← All articles

Spear phishing vs mass phishing: what’s the difference?

GottaPhish Team · June 11, 2026

Not all phishing is the same. Some attacks are scattered widely in the hope of catching anyone, while others are carefully aimed at one specific person. Understanding the difference helps you recognise both — and know when to be extra careful.

Mass phishing: the wide net

Mass phishing is the "spray and pray" approach. Attackers send the same message to thousands, or even millions, of people at once. They don't know who you are; they're simply hoping that a small percentage of recipients will take the bait.

Because these messages are generic, they tend to share common traits:

Mass phishing succeeds through sheer volume. Even if only one person in a thousand responds, that's still a worthwhile catch for the attacker.

Spear phishing: the targeted strike

Spear phishing is the opposite. Instead of casting a wide net, the attacker aims at one particular person or a small group — and does their homework first.

Before sending anything, they gather details about you: your name, your job title, who you report to, projects you're working on, even your recent social media posts. They use this information to craft a message that feels personal and believable.

A spear-phishing email might mention your manager by name, reference a real project, and arrive at a moment when you're expecting exactly that kind of request.

Because it's tailored, spear phishing is far more convincing — and far more dangerous. The tell-tale signs of mass phishing (generic greetings, obvious errors) are often absent.

A quick comparison

Mass phishingSpear phishing
TargetAnyone and everyoneOne specific person or team
EffortLow, sent in bulkHigh, researched and tailored
Personal detailGenericUses your real name, role, context
Ease of spottingOften easierDeliberately hard

Where "whaling" and CEO fraud fit in

You may also hear the terms whaling and CEO fraud. These are forms of spear phishing aimed at high-value targets — senior executives, or the people who can authorise payments. A common example is an email that appears to come from your CEO, urgently asking you to transfer money or buy gift cards. It's tailored, it uses authority, and it relies on you not wanting to question the boss.

How to protect yourself against both

The good habits are the same, whether the attack is broad or targeted:

The key insight is this: a message being personal and specific does not make it safe. In fact, with spear phishing, that personal touch is exactly the trap. When a request feels important and time-sensitive, that's the moment to verify — not to rush.

How GottaPhish helps

Spear phishing is dangerous precisely because it's personal and specific, slipping past generic filters and instincts alike — and GottaPhish, together with our expert support team, helps you address exactly that. Our simulations range from broad phishing campaigns to realistic spear-phishing scenarios tailored to roles like finance or leadership, backed by practical awareness training and clear dashboards showing which teams face the most risk. Our support and experts team works hands-on with you to design these targeted scenarios, set up campaigns, and interpret the results, so your people experience these threats safely before they meet the real thing.