Spear phishing vs mass phishing: what’s the difference?
Not all phishing is the same. Some attacks are scattered widely in the hope of catching anyone, while others are carefully aimed at one specific person. Understanding the difference helps you recognise both — and know when to be extra careful.
Mass phishing: the wide net
Mass phishing is the "spray and pray" approach. Attackers send the same message to thousands, or even millions, of people at once. They don't know who you are; they're simply hoping that a small percentage of recipients will take the bait.
Because these messages are generic, they tend to share common traits:
- Impersonal greetings like "Dear Customer" or "Dear Account Holder."
- Well-known brands — banks, delivery firms, streaming services — chosen because lots of people use them.
- Broad hooks — a parcel you're supposedly waiting for, an account that needs "verifying," or an invoice you didn't expect.
Mass phishing succeeds through sheer volume. Even if only one person in a thousand responds, that's still a worthwhile catch for the attacker.
Spear phishing: the targeted strike
Spear phishing is the opposite. Instead of casting a wide net, the attacker aims at one particular person or a small group — and does their homework first.
Before sending anything, they gather details about you: your name, your job title, who you report to, projects you're working on, even your recent social media posts. They use this information to craft a message that feels personal and believable.
A spear-phishing email might mention your manager by name, reference a real project, and arrive at a moment when you're expecting exactly that kind of request.
Because it's tailored, spear phishing is far more convincing — and far more dangerous. The tell-tale signs of mass phishing (generic greetings, obvious errors) are often absent.
A quick comparison
| Mass phishing | Spear phishing | |
|---|---|---|
| Target | Anyone and everyone | One specific person or team |
| Effort | Low, sent in bulk | High, researched and tailored |
| Personal detail | Generic | Uses your real name, role, context |
| Ease of spotting | Often easier | Deliberately hard |
Where "whaling" and CEO fraud fit in
You may also hear the terms whaling and CEO fraud. These are forms of spear phishing aimed at high-value targets — senior executives, or the people who can authorise payments. A common example is an email that appears to come from your CEO, urgently asking you to transfer money or buy gift cards. It's tailored, it uses authority, and it relies on you not wanting to question the boss.
How to protect yourself against both
The good habits are the same, whether the attack is broad or targeted:
- Slow down when there's pressure. Urgency plus a request for money or information is the biggest warning sign of all.
- Verify unusual requests independently. If your manager or a supplier asks for something out of the ordinary, confirm it by phone or in person — using contact details you already trust.
- Be mindful of what you share publicly. The less personal detail attackers can find online, the harder it is to target you convincingly.
- Treat "the boss asked" with healthy caution. A genuine leader would rather you double-check than fall for a scam in their name.
The key insight is this: a message being personal and specific does not make it safe. In fact, with spear phishing, that personal touch is exactly the trap. When a request feels important and time-sensitive, that's the moment to verify — not to rush.
How GottaPhish helps
Spear phishing is dangerous precisely because it's personal and specific, slipping past generic filters and instincts alike — and GottaPhish, together with our expert support team, helps you address exactly that. Our simulations range from broad phishing campaigns to realistic spear-phishing scenarios tailored to roles like finance or leadership, backed by practical awareness training and clear dashboards showing which teams face the most risk. Our support and experts team works hands-on with you to design these targeted scenarios, set up campaigns, and interpret the results, so your people experience these threats safely before they meet the real thing.
