Spearphishing is a targeted email scam that tricks someone inside your business into doing something they shouldn’t — clicking a link, sharing login details, or sending money. The attacker usually poses as someone familiar. They write the message to sound right for the situation. If you’re busy, if the message looks plausible, and if it comes at the right moment, you or your staff might act before checking. That’s exactly what the attacker hopes for.

These emails don’t rely on hacking software. They rely on your daily habits — reading emails fast, responding to your team, trusting the names in your inbox. Because these scams are written for one person at a time, they don’t always get caught by filters. If they’re convincing enough, no antivirus tool will help. Most damage happens not through broken software, but through people doing what they thought was the right thing.

What Makes a Spearphishing Email Different?

The attacker does their research. They’re not guessing. They’ve checked your website, LinkedIn, Companies House, maybe old data leaks. They know who works where, which email format your business uses, and what your teams are responsible for. They pick someone with access — maybe someone who can make payments or approve invoices. Then they write a message that looks like it comes from your manager, a supplier, or another trusted contact. It might reference a project or name that makes it feel legitimate.

Instead of blasting this message to hundreds of people, they send it to one person — the one they think will act on it. The tone is familiar. The instructions are clear. The timing makes sense. The only thing missing is a real reason. But that’s hard to spot when the rest of the message looks normal.

A Typical Spearphishing Attack Step-by-Step

First, the attacker selects a business and identifies a target. They might choose someone in accounts or operations — someone who can move money or access systems. They build a profile using freely available data, including anything shared online by the business itself. Next, they register a lookalike domain or use a fake email address that’s almost identical to a real one. They write an email that mimics tone, layout, and timing. Often it asks the recipient to make a quick payment, check a file, or update login details. It will usually include a link or an attachment. Because the email seems familiar, the person receiving it doesn’t always question it.

If the target clicks, the attacker either gets direct access (through a login page, remote software, or malware) or a payment goes out under false pretences. The damage may not be noticed straight away. By the time it is, the funds or data are gone.

Why These Attacks Still Work

The main reason these scams succeed is that they don’t look like scams. They don’t follow obvious patterns. They don’t come with poor spelling, strange formatting, or broken English. They copy what your business already expects to see. The attacker knows what works: urgency, familiarity, and the pressure to act quickly. Most staff don’t fall for technical traps — they fall for realistic requests that catch them at the wrong moment. Even when businesses use Microsoft 365, which includes filtering and detection tools, these emails can still land. That’s because the email doesn’t always include a dangerous link or file. The danger comes from what your staff do in response.

Studies from IEEE Xplore, Trellix, and Anubis Networks all confirm this: urgency and authority override our usual caution. When someone thinks they’re dealing with their boss or a high-stakes task, they often act without thinking. This isn’t about intelligence — it’s about timing, pressure, and trust. And it happens fast.

Examples from the Last Decade

Crelan Bank in Belgium lost €70 million after a finance director was tricked into wiring money following what looked like an internal email. Ubiquiti Networks in the US lost $46.7 million in a similar incident. Google and Facebook paid fake invoices totalling more than $100 million over several years to a scammer posing as a supplier. These weren’t small firms. They had internal checks and technical support teams. They still got caught.

There’s no perfect system, but you can reduce the risk quickly with a few basic steps. Train your team to pause when things feel off. Run short roleplay sessions with real examples. Set clear rules for payment approvals. Add multi-factor authentication (MFA) to your email accounts. If you use Microsoft 365, activate Safe Links and Safe Attachments, and set up a “report phishing” button in Outlook. These tools are built in, but only help if people use them. It’s not about buying more software — it’s about how your team handles email. The stronger your habits, the harder it is for these scams to work.

Spot a Spearphish Attack Checklist

Print this out, post it in your shared workspace, or send it to your team as an internal email.

✅ Do I recognise the sender’s name and email address — exactly?
✅ Was I expecting this file, link, or message?
✅ Is the email asking me to act quickly or handle something sensitive?
✅ Are there unusual payment instructions or bank details?
✅ Is the tone slightly wrong — too short, too formal, or too casual?
✅ Has the sender broken normal process (e.g. asking for direct payment instead of using the system)?
✅ Do I feel even slightly unsure?

If you’ve answered yes to any of these, pause. Pick up the phone. Speak to the person directly using a number you know. Do not reply to the email or click anything until you’ve confirmed it’s real.
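The first checklist item ("do I recognise the sender's email address, exactly?") and the lookalike domains described in the step-by-step section can be partly automated. The following is an added example, not code from the original post: it compares a sender's domain against a constructed list of domains the business already trusts and reports the reasons to pause (a trusted name buried in a longer domain, look-alike characters, a one- or two-letter typo, or a display name that shows a trusted address while the real address is elsewhere). The trusted domains and sample headers are made up for the example.

```python
"""Added example: automate the 'recognise the sender exactly' check against a
list of trusted domains. TRUSTED_DOMAINS and all sample headers are constructed."""
from email.utils import parseaddr

# Constructed list: the domains this hypothetical business legitimately deals with.
TRUSTED_DOMAINS = {"example-accounts.co.uk", "trusted-supplier.com"}


def normalise(domain):
    """Fold common look-alike spellings (rn->m, vv->w, 0->o, 1->l, ...) to one form."""
    d = domain.lower().rstrip(".").replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01357", "olest"))


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return the reasons to pause before acting on this email; [] means the domain is known."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["sender address could not be parsed"]
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return []  # exact match, or a genuine subdomain of a trusted domain
    reasons = []
    for t in trusted:
        if "." + t + "." in "." + domain:  # e.g. trusted-supplier.com.evil.net
            reasons.append(f"trusted name {t} is buried inside {domain}")
        elif normalise(domain) == normalise(t):
            reasons.append(f"{domain} uses look-alike characters for {t}")
        elif edit_distance(domain, t) <= 2:
            reasons.append(f"{domain} is within two typos of {t}")
    # Display name carries a trusted address while the real address is somewhere else.
    if "@" in name and name.lower().rsplit("@", 1)[1].strip() in trusted:
        reasons.append("display name shows a trusted address but the real sender differs")
    return reasons


if __name__ == "__main__":
    for hdr in ("Finance <ap@example-accounts.co.uk>",
                "Finance <ap@exarnple-accounts.co.uk>",
                '"ap@example-accounts.co.uk" <random123@gmail.com>'):
        print(hdr, "->", check_sender(hdr) or "ok")
```

A clean result only means the domain is one you already know; it says nothing about whether that account has been taken over, so the phone call in the checklist still applies to unusual payment requests.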

Spearphishing works because it looks like normal business. It doesn’t shout. It fits into your routine. That’s why good habits beat good software. Train your team. Slow things down. Build in checks. You don’t need to overhaul everything — just fix the places where people might act too quickly.

If you’d like a copy of the checklist as a poster or want help setting up simple protections like MFA and email reporting tools, get in touch. We support SMEs across Kent and nearby areas, and we work in plain language.
