What is spear phishing?
Spear phishing is a targeted form of phishing aimed at a specific individual, team, or organization, using researched details to make the message believable. Where bulk phishing is a wide net cast at thousands of strangers with a generic lure, spear phishing is a single, carefully crafted message that references your real colleagues, projects, suppliers, and language. That personalization is exactly what makes it dangerous: the message looks like normal business.
The difference is one of effort and intent. Bulk campaigns rely on volume - even a tiny success rate pays off across a million sends. Spear phishing relies on relevance. An attacker may spend hours studying one finance clerk before sending a single email, because that one email can authorize a five- or six-figure transfer. For a broader map of how spear phishing sits alongside smishing, vishing, and other variants, see our overview of the different types of phishing.
How attackers research their targets
Spear phishing begins long before any email is sent. Attackers build a profile of the organization and the specific people who can move money or data, using open-source intelligence (OSINT) - information that is publicly available and perfectly legal to read. The goal is to understand who reports to whom, who approves payments, when key people travel, and how internal messages normally sound.
- LinkedIn and corporate websites reveal names, job titles, reporting lines, and who holds finance, payroll, or procurement authority.
- Press releases, news, and social media expose acquisitions, new suppliers, and the timing of big projects - ideal cover stories for an urgent payment.
- Out-of-office replies and conference posts signal when an executive is travelling and harder to reach for a quick verbal check.
- Leaked credentials and past data breaches provide email formats, passwords to reuse, and sometimes direct access to a real inbox.
- Public invoices, tender documents, and supplier logos help attackers mimic the exact look of a legitimate billing email.
With this picture, the attacker can write a message that fits the target's world. They know the CFO's name, the supplier you actually use, and the phrasing your CEO favors. Increasingly, this research and the drafting itself are accelerated by AI, which makes flawless, localized messages cheap to produce at scale.
What is business email compromise (BEC)?
Business email compromise (BEC) is a fraud in which an attacker impersonates an executive, employee, vendor, or partner - often using a compromised or look-alike account - to trick staff into transferring money or disclosing sensitive data. BEC is where spear phishing turns into financial loss. Instead of stealing a password, the attacker's goal is to get a human being to authorize a payment to the wrong account.
BEC is consistently among the most damaging categories of cybercrime by financial loss. Crucially, many BEC emails contain no malware and no malicious link at all - just text. That is what makes them so effective against technical controls and so dependent on human verification. According to industry incident-response reporting, average fraudulent wire requests in BEC cases run well into the tens of thousands, and cumulative losses are measured in the billions.
The main BEC variants
BEC is not a single trick but a family of related scams. Recognizing the common patterns helps employees feel the wrongness of a request even when the email looks perfect.
CEO fraud
The attacker poses as the CEO or another senior executive and pressures a finance employee into an urgent, confidential wire transfer - often framed as a secret acquisition or a deal that must close today. Authority plus urgency plus secrecy is the classic CEO fraud signature, designed to discourage the employee from checking with anyone.
Fake invoice and vendor impersonation
In invoice fraud, the attacker impersonates a real supplier and sends a genuine-looking invoice or a 'we've changed our bank details' notice, redirecting a legitimate payment to a mule account. Vendor and supplier impersonation is especially dangerous because the payment itself is expected - only the destination has been quietly swapped.
Payroll diversion and data theft
- Payroll diversion: posing as an employee, the attacker asks HR to update their salary bank details to an account the attacker controls.
- Personal-data theft: a request to send tax forms, payroll lists, or employee records, used for identity fraud or follow-on attacks.
- Gift-card scams: a smaller, fast-payoff variant where 'the boss' urgently needs gift cards bought and the codes sent over.
Why email filters often miss these attacks
Email security tools are tuned to catch volume, known-bad links, and malicious attachments. Spear phishing and BEC are deliberately engineered to present none of those signals. A single, clean, text-only email from a plausible address rarely trips automated defenses.
- No malware or links: many BEC messages are pure text, so there is nothing for sandboxing or URL scanners to detonate.
- Look-alike and compromised domains: attackers register domains that differ from the real one by a single character, or send from a genuinely hacked partner mailbox. The latter passes SPF, DKIM, and DMARC honestly, because those checks verify which domain sent the message, not whether the person behind it is who they claim to be.
- Low volume, high tailoring: a campaign of one message to one person never builds the reputation signals that reputation-based filters depend on.
- Authentication gaps: where SPF or DKIM is not published, or DMARC is absent or left at the monitoring-only policy (p=none), a message spoofing your real sender domain is delivered unchallenged.
- AI-written fluency: well-written, locally idiomatic messages remove the spelling and grammar tells that older filters relied on.
A realistic European scenario
Consider a mid-sized manufacturer in Slovakia. From LinkedIn, an attacker identifies the CFO and a junior accountant in the finance team, and from a press release learns the company is finalizing a contract with a German supplier. The attacker registers a domain that differs from the supplier's by a single letter.
Mid-week, the accountant receives a polished email in fluent Slovak, apparently from the supplier's billing contact: the bank account for an expected invoice has changed, please update it for this payment. The branding, the invoice number, and the amount all match a real, pending order. An hour later a follow-up arrives, seemingly from the CFO's address - a near-perfect look-alike - saying 'yes, I approved this, please process it before end of day, I'm in meetings.' Every individual detail checks out. The transfer leaves before anyone speaks out loud.
How to defend against spear phishing and BEC
Because these attacks target judgment rather than software, the strongest defense is layered: a process that makes fraud hard to complete, technical controls that raise the cost of impersonation, and people trained to pause on the exact requests attackers exploit. For a full program, see our guidance on how to prevent phishing.
- Out-of-band verification: confirm any payment or bank-detail change using a known, independent channel - a phone number from your records, never one supplied in the message.
- Dual approval for payments: require two authorized people to release transfers above a threshold, and a documented approval step for any change to supplier bank details.
- Make 'pause and verify' a norm: give finance and HR explicit permission to slow down urgent or secretive requests, even from senior leaders, without fear of looking difficult.
- Harden email authentication: deploy SPF, DKIM, and an enforcing DMARC policy, flag external and look-alike senders, and protect executive mailboxes with phishing-resistant passkeys.
- Train against real lures: ongoing awareness training and realistic, localized phishing simulations - using platforms such as PhishGun - build measurable resilience and reinforce the verification habit, which also supports NIS2 and DORA staff-training obligations.
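To see what "missing or left at p=none" looks like in practice, and what the hardened records in the authentication bullet above should look like, here is an added example (not code from this page or from any product it mentions) that grades a domain's SPF and DMARC TXT records. The two record sets are constructed: a weak pair with ~all and p=none beside the hardened pair with -all and p=reject; the mail-provider include and the domain names are assumptions.

```python
"""Grade SPF and DMARC TXT records for the gaps that let a spoofed sender domain through.

Added example; the records below are constructed. In practice, fetch the real TXT records
(dig TXT example.com and dig TXT _dmarc.example.com) and pass them to the same functions.
"""
from __future__ import annotations

# Constructed records for one domain before and after hardening.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.mailprovider.example ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@manufacturer.example",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:_spf.mailprovider.example -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@manufacturer.example",
}


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; return {} when it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def dmarc_findings(txt: str | None) -> list[str]:
    """Gaps in a DMARC record; an empty list means failing mail is rejected for the whole domain."""
    if not txt:
        return ["no DMARC record: receivers have no policy to apply when SPF and DKIM fail"]
    tags = parse_dmarc(txt)
    if not tags:
        return ["malformed DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail is still delivered")
    elif policy != "reject":
        findings.append(f"p={policy or 'missing'}: failing mail is not rejected")
    subdomain_policy = tags.get("sp", policy).lower()  # sp falls back to p when absent
    if subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy or 'missing'}: subdomains can still be spoofed")
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"pct={tags.get('pct')}: policy applies to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua: you get no aggregate reports showing who spoofs your domain")
    return findings


def spf_findings(txt: str | None) -> list[str]:
    """Gaps in an SPF record; the qualifier on 'all' decides what happens to unlisted senders."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return ["no SPF record: any host may claim to send for this domain"]
    terms = txt.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"  # bare 'all' means +all
    if qualifier == "+":
        return ["+all: every host on the internet passes SPF for this domain"]
    if qualifier == "?":
        return ["?all: neutral, which receivers treat like no SPF at all"]
    if qualifier == "~":
        return ["~all: softfail only; without an enforcing DMARC policy receivers usually still deliver"]
    return []


def grade(records: dict) -> dict:
    """Combine both checks; 'enforcing' is True only when neither record leaves a gap."""
    findings = {"spf": spf_findings(records.get("spf")), "dmarc": dmarc_findings(records.get("dmarc"))}
    findings["enforcing"] = not (findings["spf"] or findings["dmarc"])
    return findings


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        result = grade(records)
        print(f"{label}: enforcing={result['enforcing']}")
        for kind in ("spf", "dmarc"):
            for finding in result[kind]:
                print(f"  {kind}: {finding}")
```

Move from p=none to p=quarantine and then p=reject only after the aggregate reports (rua) show every legitimate sender aligned; flipping straight to reject on a domain with unlisted senders breaks real mail. None of this stops a look-alike domain the attacker owns, which is why the verification process above still carries the weight.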
Employees are the control that catches the BEC email a filter cannot. Treating them as the solution - equipped with a clear verification process and an easy way to report suspicious messages - turns your whole organization into a sensor network. Many of these targeted attacks also borrow tactics from modern phishing techniques, so keep training current as the tradecraft evolves.
Frequently asked questions
How is spear phishing different from regular phishing?
Regular (bulk) phishing sends a generic lure to many people at once. Spear phishing targets a specific person or role using researched details - real names, suppliers, and projects - which makes it far more convincing and much harder to spot.
What is the difference between spear phishing and BEC?
Spear phishing is the targeted-attack technique; business email compromise (BEC) is one of its most damaging outcomes. BEC uses spear-phishing tactics to impersonate an executive, employee, or vendor and trick staff into transferring money or sharing sensitive data.
Why don't email filters stop BEC?
Many BEC emails contain no malware and no links - just plausible text from a look-alike or compromised account. There is nothing for antivirus or URL scanners to flag, so the only reliable catch is a human verification step.
What is the single most effective defense against invoice and CEO fraud?
Out-of-band verification combined with dual approval. Confirming any payment or bank-detail change through a known, independent channel - and requiring a second authorized approver - stops the fraud even when the email looks perfect.