Spearphishing is a targeted scam. You get an email that looks like it’s from someone you know—a manager, a supplier, a client. It asks you to do something simple: click a link, approve a payment, download a file. But the message is fake. And one click can cause real damage.
This kind of attack doesn’t depend on software flaws. It depends on people. That’s why it works so often.
What Happens in a Spearphishing Attack
Attackers start with research. They look up your business online, scan your company’s website, check social media, and collect names and roles. They copy email signatures. They look for patterns in how and when invoices are sent.
Then they write the message. It might be short and sharp: “Can you send payment today?” or “Here’s the updated supplier form.” It might use your boss’s name. It might reference a real supplier.
Timing matters. Most are sent at the end of the day, before a weekend, or during busy periods—when mistakes are more likely. They often include pressure or a sense of urgency.
When someone replies, clicks, or pays, it’s too late. The damage is done.
Why Smart People Fall for It
These emails don’t feel like scams. They feel like part of a normal day. That’s what makes them dangerous.
They use trust—like a manager’s name or a known supplier’s style. They rely on habit—you see an invoice, you pay it. They add pressure—there’s a deadline, someone’s waiting, you’re the blocker.
It’s not about being gullible. It’s about being busy.
Most businesses rely on Microsoft Outlook, but spearphishing affects every platform. Gmail, Yahoo, and other inboxes are just as likely to be hit. Microsoft’s own data shows email-based identity threats are constant, and growing.
These emails often bypass filters because they carry no malware and none of the obvious spam markers filters look for. They look real. That’s why human habits are the first line of defence.
In Belgium, Crelan Bank lost €70 million after staff believed fake emails from senior leadership. In Japan, Toyota Boshoku transferred $37 million to criminals pretending to be a trusted business partner.
These weren’t technical failures. They were people trying to do their jobs quickly.
This isn’t about installing new tools. The basics make a big difference.
Talk to your team. Show them how real these messages look. Add a second check for payments—like calling the person who requested it. Use multi-factor login where you can. And ask staff to report anything suspicious, even if it seems small.
Spearphishing Spotter: Team Checklist
Print this. Share it. Keep it visible.
Spearphishing Red Flags
The message is urgent—approve, transfer, or reply fast
The sender looks familiar, but something’s slightly off
The tone or wording doesn’t sound right
There’s a link or attachment you didn’t expect
The email address doesn’t match the usual one
If you’re unsure, stop. Don’t click. Don’t reply. Report it.
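The checklist above is meant for people, but most of it can also be turned into a mechanical first pass that flags a message for a second look before anyone acts on it. The script below is an added example, not code from the article or from any product it mentions: it reads a raw email, compares the sender’s display name and domain against a small directory of known contacts (a constructed directory, with made-up addresses), flags a Reply-To that points somewhere other than the sender, and looks for urgent wording and links. The two sample messages are constructed for the example. The lookalike check uses a similarity ratio, which is a simple heuristic rather than a complete defence.

```python
"""Spearphishing red-flag checker (added example; not the article's own code)."""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of people the team normally deals with (display name -> address).
KNOWN_CONTACTS = {
    "Dana Morgan": "dana.morgan@example-supplier.com",
    "Sam Patel": "sam.patel@ourcompany.example",
}
KNOWN_DOMAINS = {addr.split("@")[1] for addr in KNOWN_CONTACTS.values()}

URGENCY = re.compile(r"\b(urgent|asap|today|immediately|right away)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_domain(domain: str, known=KNOWN_DOMAINS, threshold: float = 0.8):
    """Return the known domain this one resembles, or None if it is exact or unrelated."""
    if not domain or domain in known:
        return None
    best = max(known, key=lambda k: difflib.SequenceMatcher(None, domain, k).ratio())
    ratio = difflib.SequenceMatcher(None, domain, best).ratio()
    return best if ratio >= threshold else None


def body_text(msg) -> str:
    """Plain-text body of a parsed message (joins text/plain parts if multipart)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    return msg.get_payload() or ""


def red_flags(raw_message: str) -> list:
    """Return the checklist items this message trips; an empty list means none."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    flags = []

    # Familiar name, unfamiliar address.
    expected = KNOWN_CONTACTS.get(name)
    if expected and addr.lower() != expected:
        flags.append(f"familiar name '{name}' but address is {addr}, expected {expected}")

    # Domain that is close to, but not, one we know.
    look = lookalike_domain(domain_of(addr))
    if look:
        flags.append(f"sender domain {domain_of(addr)} looks like {look}")

    # Replies silently redirected elsewhere.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.append(f"replies go to {reply_to}, not to the sender")

    # Pressure and unexpected links.
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    if URGENCY.search(text):
        flags.append("urgent wording")
    if LINK.search(text):
        flags.append("contains a link")
    return flags


# Constructed sample messages for the example.
SUSPICIOUS = """\
From: Dana Morgan <dana.morgan@example-suppl1er.com>
Reply-To: accounts@mail-relay.example.net
Subject: Updated bank details - payment today
Content-Type: text/plain

Hi, can you send today's payment to the new account on the attached form?
https://example-suppl1er.com/form
"""

NORMAL = """\
From: Dana Morgan <dana.morgan@example-supplier.com>
Subject: March invoice
Content-Type: text/plain

Attached is the March invoice as usual. No change to bank details.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("normal", NORMAL)):
        print(label, "->", red_flags(raw) or ["no red flags"])
```

Run it as-is and the suspicious message trips all five checks (name/address mismatch, lookalike domain, redirected Reply-To, urgent wording, link) while the normal one trips none. A single flag is not proof of fraud; the point is that any flag is a reason to stop and use the second check the article describes, such as phoning the person who supposedly sent it.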
Spearphishing is designed to fool people who are trying to work quickly and helpfully. You don’t need better tech to deal with it. You need a team that knows what to look for—and knows when to pause.
We help small businesses in Wiltshire make sense of this stuff without jargon. If you want a second opinion on how your emails are protected, we’ll talk you through it, no strings.
Further reading: Multifactor authentication