Spear Phishing vs Mass Phishing: Why Targeted Attacks Need Different Training

June 23, 2026

Most security awareness training teaches people to spot the obvious signs of a phishing email: generic greetings, unusual sender addresses, urgent language, suspicious links. These signals are reliable indicators of mass phishing campaigns, where attackers send the same or similar email to hundreds of thousands of people and rely on a small percentage clicking. That training has value. But it prepares people for a specific type of attack, and organisations that assume it covers spear phishing are leaving a significant gap.

Spear phishing is a different thing. The attacker has researched the target. They know the person's name, role, manager, current projects, the systems they use, and sometimes details about their personal life sourced from social media. The email is personalised, contextually plausible, and crafted to avoid the signals that mass phishing training teaches people to look for. The recognition skills needed to identify it are different, and the training to develop those skills needs to reflect that difference.

How Attackers Build a Spear Phishing Email

Open-source intelligence gathering is the first step in any spear phishing campaign. A LinkedIn profile tells an attacker your job title, your organisation, your manager's name, your colleagues, the software tools you reference in posts, and sometimes your personal interests and activities. A company website adds client names, project names, office locations, and key contacts. Public social media adds context about personal relationships, travel, and life events. An attacker who spends thirty minutes on this research can write an email that is far more convincing than anything generated in a mass campaign.

The resulting email might reference a specific project by name, appear to come from someone in the person's actual reporting line, use the correct internal terminology for a process, and include a request that is plausible given the recipient's role. The technical indicators that mass phishing training targets (generic greetings, obvious spoofed addresses) may not be present. The sender address might be a convincing lookalike domain. The request might come through a channel the target uses regularly. Staff trained only to spot generic phishing signals will not have the pattern recognition to catch this.

What Spear Phishing Recognition Training Looks Like

Training for spear phishing recognition needs to teach a different set of habits. Instead of scanning for obvious red flags, it teaches people to verify unexpected requests through a second channel, regardless of how convincing the original request looks. Someone asks you to approve a payment via email. The correct habit is to call the requester on a known number, not to rely solely on the email content. That verification habit is the primary defence against spear phishing because it does not depend on the target spotting the attack. It interrupts the attack even when the email is convincing.

Training also needs to cover what information staff are inadvertently sharing publicly. A significant part of spear phishing defence is reducing the attack surface that attackers can research. Staff who understand that their LinkedIn profile is visible to attackers and that posts about internal projects or systems provide useful intelligence to them are more likely to make thoughtful decisions about what they share. This is not about paranoia. It is about understanding that the research phase of a spear phishing attack is largely conducted on publicly available information.

High-Risk Roles for Spear Phishing

Not all staff face the same spear phishing exposure. People with prominent LinkedIn profiles and public-facing roles are higher-value research targets. Finance staff who handle payments are higher-value attack targets because the endgame of most spear phishing campaigns is financial fraud. Executives are targeted because their authority can be exploited or impersonated. IT staff are targeted because their access credentials provide high-value entry points. Training needs to be allocated according to actual risk exposure, not distributed uniformly.

We see this pattern consistently across our clients, including several NSW councils where finance and executive staff face clearly elevated targeting compared to general staff. A programme that treats everyone identically misallocates training resources. Higher-risk roles need more frequent, more sophisticated simulation scenarios and more in-depth training on the specific tactics likely to be used against them. That differentiation is what role-based training is designed to deliver.

Response Habits Are More Reliable Than Detection

Detection-based training assumes the target will identify the attack. Response-based training assumes the attack may look convincing and builds habits that interrupt it anyway. For spear phishing, response-based training is significantly more reliable. The habit of verifying unexpected financial requests through a second channel, the habit of confirming sensitive information requests before acting on them, and the habit of pausing on any request that creates urgency or bypasses normal process: these habits work whether or not the person spots the attack.

  • Spear phishing uses research and personalisation to bypass generic awareness training.
  • Recognition training for spear phishing focuses on verification habits, not just signal detection.
  • Staff should understand that their public profiles are available to attackers as research material.
  • Higher-risk roles (finance, executives, IT) need more intensive targeted training.
  • Response habits (verify through a second channel) are more reliable than detection when the attack is sophisticated.

If you want to understand your organisation's spear phishing exposure and design training that addresses it specifically, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
Cyber Awareness Training
Written by
Saaim Khan
Chief Innovation Officer
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?