

Spear phishing: detecting and protecting your business [2026 Guide]

Spear phishing is one of the most common and most expensive ways businesses get breached. Learn how to recognize these targeted attacks, train your teams, and harden your environment so that a click does not turn into an incident.


What is spear phishing?

Spear phishing is a form of targeted phishing where the attacker personalizes their message for a specific person or group within a company. Unlike traditional phishing, which is sent out en masse with a generic message, spear phishing relies on information collected about the target: name, position, current projects, hierarchy, communication habits. The result is a highly credible email that is often undetectable by traditional spam filters.

According to the Verizon DBIR 2025, phishing remains the third most common initial access vector (16% of breaches), behind credential abuse and vulnerability exploitation, but its cost is among the highest: IBM's Cost of a Data Breach Report 2025 puts the average breach that starts with phishing at $4.8 million. The same IBM report finds that 16% of breaches now involve attackers using AI, mostly for AI-generated phishing (37% of those cases) and deepfake impersonation (35%).

Sources: Verizon DBIR 2025 — IBM Cost of a Data Breach Report 2025

How does a spear phishing attack work?

Phase 1: Reconnaissance

The attacker collects information via LinkedIn, the company's website, social media, and sometimes earlier data leaks. They identify decision-makers, reporting lines, and ongoing projects. The Verizon DBIR 2025 notes that third-party involvement in breaches doubled in one year, from 15% to 30%, which gives attackers even more data (supplier names, invoice formats, project references) with which to personalize their messages.

Phase 2: Social engineering

The email is written to imitate a trusted sender: a supervisor (CEO fraud), a supplier, or a partner. The message creates a sense of urgency or legitimacy and encourages the recipient to open an attachment, click on a link, or transfer funds. In 2025, generative AI makes these messages grammatically perfect and contextualized, eliminating the classic clues (spelling mistakes, awkward phrasing).

Phase 3: Exploitation

If the target clicks, several scenarios can follow: a malicious macro runs inside an Office document, a script or a built-in tool such as PowerShell downloads and launches malware, or the link leads to a fake login page that harvests the password (and, with an adversary-in-the-middle kit, the session cookie too). The Verizon DBIR 2025 indicates that 88% of basic web application attacks involve stolen credentials. Workstation hardening makes the difference on the first two paths: the macro and script execution vectors are blocked. It does nothing on the third, where the user types a valid password into the attacker's page; that path is closed by email filtering and phishing-resistant MFA (steps 3 and 5 below).

Source: Verizon DBIR 2025


Why hardening is your best technical defense against spear phishing

User awareness is necessary but insufficient. According to the Verizon DBIR 2025, the average click-through rate on phishing simulations remains around 1.5% (median), and the report states that "the failure rate is not affected by training." In other words, even the best-trained employees end up clicking. The question is not IF someone will click, but WHEN.

This is why technical protection of the workstation is essential. Hardening breaks the exploitation chain after the click: macros in Office files that carry the Mark of the Web are blocked, PowerShell runs in Constrained Language Mode (enforced by a WDAC or AppLocker policy), ASR (Attack Surface Reduction) rules stop Office and the mail client from spawning processes or writing executable content, and the Print Spooler is disabled on workstations that do not print. Even if the user clicks, the usual macro and script payloads have nowhere to run. Hardening does not stop the user from typing a password into a fake login page, so it complements MFA and email filtering rather than replacing them.

Source: Verizon DBIR 2025

If you would like to learn more, check out the complete guide to Windows hardening.

5 steps to protect your business from spear phishing

1. Hardening workstations

Block unsigned macros, restrict PowerShell, enable ASR rules, disable unnecessary services. This is the most effective measure because it neutralizes exploitation even when human prevention fails. Ransomware, often triggered by a spear phishing email, now appears in 44% of breaches according to the Verizon DBIR 2025, up from 32% the previous year.

Source: Verizon DBIR 2025
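The following script is an added example, not the page's own code or Microsoft's. It applies the hardening measures from step 1 above (the same ones described in the hardening section) to a single Windows 10/11 workstation running Microsoft Defender Antivirus and Microsoft 365 Apps, then reports what is actually enforced. The rule GUIDs are Microsoft's published ASR identifiers and should be checked against the current ASR reference before rollout; the -Audit and -KeepSpooler switches are this example's own.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not the page's or Microsoft's script. Applies a post-click hardening
  baseline to one Windows 10/11 workstation running Microsoft Defender Antivirus and
  Microsoft 365 Apps (Office 16.0 registry hive), then reports what is enforced.
  Run with -Audit first, review Event ID 1122 (ASR audit hits) in the
  Microsoft-Windows-Windows Defender/Operational log, then rerun without -Audit.
#>
param(
    [switch]$Audit,        # put ASR rules in AuditMode instead of Enabled
    [switch]$KeepSpooler   # leave the Print Spooler alone on workstations that print
)

# 1. ASR rules that cut the usual "Office document -> script -> payload" chain.
#    GUIDs are Microsoft's published rule IDs; verify them against the current ASR
#    reference before rollout.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
$action = if ($Audit) { 'AuditMode' } else { 'Enabled' }
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
}

# 2. Office: refuse to run VBA in files that carry the Mark of the Web (downloaded or
#    received by email). Office has blocked these by default since 2022; the policy value
#    stops users from unblocking the file. Written to HKCU here, so it covers the current
#    user only; deploy through GPO or Intune for the fleet.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# 3. Print Spooler: a remote-code-execution surface a non-printing workstation does not need.
if (-not $KeepSpooler) {
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service -Name Spooler -StartupType Disabled
}

# 4. Report. Constrained Language Mode is not a setting you turn on: it is what PowerShell
#    falls into under a WDAC (App Control) or AppLocker policy that does not trust
#    powershell.exe, so only the check is shown here.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
$pref = Get-MpPreference
$report = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    if ($asrRules.ContainsKey($id)) {
        [pscustomobject]@{ Rule = $asrRules[$id]; Action = $actionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]] }
    }
}
$report | Format-Table -AutoSize
"Spooler start type        : $((Get-Service -Name Spooler).StartType)"
"Language mode, new session: $(powershell.exe -NoProfile -Command '$ExecutionContext.SessionState.LanguageMode')"
```

Run it elevated on a pilot group first: the audit pass tells you which line-of-business workflows (mail-merge add-ins, Excel macros that launch other programs) would be broken by "Enabled", and those get an ASR exclusion or a signed-macro exception rather than a blanket rollback of the rule.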

2. Deploy an EDR (Endpoint Detection and Response)

EDR detects suspicious post-click behavior and can automatically isolate a compromised workstation. The IBM 2025 report shows that organizations using AI and automation in their security operations saved an average of $1.9 million per incident and reduced the breach lifecycle by 80 days.

Source: IBM Cost of a Data Breach Report 2025

3. Filter emails upstream

Advanced filtering solutions (Microsoft Defender for Office 365, Proofpoint, Vade Secure) analyze links and attachments in real time and verify sender authentication (SPF, DKIM, DMARC) to detect spoofing of your own and your partners' domains. Publish a DMARC policy of quarantine or reject for your domains so that receiving systems can act on it. Keep in mind that these checks authenticate the domain in the From header; a lookalike domain that the attacker registered and configured correctly passes all three.
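The following function is an added example, not the page's code or any vendor's: it reads the Authentication-Results header that the receiving mail system wrote (the RFC 8601 format used by Exchange Online, Postfix with OpenDMARC, and others) and decides whether the From domain is backed by an aligned SPF or DKIM pass. The three messages at the bottom are constructed samples, and the "last two labels" rule for the organizational domain is a simplification of what DMARC does with the Public Suffix List.

```powershell
# Added example (not the page's code): evaluate SPF/DKIM/DMARC results and DMARC
# alignment from a message's raw headers. Sample headers below are constructed.
function Get-HeaderValue {
    param([string]$RawHeaders, [string]$Name)
    # Unfold RFC 5322 continuation lines (a line break followed by whitespace).
    $unfolded = $RawHeaders -replace "\r?\n[ \t]+", ' '
    foreach ($line in ($unfolded -split "\r?\n")) {
        if ($line -match "^$Name\s*:\s*(.*)$") { return $Matches[1] }
    }
    return $null
}

function Get-OrgDomain {
    param([string]$Domain)
    # DMARC relaxed alignment compares organizational domains. Real code uses the
    # Public Suffix List; keeping the last two labels is this example's simplification.
    $labels = $Domain.ToLower().Trim().TrimEnd('.') -split '\.'
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Test-SenderAuthentication {
    param([string]$RawHeaders)
    $from = Get-HeaderValue -RawHeaders $RawHeaders -Name 'From'
    $fromDomain = if ($from -match '@([A-Za-z0-9.-]+)') { $Matches[1].ToLower() } else { $null }
    $ar = Get-HeaderValue -RawHeaders $RawHeaders -Name 'Authentication-Results'

    $spf   = if ($ar -match 'spf=(\w+)')   { $Matches[1] } else { 'none' }
    $dkim  = if ($ar -match 'dkim=(\w+)')  { $Matches[1] } else { 'none' }
    $dmarc = if ($ar -match 'dmarc=(\w+)') { $Matches[1] } else { 'none' }
    # smtp.mailfrom is the envelope sender (a full address or just its domain);
    # header.d is the DKIM signing domain.
    $mailFrom = if ($ar -match 'smtp\.mailfrom=(?:[^@;\s]+@)?([A-Za-z0-9.-]+)') { $Matches[1].ToLower() } else { $null }
    $dkimD    = if ($ar -match 'header\.d=([A-Za-z0-9.-]+)') { $Matches[1].ToLower() } else { $null }

    $org = Get-OrgDomain $fromDomain
    $spfAligned  = ($spf -eq 'pass')  -and $mailFrom -and ((Get-OrgDomain $mailFrom) -eq $org)
    $dkimAligned = ($dkim -eq 'pass') -and $dkimD    -and ((Get-OrgDomain $dkimD) -eq $org)

    [pscustomobject]@{
        FromDomain  = $fromDomain
        SPF         = $spf;  SPFAligned  = [bool]$spfAligned
        DKIM        = $dkim; DKIMAligned = [bool]$dkimAligned
        DMARC       = $dmarc
        # An aligned pass proves the From domain authorised this message. It does not
        # prove the From domain is the one the reader thinks it is.
        AlignedPass = [bool]($spfAligned -or $dkimAligned)
    }
}

# Constructed sample headers (not real messages).
$legit = @"
From: Accounts Payable <ap@example.com>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com header.s=s1; dmarc=pass action=none header.from=example.com
"@
$spoofed = @"
From: CEO <ceo@example.com>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bulk-relay.example.net;
 dkim=none; dmarc=fail action=quarantine header.from=example.com
"@
$lookalike = @"
From: CEO <ceo@examp1e.com>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=examp1e.com;
 dkim=pass header.d=examp1e.com header.s=k1; dmarc=pass action=none header.from=examp1e.com
"@
$legit, $spoofed, $lookalike | ForEach-Object { Test-SenderAuthentication -RawHeaders $_ } | Format-Table -AutoSize
```

Filtering products run this check (and much more) for you; the value of doing it by hand is seeing the third message pass. The attacker owns examp1e.com, published its SPF record and signed with its own DKIM key, so SPF, DKIM and DMARC all say "pass". Authentication is not trust; the lookalike domain has to be caught by a separate check or by the user reporting it.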

4. Raise awareness and test regularly

Quarterly phishing simulation campaigns measure team resilience. Training does little to move the click rate, but it does move the reporting rate: the Verizon DBIR 2025 notes that organizations investing in regular training see a reporting rate four times higher. Every reported email is a free security alert, and an early report is what lets the security team pull the same message out of every other mailbox before someone else clicks.


5. Implement multi-factor authentication (MFA)

Even if credentials are stolen via a phishing page, MFA prevents attackers from using them on their own. Microsoft reports that MFA blocks more than 99.9% of account compromise attacks. However, push-based and one-time-code MFA can be bypassed by techniques that are gaining ground: prompt bombing (MFA fatigue) and adversary-in-the-middle phishing kits that relay the login and steal the resulting session token. The 2025 DBIR notes that 14% of incidents involve prompt bombing. Prefer phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) for administrators and finance roles first, and enable number matching on push prompts everywhere else.

Sources: Microsoft Digital Defense Report 2024 — Verizon DBIR 2025

Frequently asked questions about spear phishing

What is the difference between phishing and spear phishing?

Phishing is a mass attack involving a generic message sent to thousands of recipients. Spear phishing is a targeted attack: the attacker personalizes their message using specific information about the victim (name, position, current projects, hierarchy). Spear phishing is much harder to detect and, because it targets people who can move money or approve access, tends to cost more: IBM 2025 puts the average breach that starts with phishing at $4.8 million.

How can you recognize a spear phishing email?

Key indicators: a sender domain that differs from the real one by a single character (e.g., firstname-lastname@entreprlse.com, where a lowercase L replaces the i of entreprise.com), a display name that matches a colleague while the address does not, an unusual sense of urgency, a request to transfer money or share login details, and an unexpected attachment or a link to a login page. Please note: with generative AI, spelling mistakes have disappeared from spear phishing emails, so their absence proves nothing.
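The following function is an added example, not the page's code: it scores a sender domain against the domains you actually do business with and names the trick used (homoglyph, typosquat, embedded brand, TLD swap). The confusable-character map, the edit-distance threshold of 2 and the "first label" comparison are assumptions chosen for illustration; production tooling should use the Unicode confusables table and the Public Suffix List. The trusted list and the sender domains at the bottom are constructed.

```powershell
# Added example (not the page's code): lookalike-domain detection for the
# "slightly modified sender address" indicator. Thresholds and the map are assumptions.
function ConvertTo-ConfusableForm {
    param([string]$Domain)
    # Fold characters that look alike on screen onto one representative, so that
    # "entreprlse" (lowercase L for i) and "entreprise" compare equal.
    $d = $Domain.ToLower() -replace 'rn', 'm' -replace 'vv', 'w'
    $single = @{ '0' = 'o'; '1' = 'l'; 'i' = 'l'; '|' = 'l'; '5' = 's'; '3' = 'e'; '8' = 'b'; '9' = 'g'; '2' = 'z'; 'q' = 'g' }
    $out = foreach ($c in $d.ToCharArray()) {
        $s = [string]$c
        if ($single.ContainsKey($s)) { $single[$s] } else { $s }
    }
    return -join $out
}

function Get-EditDistance {
    param([string]$A, [string]$B)
    # Levenshtein distance with two rolling rows.
    $prev = [int[]](0..($B.Length))
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = [int[]]::new($B.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function Test-LookalikeDomain {
    param([string]$SenderDomain, [string[]]$TrustedDomains)
    $sender = $SenderDomain.ToLower().TrimEnd('.')
    foreach ($trusted in $TrustedDomains) {
        $t = $trusted.ToLower()
        $tName = $t.Split('.')[0]
        $verdict = $null
        if ($sender -eq $t -or $sender.EndsWith(".$t")) { $verdict = 'trusted' }
        elseif ((ConvertTo-ConfusableForm $sender) -eq (ConvertTo-ConfusableForm $t)) { $verdict = 'homoglyph' }
        elseif ((Get-EditDistance $sender $t) -le 2) { $verdict = 'typosquat' }          # threshold: assumption
        elseif ($sender.Contains($t) -or $sender.Contains("$tName-")) { $verdict = 'embedded' }
        elseif ($sender.Split('.')[0] -eq $tName) { $verdict = 'tld-swap' }
        if ($verdict) { return [pscustomobject]@{ Sender = $sender; Trusted = $t; Verdict = $verdict } }
    }
    return [pscustomobject]@{ Sender = $sender; Trusted = $null; Verdict = 'unrelated' }
}

# Constructed trusted list and sender domains.
$trusted = 'entreprise.com', 'example.com'
'mail.entreprise.com', 'entreprlse.com', 'examp1e.com', 'exarnple.com', 'example.co', 'example.com-login.net', 'example.net', 'unrelated.org' |
    ForEach-Object { Test-LookalikeDomain -SenderDomain $_ -TrustedDomains $trusted } | Format-Table -AutoSize
```

Run the same check against the domain in the Reply-To header and against any domain inside the message's links, not only the From address: the classic CEO-fraud message uses a plausible From and a different Reply-To.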

How can you protect your business from spear phishing?

Five priority measures: harden workstations (block macros, restrict PowerShell), deploy EDR to detect post-click behavior, filter emails upstream (DMARC, DKIM, SPF), raise awareness and test employees through quarterly simulations, and deploy MFA on all critical accounts.

Is employee training enough to combat spear phishing?

No. According to the Verizon DBIR 2025, the average click rate on phishing simulations remains around 1.5%, and this rate is not significantly reduced by training. Awareness is necessary but insufficient. This is why technical hardening of workstations is essential: it blocks exploitation even when an employee clicks.

What should you do if an employee clicks on a spear phishing link?

Immediately isolate the workstation from the network (a deployed EDR can do this automatically), reset the user's password and revoke active sessions and refresh tokens (a phishing proxy may hold a valid session that survives a password change), alert the IT team or security provider, and check sign-in and Security logs for the account being used from other hosts, which indicates lateral movement. Pull the same message from every other mailbox that received it. Document the timeline: if the company is in scope of NIS2, the early warning is due within 24 hours of becoming aware of a significant incident and the incident notification within 72 hours.
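The following script is an added example, not the page's code: it runs the "check logs for lateral movement" step over Windows Security events, flagging network or RDP logons with the compromised account (event 4624, logon types 3 and 10) and explicit-credential logons the account made toward other systems (event 4648). The event IDs and field names are the real Security log schema; the four events and the host and account names are constructed so the script runs offline, and the comment at the end shows how to feed it the real log.

```powershell
# Added example (not the page's code): lateral-movement candidates for a compromised
# account, from Windows Security events. The sample events are constructed.
function ConvertFrom-SecurityEventXml {
    param([string]$Xml)
    $x = [xml]$Xml
    $eid = $x.Event.System.EventID
    if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.InnerText }   # element carrying attributes
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Id       = [int]$eid
        Time     = [datetime]$x.Event.System.TimeCreated.SystemTime
        Computer = $x.Event.System.Computer
        Data     = $data
    }
}

function Find-LateralMovementCandidates {
    param([string[]]$EventXml, [string]$Account, [datetime]$Since)
    $events = $EventXml | ForEach-Object { ConvertFrom-SecurityEventXml $_ }
    foreach ($e in ($events | Where-Object { $_.Time -ge $Since })) {
        $d = $e.Data
        switch ($e.Id) {
            4624 {
                # Network (3) and RDP (10) logons with the account are inbound uses of its
                # credentials; interactive (2) and unlock (7) are normal desktop use.
                if ($d.TargetUserName -eq $Account -and $d.LogonType -in @('3', '10')) {
                    [pscustomobject]@{ Time = $e.Time; Host = $e.Computer; Account = $Account
                                       Finding = "inbound logon type $($d.LogonType)"; Peer = $d.IpAddress }
                }
            }
            4648 {
                # Explicit-credential logon: the account on this host presented credentials
                # to reach another system (net use, PsExec, WinRM, runas ...).
                if ($d.SubjectUserName -eq $Account) {
                    [pscustomobject]@{ Time = $e.Time; Host = $e.Computer; Account = $Account
                                       Finding = "outbound credentials as $($d.TargetUserName)"; Peer = $d.TargetServerName }
                }
            }
        }
    }
}

# Constructed sample events (the namespace and field names are the real schema).
$e1 = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2026-02-12T09:02:11Z"/><Computer>WS-042.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">j.doe</Data><Data Name="LogonType">2</Data><Data Name="IpAddress">127.0.0.1</Data></EventData></Event>
"@
$e2 = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2026-02-12T09:14:03Z"/><Computer>WS-042.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">j.doe</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.57</Data><Data Name="WorkstationName">WS-117</Data></EventData></Event>
"@
$e3 = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4648</EventID><TimeCreated SystemTime="2026-02-12T09:20:41Z"/><Computer>WS-042.corp.example</Computer></System>
<EventData><Data Name="SubjectUserName">j.doe</Data><Data Name="TargetUserName">svc-backup</Data><Data Name="TargetServerName">FILESRV01.corp.example</Data><Data Name="ProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data></EventData></Event>
"@
$e4 = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2026-02-12T09:30:00Z"/><Computer>WS-042.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">a.smith</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.12</Data></EventData></Event>
"@
$sampleEvents = $e1, $e2, $e3, $e4

$since = [datetime]'2026-02-12T09:00:00Z'   # time of the click, from the user's report
Find-LateralMovementCandidates -EventXml $sampleEvents -Account 'j.doe' -Since $since | Format-Table -AutoSize

# Against a real host, replace the samples with the Security log:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4648; StartTime = $since } |
#       ForEach-Object { $_.ToXml() }
```

Only the 09:14 network logon and the 09:20 explicit-credential logon come out; the interactive logon and the other user's activity are filtered. In practice the same function is run over events collected centrally from every host, since a network logon with the stolen account shows up on the destination machine, not on the one that was phished.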
