We use cookies on this website.

By clicking "Accept," you agree to the storage of cookies on your device to improve your browsing experience, analyze site usage, and contribute to our marketing efforts. See our privacy policy for more information.

Cybersecurity

Spear phishing: detecting and protecting your business [2026 Guide]

Spear phishing is the leading cause of security breaches in businesses. Learn how to recognize these targeted attacks, train your teams, and strengthen your defenses to block them.

Spear phishing: detecting and protecting your business [2026 Guide]

What is spear phishing?

Spear phishing is a form of targeted phishing where the attacker personalizes their message for a specific person or group within a company. Unlike traditional phishing, which is sent out en masse with a generic message, spear phishing relies on information collected about the target: name, position, current projects, hierarchy, communication habits. The result is a highly credible email that is often undetectable by traditional spam filters.

According to the Verizon DBIR 2025, phishing remains the third most common initial access vector (16% of breaches), but its average cost is among the highest: $4.8 million per incident according to IBM (Cost of a Data Breach Report 2025). The IBM 2025 report also reveals that 16% of breaches now involve attackers using AI, mainly for phishing (37% of cases) and deepfake identity theft (35%).

Sources: Verizon DBIR 2025 — IBM Cost of a Data Breach Report 2025

How does a spear phishing attack work?

Phase 1: Recognition

The attacker collects information via LinkedIn, the company's website, social media, and sometimes previous data leaks. They identify decision-makers, reporting lines, and ongoing projects. The Verizon DBIR 2025 notes that third-party involvement in breaches has doubled in one year (30% of breaches), providing attackers with even more data to personalize their messages.

Phase 2: Social engineering

The email is written to imitate a trusted sender: a supervisor (CEO fraud), a supplier, or a partner. The message creates a sense of urgency or legitimacy and encourages the recipient to open an attachment, click on a link, or transfer funds. In 2025, generative AI makes these messages grammatically perfect and contextualized, eliminating the classic clues (spelling mistakes, awkward phrasing).

Phase 3: Operation

If the target clicks, several scenarios are triggered: execution of a malicious macro in an Office document, downloading of malware via PowerShell, redirection to a fake login page to steal credentials. The Verizon DBIR 2025 indicates that 88% of attacks against web applications involve stolen credentials. This is where workstation hardening makes a difference: a hardened workstation blocks the majority of these exploitation vectors.

Source: Verizon DBIR 2025

Find our solutions for protecting workstations and mobile devices

How can you detect a spear phishing attack?

Detecting a spear phishing email is difficult because it is designed to look like a legitimate message. Here are the warning signs to watch out for:

The sender's address: check the exact domain, not just the name displayed. An email from "itsystemes" is not an email from IT Systems. Similar domains (typosquatting) are the first indicator.

The sense of urgency: "Please confirm this transfer before 2 p.m.," "Your account will be suspended in one hour." Spear phishing systematically plays on urgency to bypass critical thinking.

Unexpected attachments: a .docm (macro), .zip, .iso, or .html file attached to an unsolicited email is a major red flag, even if the sender appears to be known.

Suspicious links: hover over them without clicking. The displayed URL and the actual URL (in the status bar) must match the expected domain.

Unusual requests: Any request to change bank details, passwords, or transfer sensitive files must be verified through another channel (phone, in person).

When in doubt, the right thing to do is to report the email to your IT team rather than trying to determine its legitimacy on your own. The Verizon DBIR 2025 shows that organizations investing in reporting training see a detection rate four times higher.

Why hardening is your best technical defense against spear phishing

User awareness is necessary but insufficient. According to the Verizon DBIR 2025, the average click-through rate on phishing simulations remains around 1.5% (median), and the report states that "the failure rate is not affected by training." In other words, even the best-trained employees end up clicking. The question is not IF someone will click, but WHEN.

This is why technical protection of the workstation is essential. Hardening blocks the exploitation chain after the click: Office macros from the Internet are blocked, PowerShell is in Constrained Language Mode, ASR (Attack Surface Reduction) rules prevent untrusted files from running, and the Print Spooler is disabled on workstations that do not print. Even if the user clicks, malware cannot run on a hardened workstation.

Source: Verizon DBIR 2025

If you would like to learn more, check out the complete guide to Windows hardening.

5 steps to protect your business from spear phishing

Protection against spear phishing relies on a multi-layered approach: technical hardening of workstations, email filtering, behavioral detection, and user awareness. No single anti-phishing solution is sufficient.

