Email Attacks Explained: Phishing, Spear Phishing, and BEC
The accounting manager gets an email from the CEO on a Friday afternoon. The tone is right, the signature is right, the request is urgent but plausible: a vendor needs to be paid today to close a deal, here are the wire details, keep it quiet until it’s announced. Everything about it feels normal except one thing the manager has no easy way to check in the moment, whether the CEO actually sent it. This is what a modern email attack looks like. It is not a misspelled message from a foreign prince; it is a message engineered to look exactly like one a business receives every day, which is precisely why email remains the most common way attacks begin.
Email attacks work because they target the person, not the technology. No firewall stops an employee from voluntarily doing what a convincing message asks. Understanding the main forms these attacks take, how they manipulate, and how to recognize them is the most practical security knowledge a business can give its people, because the employee reading the email is the actual line of defense.
The Main Types, From Broad to Targeted
Email attacks fall along a spectrum defined by how targeted they are. Knowing where an attack sits on that spectrum explains how convincing it is likely to be.
- Phishing is the wide net. Attackers send the same deceptive message to thousands of people at once, impersonating a familiar brand, a bank, a delivery service, a software provider, and hoping a fraction click a link or enter their credentials on a fake page. Any individual message is generic, which is also what often makes it easier to spot.
- Spear phishing is the aimed spear. Instead of mass mail, the attacker researches a specific person and crafts a message tailored to them, referencing real colleagues, real projects, real vendors. Because it is personalized and plausible, it is far harder to recognize and far more dangerous than generic phishing.
- Business email compromise (BEC) is spear phishing pointed at a business’s money or data, usually by impersonating someone trusted: an executive, a vendor, a partner. The Friday-afternoon wire request is the classic example. BEC often carries no link or malware at all, relying purely on social engineering, which is exactly why technical filters frequently miss it.
The pattern is that as an attack gets more targeted, it gets more convincing and harder to catch, while broad phishing is more common but cruder. A business faces all three, and the targeted kinds are the ones that do the most damage.
How They Manipulate
Underneath the types, the same psychological levers do the work. Attackers manufacture urgency, a deadline, a closing window, a threatened account, so the target acts before thinking. They borrow authority by impersonating a boss or a known institution, because people are reluctant to question a superior or a familiar brand. They lean on routine, framing the request as something ordinary, a normal invoice, a normal password reset, so nothing feels alarming.
The goal of all this manipulation is usually one of two things: to get the target to hand over credentials by entering them on a convincing fake page, or to get them to take an action directly, wiring money, changing payment details, opening an attachment. The stolen credentials are valuable precisely because they become a key for what comes next, often surfacing for sale in the same underground markets where breached data circulates. What an attacker does with that access is a separate stage; the email is simply how the door gets opened.
How to Recognize an Attack
Most email attacks share recognizable warning signs, and training people to pause on them is more effective than any single tool. A handful come up again and again:
- Unexpected urgency, especially a message pressing for money, credentials, or a fast decision, deserves suspicion by default; urgency is the attacker’s main lever.
- A sender address that is subtly wrong, a domain with one letter changed, or a familiar name attached to an unfamiliar address.
- A login link inside the email itself, steering toward a page reached through the message rather than one the person navigates to independently.
- A request that breaks normal process, a wire to a new account, a change to payment details, a demand for secrecy, even when the tone sounds routine.
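A defender-side illustration of screening for three of these signs automatically, added here and not part of the original article: it parses one constructed sample message and flags a sender domain one edit away from a trusted one, a Reply-To that routes answers elsewhere, and a link whose visible text shows a different host than its real destination. The trusted-domain list, names, addresses and hosts are all constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: the domains this business expects mail from.
TRUSTED_DOMAINS = {"example-corp.com", "payments.example"}

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw):
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(parseaddr(str(msg["From"] or ""))[1])
    # Sign 1: a domain with a letter or two changed, near a trusted one but not it.
    if from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(from_dom, trusted) <= 2:
                findings.append(f"lookalike sender domain {from_dom} (near {trusted})")
    # Sign 2: a familiar name, but replies are routed to an unfamiliar address.
    reply = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply and domain_of(reply) != from_dom:
        findings.append(f"reply-to domain {domain_of(reply)} differs from {from_dom}")
    # Sign 3: a login link whose visible text shows one host but points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.search(r"https?://([^/\s<]+)", text)
        real = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower() != real:
            findings.append(f"link text {shown.group(1)} hides destination {real}")
    return findings
# Constructed sample resembling the Friday-afternoon wire request in the text.
SAMPLE = """From: "Dana Reyes, CEO" <dana.reyes@examp1e-corp.com>
Reply-To: dana.reyes.ceo@mail.example.net
Subject: Urgent vendor payment today
Content-Type: text/html

<p>Log in at <a href="http://login.example.net/portal">https://portal.example-corp.com</a> and release the wire.</p>
"""
```

Running `check_message(SAMPLE)` returns three findings, one per sign; a plain message from a trusted domain with no Reply-To and no links returns none.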
The single most reliable defense against the targeted attacks is verification through a different channel. If an email asks for a wire transfer or a change to payment details, confirming by phone or in person, using a known number rather than one in the email, defeats nearly every BEC attempt. The attack depends on the target acting inside the email’s framing; stepping outside it breaks the illusion.
What a Business Can Do
No single measure stops email attacks, but a few layers together make a business a much harder target. Multi-factor authentication is foundational, because it means a phished password alone does not grant access; an attacker who steals credentials still cannot log in without the second factor. Verification procedures for any financial request, requiring a second channel and ideally a second person for transfers, directly counter BEC. And because these attacks target people, regular awareness training is not a formality but the core defense, since an employee who recognizes the pattern is the one protection that works before any damage is done.
Email is the front door of most attacks, but it is a door people can be taught to guard. The technology helps, filters catch a great deal of the crude, high-volume phishing, but the targeted attacks that slip through are stopped by a person who knows to pause, distrust urgency, and verify. How an attacker turns a single opened door into a wider compromise is the next part of the story, and it is the reason guarding the door matters so much.
Frequently Asked Questions
What’s the difference between phishing and spear phishing?
Phishing is generic and sent in bulk to many people at once, impersonating common brands and hoping a fraction take the bait. Spear phishing is personalized, aimed at a specific person using researched details like real names, projects, and relationships, which makes it far more convincing and harder to spot. The bulk version is more common; the targeted version is more dangerous.
Why do email attacks get past spam filters?
The most damaging ones, particularly business email compromise, often contain no malicious link or attachment for a filter to catch, just plain text making a plausible request. Because they rely on social engineering rather than technical payloads, they can look like ordinary business correspondence. This is why the human ability to recognize a suspicious request matters even when good filtering is in place.
How can I tell if a wire transfer request is legitimate?
Verify it through a separate channel before acting. If an email asks you to send money or change payment details, confirm directly with the supposed sender by phone or in person, using a contact number you already have rather than one provided in the email. This single habit defeats most business email compromise attempts, because the scam depends entirely on you staying within the email’s framing.
Is multi-factor authentication enough to stop phishing?
It is essential but not sufficient on its own. Multi-factor authentication means a stolen password cannot be used by itself, which blocks a large share of credential-based attacks. But it does not stop an attacker from tricking someone into a wire transfer, and determined attackers have ways to target some forms of it, so it works best combined with verification procedures and awareness training rather than as a single solution.
What should someone do right after clicking a suspicious link or entering credentials on a fake page?
The first priority is changing the password for any account whose credentials may have been entered, and doing it from a different device if the original might be compromised. Enabling multi-factor authentication on that account, if it is not already on, blunts the value of what was stolen. Reporting it to whoever handles the business’s IT or security matters, because the same message was likely sent to others, and watching the affected accounts for unusual activity rounds out the immediate response. Acting quickly is what limits the damage, since the window between a credential being stolen and being used is where the harm happens.
