admins. This is where most account takeovers stop.

Final stretch, focus on process. Put the verification policy in writing, run your first phishing simulation, and document how incidents actually get handled when something slips through.

Incident Response: What to Do If Someone Clicked

Speed decides whether a click becomes a near-miss or a headline. The first 60 minutes matter.

  1. Isolate the device. Disconnect from Wi-Fi and Ethernet; do not power off — volatile evidence is lost on shutdown.
  2. Revoke sessions and reset credentials. Kill all active sessions in Microsoft 365 / Google Workspace; reset the user's password and force MFA re-enrollment.
  3. Check for persistence. Look for new inbox rules, auto-forwarding or deleting messages, new OAuth app grants, and new MFA devices registered.
  4. Hunt for lateral movement. Review sign-in logs for impossible travel and new device registrations.
  5. Notify stakeholders. Legal, Finance (halt any pending wires immediately), the cyber-insurance carrier, and — if PII is involved — the compliance officer.
  6. Preserve evidence. Export headers, logs, and the phishing email itself to an out-of-band location.
  7. Report externally. File with the FBI Internet Crime Complaint Center at ic3.gov for BEC; report to CISA; notify the bank's fraud team. BEC wires reported within 72 hours have a meaningfully higher chance of recovery via the Financial Fraud Kill Chain.
  8. Post-incident review. Update the runbook, the training, and the controls. An incident that doesn't change something is a wasted lesson.
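Step 3 is the one most often skipped under pressure, so here is an added example (not code from the original article) that runs the persistence check over exported mailbox audit records. The records are constructed samples in the general shape of Microsoft 365 unified audit log entries (an `Operation` name plus a `Parameters` list of `Name`/`Value` pairs); the exact field names, the sample addresses and the set of operations treated as indicators are assumptions, so adapt the keys to whatever export your tenant actually produces.

```python
import json

OWN_DOMAIN = "yourcompany.com"  # assumption: forwarding outside this domain is suspicious
# Folders attackers commonly route mail into so the victim never sees replies
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items", "junk email"}
PAYMENT_WORDS = ("invoice", "wire", "payment", "password", "remittance")

# Constructed records, newline-delimited JSON, for one victim and one unrelated user
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2026-03-02T14:05:11", "UserId": "sarah@yourcompany.com",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "ForwardTo", "Value": "ap-review@lookalike-mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-03-02T14:06:40", "UserId": "sarah@yourcompany.com",
     "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:backup@lookalike-mail.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2026-03-02T14:09:02", "UserId": "sarah@yourcompany.com",
     "Operation": "Consent to application.",
     "Parameters": [{"Name": "AppName", "Value": "Mail Sync Helper"},
                    {"Name": "Scope", "Value": "Mail.ReadWrite offline_access"}]},
    {"CreationTime": "2026-03-02T14:12:30", "UserId": "sarah@yourcompany.com",
     "Operation": "User registered security info.",
     "Parameters": [{"Name": "Method", "Value": "Authenticator App"}]},
    {"CreationTime": "2026-02-20T09:00:00", "UserId": "sarah@yourcompany.com",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2026-03-02T14:15:00", "UserId": "bob@yourcompany.com",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Forward to personal"},
                    {"Name": "ForwardTo", "Value": "bob@personal-mail.example"}]},
])

def is_external(address):
    """True for any recipient outside our own domain (handles the 'smtp:' prefix)."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return "@" in addr and not addr.endswith("@" + OWN_DOMAIN)

def persistence_findings(ndjson, user):
    """Return (time, operation, reason) tuples for persistence indicators on one user."""
    findings = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("UserId", "").lower() != user.lower():
            continue
        op = rec.get("Operation", "")
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        reasons = []
        if op in ("New-InboxRule", "Set-InboxRule"):
            for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
                if is_external(params.get(key, "")):
                    reasons.append(f"rule forwards mail externally to {params[key]}")
            if params.get("DeleteMessage", "").lower() == "true":
                reasons.append("rule silently deletes matching mail")
            if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
                reasons.append(f"rule hides mail in '{params['MoveToFolder']}'")
            if any(w in params.get("SubjectContainsWords", "").lower() for w in PAYMENT_WORDS):
                reasons.append("rule keys on payment or credential subjects")
        elif op == "Set-Mailbox" and is_external(params.get("ForwardingSmtpAddress", "")):
            reasons.append(f"mailbox-level forwarding to {params['ForwardingSmtpAddress']}")
        elif op == "Consent to application.":
            reasons.append(f"new OAuth grant to '{params.get('AppName', '?')}' with scope {params.get('Scope', '?')}")
        elif op == "User registered security info.":
            reasons.append(f"new MFA method registered: {params.get('Method', '?')}")
        elif op == "Add-MailboxPermission":
            reasons.append(f"mailbox delegated to {params.get('User', '?')}")
        for reason in reasons:
            findings.append((rec.get("CreationTime", ""), op, reason))
    return findings

if __name__ == "__main__":
    for time, op, reason in persistence_findings(SAMPLE_AUDIT_LOG, "sarah@yourcompany.com"):
        print(time, op, "-", reason)
```

Each finding maps to a step-3 action: remove the rule or forwarding address, revoke the OAuth grant, and delete the unrecognised MFA method before the password reset in step 2 is considered complete, otherwise the attacker re-enters through whichever one was missed. The earlier "Newsletters" rule is left alone, which is the point of keying on behaviour (external forward, delete, hiding folder, payment keywords) rather than on "any new rule".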

Compliance, Cyber Insurance, and the Business Case

Spear phishing protection is also a regulatory and insurance requirement.

  • HIPAA, PCI-DSS, SOX, GLBA, GDPR, and state-level breach laws treat successful spear phishing as a reportable breach when it leads to exposure of protected data. Notification costs and fines often exceed the stolen funds themselves.
  • Cyber-insurance carriers now require enforced MFA, DMARC, EDR, and a documented security-awareness training program as a condition of renewal. Missing controls translate to denied claims, particularly under Social Engineering Fraud and Funds Transfer Fraud endorsements. For the full set of 2026 underwriting requirements, see the 2026 cyber insurance coverage checklist for businesses.
  • Customers and partners increasingly require SOC 2, CIS Controls v8, or NIST CSF alignment before signing. A visible anti-phishing program is table stakes.

The cost of a modern anti-phishing program — even for a 50-person business — is a rounding error next to the average single-incident loss.

Lessons From Real-World Incidents

Twelve years of incident reports concentrate on the same patterns. Knowing the patterns is half of stopping them.

| Victim | Year | Method | Loss |
|---|---|---|---|
| Ubiquiti Networks | 2015 | Impersonation of outside entities in finance emails | $46.7 million wired |
| Pathé Cinema Group | 2018 | CEO-fraud wire request | €19.2 million (~$22M) |
| RSA Security | 2011 | Malicious Excel attachment to four employees | Backdoor installed; SecurID seed data stolen |
| Target Corp. | 2013 | Phishing of HVAC contractor → lateral movement | 70 million customer records |
| Mattel | 2015 | Spoofed vendor email | $3 million |
| LA Superior Court | 2016 | Fake Dropbox link → credential theft | Account credentials used to launch further campaigns |
| Omaha commodities trader | 2017 | Impersonation of Chinese bank contact | $17.2 million wired |
| Puerto Rico IDC | 2020 | Spear phishing email | $2.6 million |
| Franklin, Massachusetts | 2020 | Spear phishing email | $522,000 |
| John Podesta / DNC | 2016 | Credential harvesting page | National-security-scale data exposure |

The pattern is consistent: a single email, sent to one person, after research. The cost is consistent too — routinely larger than the entire annual cybersecurity budget of a mid-market company. Three of the seven controls in the 90-Day Minimum Viable Security Stack — DMARC at p=reject, FIDO2 MFA, and a verify-out-of-band wire policy — would have stopped or contained every monetary case in this table.

Frequently Asked Questions

What Is the Most Effective Single Control Against Spear Phishing?

There isn’t one. If you’re forced to choose, a verify-out-of-band policy stops the biggest losses: fraudulent wires and vendor banking changes. But that doesn’t help when credentials get stolen. That’s where phishing-resistant MFA comes in. You need both sides covered.

What Is the Difference Between Phishing and Spear Phishing?

Phishing is volume. Same message, sent everywhere. Spear phishing slows down and targets one person or role. That extra effort is what makes it land.

What Is the Difference Between Deceptive Phishing and Spear Phishing?

Deceptive phishing leans on brand trust. Fake Microsoft alerts, bank notices, things people recognize. Spear phishing skips that and builds around the target instead. Different approach, same end goal.

What Is the Difference Between Spear Phishing and Whaling?

Whaling is just a narrower version of the same tactic. The target shifts to executives, the CEO, the CFO, board. Nothing else really changes.

What Is the Difference Between Spear Phishing and Business Email Compromise?

Think of BEC as the outcome. Money moves. Accounts get abused. Spear phishing is usually how the attacker gets there, either by impersonating someone or getting into their inbox first.

What Are Real Examples of Spear Phishing?

Ubiquiti lost $46.7M. Pathé dropped €19.2M in a CEO fraud case. Mattel wired $3M to a fake vendor. Even Target started with a phished HVAC contractor. Different setups, same entry point.

How Do You Spot a Spear Phishing Email?

You won’t catch it on spelling. Most of them read clean. Look at what it’s asking you to do. Urgent payment, credential access, and bypassing normal steps. Check the links. Check the sender. That’s where it usually breaks.

Is Spear Phishing Illegal?

Yes. It falls under wire fraud, computer fraud, and identity theft. In the U.S., these cases typically get handled at the federal level.

How Do You Report Spear Phishing?

Start internally. Use the reporting button or send it to your security team. If there’s money involved, escalate fast. Externally, it goes to ic3.gov and your bank’s fraud unit.

Can Spear Phishing Happen by Phone or Text?

All the time. Vishing, smishing, even QR-based attacks. The delivery changes, but the setup is the same: targeted, researched, and timed to catch someone off guard.

Is a Small Business Really a Spear Phishing Target?

Yes, and often an easier one. Fewer controls, faster approvals, less friction around payments. That combination is exactly what attackers look for.

Does Cyber Insurance Cover Spear Phishing Losses?

Sometimes, but you have to read the fine print. Coverage usually depends on specific endorsements for social engineering or funds transfer fraud. Without those, many claims get denied.