1. Hardening workstations

Block unsigned macros, restrict PowerShell, enable ASR rules, disable unnecessary services. This is the most effective measure because it neutralizes exploitation even when human prevention fails. Ransomware, often triggered by a spear phishing email, now appears in 44% of breaches according to the Verizon DBIR 2025, up from 32% the previous year.

Source: Verizon DBIR 2025

2. Deploy an EDR (Endpoint Detection and Response)

EDR detects suspicious post-click behavior and can automatically isolate a compromised workstation. The IBM 2025 report shows that organizations using AI and automation in their security operations saved an average of $1.9 million per incident and reduced the breach lifecycle by 80 days.

Source: IBM Cost of a Data Breach Report 2025

3. Filter emails upstream

Advanced filtering solutions (Microsoft Defender for Office 365, Proofpoint, Vade Secure) analyze links and attachments in real time and detect identity theft attempts (DMARC, DKIM, SPF).

4. Raise awareness and test regularly

Quarterly phishing simulation campaigns measure team resilience. While click rates are impossible to reduce, reporting rates can be improved: the Verizon DBIR 2025 notes that organizations investing in regular training see a reporting rate four times higher. Every email reported is a free security alert.

Discover our expertise in auditing, pentesting, and corporate phishing campaigns.

5. Implement multi-factor authentication (MFA)

Even if credentials are stolen via a phishing page, MFA prevents attackers from accessing accounts. Microsoft reports that MFA blocks more than 99% of password attacks. However, beware of MFA bypass techniques (prompt bombing, token theft) that are gaining ground: the 2025 DBIR notes that 14% of incidents involve prompt bombing.

Sources: Microsoft Digital Defense Report 2024 — Verizon DBIR 2025

Frequently asked questions about spear phishing

What is the difference between phishing and spear phishing?

Phishing is a mass attack involving a generic message sent to thousands of recipients. Spear phishing is a targeted attack: the attacker personalizes the message using specific information about the victim (name, job title, current projects, organizational hierarchy). Spear phishing is much harder to detect and more costly: $4.8 million per incident, according to IBM 2025.

How can you spot a spear-phishing email?

Key indicators: a slightly altered sender address (e.g., nom-prenom@entreprlse.com instead of company.com), an unusual sense of urgency, a request for a wire transfer or to share login credentials, or an unexpected attachment. Note: With generative AI, spelling mistakes have disappeared from spear-phishing emails.

How can you protect your business from spear phishing?

Five priority measures: harden workstations (block macros, restrict PowerShell), deploy an EDR solution to detect post-click behavior, filter emails at the source (DMARC, DKIM, SPF), raise employee awareness and test them through quarterly simulations, and implement MFA for all critical accounts.

How can I tell if my company is vulnerable to spear phishing?

An IT security audit assesses both the technical resilience of your workstations (macros, PowerShell, ASR rules) and human vulnerability through simulation campaigns. This is the first step in identifying vulnerabilities exploited by spear phishing.

Is employee training enough to combat spear phishing?

No. According to the 2025 Verizon DBIR, the average click-through rate for phishing simulations remains around 1.5%, and training does not significantly reduce this rate. Awareness is necessary but not sufficient. That is why technical hardening of workstations is essential: it prevents exploitation even when an employee clicks on a link.

What should you do if an employee clicks on a spear-phishing link?

Immediately isolate the workstation from the network, change compromised credentials, alert the IT team or security provider, and check connection logs to detect lateral movement. If EDR is deployed, it can automatically isolate the workstation. Document the incident for the NIS2 report if the company is affected.

Our latest articles

See more
software
Development & automation

"I'm afraid to install software"

In 1996, I took my first steps in computing on an Excel spreadsheet where I filed cheat codes for my favorite video games. 🕹️Le the beginning of a passion for office tools (to each his own 😅 ). There were 3,000 machines connected to the internet! 😶 But what happened next?
July 3, 2026
fishing
Cybersecurity

Phishing 2026: Definition, Examples, and Protection for Small and Medium-Sized Businesses (Comprehensive Guide)

Spear phishing, BEC, voice deepfakes: why training alone isn’t enough, the true cost of an incident (€275,000), and the security measures that will work in 2026
June 26, 2026
backup-vs-retention
Cloud & infrastructure

Comparing backup VS retention

Backup VS retention: here's the match everyone's been waiting for!!!! 🥊 (okai not at all but I needed a catchy title..🤫)
July 3, 2026