Spear Phishing Scam Prevention Tips for Consumers & Merchants
In a Nutshell
Ever get an email from a friend or coworker that just didn’t feel right, but made it super clear that you needed to click a link or download an attachment? Good chance that was a spear phishing attempt. This article will teach you everything you need to know about spear phishing, including what it is, how you might be targeted, and how to avoid becoming a victim.
Fraud Isn’t Personal… but Spear Phishing Might as Well Be.
Most of the time, when a fraudster decides to target a business, they’re not going after you — at least, not you in particular.
For many bad actors, illegal activity is a numbers game. Send enough phishing emails, test enough card numbers, or install enough card skimmers, and you’re likely to break into at least one account, even if the odds are slim.
Some sophisticated scammers, however, take a different approach. Instead of taking a “spray and pray” approach, they identify one or more high-value targets — like eCommerce merchants — and then launch highly personalized attacks aimed at defeating the target’s known vulnerabilities. In these so-called spear phishing attacks, bad actors really are out to get you, specifically.
Phishing
Phishing involves a scammer attempting to deceive unsuspecting victims into voluntarily divulging sensitive information. An estimated 90% of cyberattacks begin with a phishing attempt. Here’s what you need to know about these attacks and how you can protect yourself.
What is Spear Phishing?
Spear Phishing [noun] /spēr • fiSH • iNG/
Spear phishing is a targeted version of phishing. Attackers focus on specific individuals or organizations, typically through misleading emails. The goal is to obtain confidential information, such as login credentials, or plant malware on the victim's device.
Some phishing tactics can be conducted as mass campaigns. The scammer casts a wide net by sending as many messages as possible, hoping to catch a number of “phish.” The rate of success is fairly low, but at least a few people will probably fall for it.
In contrast, spear phishers don’t attack at random. They invest time researching their targets, tailoring their deceptive messages to resemble communications from known and trusted sources. This makes the target much more likely to fall for the trick.
Scammers craft emails designed to trick the recipient into clicking on malicious links or attachments. Once the person falls for the bait, the assailant can capture the legitimate user's details and infiltrate a system without detection.
| | Untargeted Phishing | Spear Phishing |
|---|---|---|
| Target | A broad range of potential victims | Specific individuals |
| Objective | Gather data like passwords or card numbers from anyone who falls for the scam | Extract sensitive details, such as login information |
| Focus | Generalized email content, often with generic greetings | Emails are meticulously tailored using information specific to the target |
| Purpose | Gain a broad range of data from multiple victims, though each might be of lower individual value | High-value information from a single source to maximize the impact of each attack |
How Do Spear Phishing Attacks Work?
Spear phishing attacks rely on a blend of research, deception, and social engineering to effectively target specific individuals or organizations. Here's a breakdown of how these attacks generally work:
Common Spear Phishing Attack Vectors
Spear phishing methods are diverse and can cross multiple channels, ranging from executive impersonation and malware attachments to multi-channel attacks like SMS-based attacks and impersonated phone calls and voicemails.
Spear phishing attacks target both individuals and businesses.
In attacks aimed at individuals, fraudsters impersonate trusted entities like banks or renowned brands like Amazon. They send deceptive messages like “transaction confirmations” or “shipping notices.” In more business-focused attacks, a scammer may target a few employees, mimicking a superior and urging them to transfer funds or disclose sensitive information.
Here are some prevalent spear phishing methods:
Knowing how you might be targeted is a great first step toward preparing an effective fraud prevention strategy.
How Big of a Threat is Spear Phishing? 2024-2025 Statistics
Only about 1 in 1,000 phishing emails sent is a spear phishing email. But, although spear phishing attacks are rare, the highly targeted nature of these attacks means that they are much more likely to succeed.
- 0.1%: spear phishing emails as a share of all phishing emails sent (Source: FCCN)
- [figure missing]: portion of successful data breaches that start with spear phishing attacks (Source: KnowBe4)
- [figure missing]: portion of traditional, non-targeted phishing emails that are opened (Source: GÉANT Association)
- [figure missing]: portion of spear phishing emails that are opened (Source: GÉANT Association)
- 5 per day: spear phishing emails received by a typical organization (Source: Barracuda Networks)
- [figure missing]: share of large organizations that report being targeted by spear phishing campaigns (Source: StationX)
In a sense, spear phishing can be thought of as a rare but highly deadly disease, like the Black Death. Some businesses, especially smaller ones, are unlikely to ever encounter a spear phishing attack. For those unlucky enough to be ensnared in an attack, however, the consequences can be dire.
Business email compromise (BEC) or “CEO fraud” scams, for example, are a type of spear phishing attack in which fraudsters embed themselves in an organization, masquerade as a top executive, and gain the trust of rank-and-file employees. These sophisticated attacks can lead to millions of dollars in losses.
In 2024, the Orion Chemical Company suffered a $60 million loss from a single spear phishing attack involving “fraudulently induced outbound wire transfers to accounts controlled by unknown third parties.” To put this staggering sum into context, the company earned just $100 million in net income on $1.9 billion in revenue the previous year.
To make matters worse, bad actors often reserve spear phishing campaigns for the most valuable targets: businesses.
Unlike consumers, who may have five or six figures at stake (at most), corporate treasuries routinely hold millions or even hundreds of millions of dollars. This means that a single successful attack can yield a life-changing windfall for an attacker — and a life-changing loss for the targeted business.
Spear Phishing Examples: Case Studies of High-Profile Spear Phishing Attacks
Given the relative rarity of spear phishing attacks, it’s tempting to think that you can mark yourself safe from this form of fraud by default. But, a cavalier attitude, no matter how uncommon these attacks are, is going to leave you vulnerable.
Below, I’ve highlighted a few high-profile spear phishing cases so that you can understand the tactics and technical vectors behind modern scams.
In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, suffered a catastrophic breach that paralyzed prescription processing nationwide. Here, a Russia-linked ransomware-as-a-service group named ALPHV/BlackCat used compromised credentials to access a Citrix portal.
Once inside, the fraudsters seized the Protected Health Information (PHI) of millions of customers. Change Healthcare was forced to pay a $22 million ransom to the cybercriminal group to restore access to claims processing, pharmacy transactions, and other workflows for providers.
Between 2013 and 2015, a Lithuanian man named Evaldas Rimasauskas successfully stole over $100 million from tech giants such as Facebook and Google.
The scam was sophisticated and targeted. Rimasauskas registered a company in Latvia with the same name as a legitimate Asian hardware manufacturer, Quanta Computer, and sent specific, convincing spear phishing emails with fake invoices to the companies’ accounts payable teams. By conducting deep research on the companies’ vendor relationships, he was able to evade scrutiny and avoid triggering any back-channel verification.
The takeaway for merchants? Never process a change in vendor banking details based solely on an email request. Also, use multiple established lines of communication to verify the change with the vendor before proceeding.
In late 2024, threat actors began abusing legitimate APIs from trusted platforms like DocuSign to bypass email filters. By creating authentic accounts on these platforms, attackers could send invoices impersonating brands like Norton and PayPal that came from actual docusign.net domains.
The prevalence of these spoofing attacks means that merchants should not blindly trust emails that appear to come from reputable service providers. Instead, recipients should always independently verify the content inside the email before taking any action.
Sophisticated threat actors, such as the Russian state-sponsored Star Blizzard cyberwarfare group, have evolved beyond simple spear phishing emails. The group exploits channels that were historically ignored by scammers, such as QR codes.
In late 2024, the group was accused of sending PDF attachments containing malicious QR codes that, when scanned, directed targets to WhatsApp or mobile browsers to complete a login process. By moving the attack from a protected desktop email environment to a less-secure personal mobile device, attackers bypass corporate firewalls, highlighting the need for security awareness that extends to every department and every communication channel.
Spear Phishing Attacks That Target Your Business
When fraudsters turn their sights on your internal operations, they are typically looking to access sensitive financial and other proprietary data. Common spear phishing attacks that target your business include:
Common “red flags” suggesting that your business might’ve been targeted for a spear phishing attack include:
Unexpected Requests
Most genuine companies or friends won't ask for sensitive info like passwords or bank details via email or text. If you get a request like this, contact the other party directly through another method to verify.
Process Circumvention
The message explicitly asks to skip established financial approval workflows or documentation.
Suspicious Email Address
Keep an eye out for sneaky email addresses. They might look almost right, but have a small typo. If you’re expecting an email from “JaneDoe@shopworld.com,” but receive one from “JaneDoe@shopword.com” instead, that's your cue to be cautious.
Timing & Context Exploitation
Requests made after hours, on holidays, or precisely when the genuine sender is known to be traveling or unavailable.
Rush Tactics
Scammers love to rush their targets; it gives you less time to think and potentially realize that the story they’re telling doesn’t add up. For instance, threats of account closures or offers that sound too good and are “ending soon.” Take a moment and think before clicking.
Strange Links or Attachments
Curiosity killed the cat, right? So, before you click on that tempting link or download that attachment, hover over it to see where it really leads. If something seems off or it's from an unknown source, it's best to avoid it.
Odd Language or Spelling Errors
Got an email that just doesn’t sound right? Maybe it's full of typos, or it's strangely formal or informal? It’s worth double checking before taking any action prompted in the email.
Secrecy or Exclusivity
Requests to withhold information from the team or bypass normal reporting channels (e.g. “Don’t mention this to anyone else”).
Beyond the immediate theft, a successful breach triggers a cascade of legal headaches, requiring you to navigate complex data breach notification laws or pay potential fines.
Spear Phishing Attacks That Target Your Customers
Sometimes, you aren’t the mark; you’re the lure instead. In spear phishing attacks that target your customers, bad actors spoof your brand to trick your loyal customers, leaving you to clean up the reputational mess. Tactics and harms include:
Common “red flags” suggesting that your customers might’ve been targeted for a spear phishing attack include:
Customer Reports
Customers report receiving suspicious emails or texts that appear to be from your brand.
Service Inquiry Spike
Sudden increase in customer support inquiries about fake orders or unexpected account alerts.
Domain Squatting or Social Spoofing
Discovery of “lookalike” domains that copy your site, or fake social media accounts or ads impersonating your business.
Executive Domain Swap
Emails from high-level staff using slight domain variations or personal email addresses for urgent matters.
Unexpected Password Reset
Employee accounts receive password reset requests they did not initiate.
Phantom Communications
Colleagues mention receiving strange communications, like meeting invites or files, that they were told you sent, but you did not.
How to Protect Your Business Against Spear Phishing
Spear phishing relies on customized social engineering rather than technical loopholes. So, standard firewalls are often insufficient.
To protect your business, you’ll need a multilayered defense strategy that addresses both the human element and the technical infrastructure so that it becomes significantly harder for an attacker to leverage the personal information they have gathered. I recommend that you:
Multi-factor authentication ensures that an attacker cannot access the account without a second factor, even if they have compromised a password. However, not all MFA is created equal. SMS-based codes, for example, are vulnerable to smishing and SIM swapping attacks. Phishing-resistant second factors like hardware security keys and passkeys are the safest choice, and authenticator app-based codes are at least a step up from SMS.
Mandate MFA for every entry point, including email and third-party vendor portals. You can even consider extending it to customer accounts to reduce their exposure to account takeover fraud.
Establish strict verification protocols. If you get a request to change payment info via email, never verify it by replying to that email or calling the number in the signature. Instead, initiate contact over an alternate communication channel: for example, call the contact at a known number already on file, or set up a video call.
For high-value wire transfers, require multiple layers of review, and have separate employees on different teams review and approve the transaction before funds are released.
Standard spam filters often miss spear phishing because these emails lack malicious payloads and seemingly come from reputable domains. To prevent attackers from spoofing your domain to trick your employees or customers, implement protocols, specifically DMARC, SPF, and DKIM.
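To make the three protocols concrete, here is an added example (not code from the original article) of how a receiving mail server combines them. SPF and DKIM each authenticate a domain; DMARC then checks whether that authenticated domain is aligned with the domain in the visible From header and, if neither passes, applies the policy the sender published. The DNS records and domains below are constructed sample values, and the organizational-domain helper is a simplification of what real implementations do with the Public Suffix List.

```python
"""Evaluate a DMARC policy the way a receiving server would (added example).

Inputs: the DMARC TXT record published at _dmarc.<domain>, the domain in the
message's From header, and the SPF / DKIM results with the domains they
authenticated. Output: DMARC pass/fail and the disposition the record asks for.
Subdomain policy (sp=) and sampling (pct=) are left out for brevity.
"""

# Constructed sample records: a monitor-only policy next to a hardened one.
# p=none lets spoofed mail through and only asks for reports; p=reject tells
# receivers to discard mail that fails alignment.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@shopworld.example"
STRONG_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@shopworld.example"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs, applying the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Crude organizational-domain reduction (last two labels).

    Assumption for this example: a one-label public suffix. Production code
    must consult the Public Suffix List (e.g. 'co.uk' is a suffix, not an org).
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') requires an exact match,
    relaxed ('r') accepts any subdomain of the same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def evaluate(record: str, from_domain: str, spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str) -> dict:
    """Return DMARC pass/fail plus the disposition the sender's policy requests."""
    tags = parse_dmarc(record)
    # SPF authenticates the envelope sender (MAIL FROM) domain.
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    # DKIM authenticates the d= domain in the signature.
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {"dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else tags["p"]}


if __name__ == "__main__":
    # A spoof: From claims shopworld.example, but SPF only passed for attacker.example.
    spoof = ("shopworld.example", "pass", "attacker.example", "none", "")
    print("weak policy  :", evaluate(WEAK_DMARC, *spoof))    # fail, but still delivered
    print("strong policy:", evaluate(STRONG_DMARC, *spoof))  # fail, reject
```

The point to take from the two runs is that publishing SPF and DKIM alone changes nothing for a spoofed message; only the DMARC policy (p=quarantine or p=reject) tells receivers what to do with the failure, and p=none is where most merchants stall.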
You can also consider using machine learning-enabled email security solutions that analyze communication patterns to flag anomalies. Or, tools that use sandboxing to inspect attachments in a contained environment before they reach a live recipient’s inbox.
To harden your team against spear phishing, shift to role-specific simulations. For example, test your finance team with fake but highly believable wire transfer requests from your “CFO,” or expose your customer service team to emails from “customers” demanding refunds via malicious links.
The goal isn’t to deceive your employees, but to build muscle memory. Focus on positive reinforcement for reporting suspicious activity and refrain from punishing those who click during simulations so that your team feels comfortable flagging anomalies.
Spear phishers need personal data to launch their attacks. To limit the ammunition they can use against you, conduct an audit of your digital footprint by taking an inventory of information that’s publicly available about your business. While transparency can help build trust with legitimate customers, exposing information that could be considered proprietary could provide bad actors with hyper-specific details they can use against you.
On that note, train employees on social media privacy. Attackers often target new hires (who are less likely to know protocols), or executives posting about business travel, since this gives bad actors a window for “emergency” scams.
Attackers often register domains that look visually identical to yours to attack your customers. You can combat this by using domain monitoring services that alert you to newly registered lookalike domains. Also, set up Google Alerts for your brand name combined with terms like “scam,” “fraud,” “phishing,” or “spear phishing” to catch malicious campaigns early.
If you detect a fraudulent site, report it immediately to the registrar and the hosting provider to have it taken down before it gains traction.
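The “shopworld” versus “shopword” example from the red-flags section and the lookalike-domain monitoring described above come down to the same check: how close is a candidate name to your brand once the usual tricks are folded away? The following is an added example (not code from the article or any monitoring vendor) that triages a list of domain names against your own domain, normalising common character substitutions and measuring edit distance. The brand domain, the candidate feed and the substitution table are constructed for illustration.

```python
"""Flag domains that look like your brand (added example, defender's tooling).

Feed it the names from a newly-registered-domain feed or from customer reports,
and it returns which ones are your own, which are lookalikes worth reporting
to the registrar, and which are unrelated.
"""

# Single characters commonly swapped for visually similar ones (constructed, not exhaustive).
SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Two-character sequences that read as one letter in many fonts.
MULTI_CHAR = {"rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Fold homoglyphs and drop hyphens so 'shopw0rld' and 'shop-world' compare as 'shopworld'."""
    label = label.lower().translate(SINGLE_CHAR)
    for seq, rep in MULTI_CHAR.items():
        label = label.replace(seq, rep)
    return label.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'shopworld' from 'mail.shopworld.com'.

    Assumption for this example: a one-label public suffix (.com, .net ...).
    Use the Public Suffix List in production to handle suffixes like .co.uk.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(brand_domain: str, candidate: str, max_distance: int = 2) -> str:
    """Return 'own', 'lookalike' or 'unrelated' for one candidate domain."""
    brand_domain = brand_domain.lower()
    cand = candidate.lower().strip(".")
    if cand == brand_domain or cand.endswith("." + brand_domain):
        return "own"
    brand = normalize(registrable_label(brand_domain))
    label = normalize(registrable_label(cand))
    if label == brand:              # homoglyph or TLD swap: shopw0rld.com, shopworld.net
        return "lookalike"
    if brand in label:              # brand embedded: shopworld-support.com
        return "lookalike"
    if levenshtein(label, brand) <= max_distance:   # typo: shopword.com
        return "lookalike"
    return "unrelated"


def triage(brand_domain: str, feed: list) -> list:
    """Classify every domain in the feed; returns (domain, verdict) pairs."""
    return [(d, classify(brand_domain, d)) for d in feed]


if __name__ == "__main__":
    # Constructed sample feed, as it might arrive from a registration-monitoring service.
    feed = ["shopworld.com", "shopword.com", "shopw0rld.com", "shopworld.net",
            "shopworld-support.com", "mail.shopworld.com", "example.org"]
    for domain, verdict in triage("shopworld.com", feed):
        print(f"{domain:25} {verdict}")
```

Tune `max_distance` to the length of your brand label: two edits is generous for a short name like “shop” and would flag unrelated words, so short brands usually want a distance of one plus the homoglyph check. Anything classified as a lookalike is a candidate for the registrar and hosting-provider report the article recommends.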
When an employee realizes they may have been phished, every second counts. That’s why you need to eliminate the hesitation caused by fear of discipline by establishing a clear, blame-free reporting path.
Create a “Report Phishing” button in your email client or an open dedicated Slack channel for immediate reporting. Pre-draft canned communication templates that you can use to notify customers of impersonation attempts so you aren’t writing legal copy while under fire.
Adhere to the Principle of Least Privilege (PoLP). A marketing intern, for example, does not need admin access to the payment gateway. A developer doesn’t need live access to customer credit card data.
By segmenting your network and auditing permissions regularly, you ensure that a single compromised credential can’t grant owner-level access to your entire business.
What to Do If Your Business Is Targeted or Compromised
The fallout from a spear phishing attack can be devastating, but panicking will only add fuel to the fire.
If you detect a spear phishing campaign targeting your staff or your customers, you need a calm, structured response plan to mitigate financial loss and reputational damage.
If a suspicious message lands in your inbox, stop immediately. Don’t reply, click, or even forward the email normally; this can propagate malicious headers or links.
Instead, report it to your IT or security lead via a secure, secondary channel like Slack or an in-person conversation. Preserve the evidence by taking screenshots and saving email headers, which can be useful when the time comes to conduct an internal investigation.
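Once the headers are preserved, the first thing the security lead will do with them is look for the mismatches that give a spear phishing email away. The following is an added example (not code from the article) of that first-pass triage using only the Python standard library: it compares the display name against the real address, checks whether Reply-To diverts replies elsewhere, and reads the receiving server's Authentication-Results header. Both messages, the domains and the known-sender table are constructed for the example.

```python
"""First-pass triage of a reported email's headers (added example).

Given the raw message text an employee saved, return the indicators that
matter most: sender domain, display-name impersonation, Reply-To diversion
and failed SPF/DKIM/DMARC checks recorded by your own mail server.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a CFO impersonation sent from a lookalike domain.
SUSPECT_RAW = """\
From: "Jane Doe (CFO)" <jane.doe@shopword.com>
Reply-To: payments-desk@mail-relay.example
To: accounts@shopworld.com
Subject: Urgent wire before 5pm
Authentication-Results: mx.shopworld.com; spf=pass smtp.mailfrom=shopword.com; dkim=none; dmarc=fail header.from=shopword.com
Date: Fri, 15 Nov 2024 16:42:00 +0000

Please process the attached invoice today and keep this between us.
"""

# Constructed sample: the same sender, genuine this time.
LEGIT_RAW = """\
From: "Jane Doe" <jane.doe@shopworld.com>
To: accounts@shopworld.com
Subject: Q4 budget review
Authentication-Results: mx.shopworld.com; spf=pass smtp.mailfrom=shopworld.com; dkim=pass header.d=shopworld.com; dmarc=pass header.from=shopworld.com
Date: Fri, 15 Nov 2024 09:10:00 +0000

Agenda attached for Monday.
"""


def triage_headers(raw: str, own_domain: str, known_senders: dict) -> list:
    """Return a list of human-readable findings; an empty list means nothing stood out.

    known_senders maps a lowercase display name to the address it should use,
    e.g. {"jane doe": "jane.doe@shopworld.com"} (constructed for the example).
    """
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg["From"] or "")
    addr_domain = addr.rpartition("@")[2].lower()
    if addr_domain != own_domain.lower():
        findings.append(f"external sender domain: {addr_domain}")

    # Display name matches someone we know, but the address behind it does not.
    plain_name = name.split(" (")[0].strip().lower()
    expected = known_senders.get(plain_name)
    if expected and expected.lower() != addr.lower():
        findings.append(f"display name '{name}' expected {expected}, got {addr}")

    # Reply-To pointing somewhere other than the From address sends replies to the attacker.
    reply_to = parseaddr(msg["Reply-To"] or "")[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To diverts replies to {reply_to}")

    # Authentication-Results is written by your own receiving server, so it is trustworthy
    # when the message really came through that server.
    auth = msg["Authentication-Results"] or ""
    for result in ("spf=fail", "dkim=fail", "dmarc=fail"):
        if result in auth:
            findings.append(f"authentication: {result}")
    return findings


if __name__ == "__main__":
    known = {"jane doe": "jane.doe@shopworld.com"}
    for label, raw in (("suspect", SUSPECT_RAW), ("legit", LEGIT_RAW)):
        print(label, triage_headers(raw, "shopworld.com", known) or ["no findings"])
```

None of these findings proves fraud on its own (a legitimate vendor may set Reply-To to a ticketing address), but two or more together, on a message that also asks for a rushed payment or secrecy, is exactly the pattern the red-flag list above describes, and it is enough to justify the password resets and session revocation covered next.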
If the attacker impersonated an internal executive, warn that executive immediately so they know their identity is being spoofed. As a precautionary measure, immediately reset passwords for any account that may have been targeted and force a logout of all active sessions.
If a link was clicked or credentials were entered, pivot to containment as fast as you can. Isolate the affected system by disconnecting the device from the network to prevent contamination, and revoke the compromised credentials immediately.
Assess the scope of the breach. Determine exactly what data the attacker accessed (e.g. customer lists, payment tokens, credit card information, etc.) and for how long.
If the breach involves financial accounts, notify your acquirer and your payment processor immediately to freeze funds. If it involves customer data, document every step and timestamp to satisfy insurance claims and potential law enforcement investigations.
To rebuild trust in the aftermath of a spear phishing attack, you’ll need to be transparent with your staff, vendors, and customers.
Alert all staff to the specific tactics used in the breach to prevent a repeat attack and conduct an immediate security refresher. Externally, if customer data was touched, you’ll need to issue notifications in compliance with data privacy laws. If your brand was simply impersonated, post a clear, public warning on your site and social channels advising customers on what not to click.
Long-term, work with legal counsel to navigate liability. Conduct a post-mortem to close the security gaps that allowed the breach, and use the incident as a catalyst to upgrade your security culture.
Take the Next Step
Guarding against spear phishing is an ongoing task. While the tactics cybercriminals use may evolve, remaining vigilant, informed, and proactive in your digital practices can go a long way in keeping you safe. Remember, always prioritize your digital safety and trust your instincts.
Are you a business owner looking to elevate your fraud prevention efforts? Chargebacks911® can help! Click below for your FREE ROI analysis.
FAQs
What is spear phishing?
Spear phishing is a targeted version of phishing. Attackers focus on specific individuals or organizations, typically through misleading emails. The goal is to obtain confidential information, such as login credentials, or plant malware on the victim's device.
What’s the difference between phishing and spear phishing?
Untargeted phishing attacks are usually more generic in nature. They are sent to a larger pool of potential victims, hoping that even a small percentage will fall for the bait. Emails or messages may not be tailored to the individual. In contrast, spear phishing uses a targeted approach; cybercriminals tailor messages for a specific individual or entity. They often use details from sources like social media or corporate websites to make their deception more convincing.
What does spear phishing look like?
Spear phishing attacks target both individuals and businesses. In attacks aimed at individuals, fraudsters impersonate trusted entities like banks or renowned brands like Amazon to send deceptive messages like “transaction confirmations” or “shipping notices.” In more business-focused attacks, on the other hand, hackers may target a few employees, mimicking their superiors urging them to transfer funds or disclose sensitive information.
Why is spear phishing so popular?
Spear phishing is popular because it's highly effective. Leveraging personalized information increases the likelihood of a victim's response, and often bypasses traditional security measures due to its tailored nature.
Is spear phishing illegal?
Yes, spear phishing is illegal. It involves fraud, unauthorized access to personal information, and often leads to other cybercrimes. Violators can face severe penalties under various cybersecurity and fraud laws.