Spear phishing is a targeted social engineering attack where an adversary sends a personalized, customized message (usually email) to a specific person to trick them into revealing sensitive info, clicking a malicious link, or downloading malware.
Spear phishing is phishing with a sniper scope instead of a shotgun. Regular phishing blasts the same generic message to thousands of people hoping someone bites. Spear phishing zeroes in on one specific target and crafts a message just for them, often using real details like your name, job title, boss's name, or a recent project to make it look legit.
Under the CED, this falls squarely under social engineering (EK 1.1.A.1): the attacker uses psychological tactics to manipulate you into revealing sensitive information (called elicitation), downloading a malicious file, or clicking a malicious link. Because the message feels personal and believable, you let your guard down. Adversaries usually layer in urgency or intimidation (EK 1.1.A.2) so you act fast instead of stopping to check whether the request is reasonable.
Spear phishing lives in Unit 1: Introduction to Security, specifically Topic 1.1 Understanding Social Engineering. It directly supports learning objectives AP Cybersecurity 1.1.A (identify common indicators of social engineering tactics), 1.1.B (explain how those tactics influence victims), and 1.1.C (describe the impacts on victims). On the exam, you need to recognize spear phishing as a type of social engineering, spot the psychological levers it pulls, and explain why a targeted, personalized message is more dangerous than a generic one.
Phishing (Unit 1)
Phishing is the wide net; spear phishing is the harpoon. Both use deceptive messages to steal info, but spear phishing targets one specific person with customized details, which makes it far more convincing than mass-mailed phishing.
Elicitation (Unit 1)
Spear phishing is one delivery method for elicitation, the act of getting a victim to reveal sensitive information. The personalized message is the bait that pulls the secret out of you.
Urgency and Intimidation (Unit 1)
These are the psychological triggers spear phishing usually rides on (EK 1.1.A.2, 1.1.B.2, 1.1.B.3). A fake 'your account will be locked in 1 hour' message uses urgency so you click before you think.
Smishing (Unit 1)
Smishing is phishing over text message, and spear phishing can happen over SMS too. They overlap because EK 1.1.A.1 notes social engineering happens by email, text, or social media, not just one channel.
Expect spear phishing to show up in multiple-choice questions that describe a scenario and ask you to name the tactic or pick the social engineering indicator. A classic stem gives you an email that mentions a victim's real boss or project and asks what kind of attack it is, with the trick being to distinguish it from plain phishing. You may also be asked to explain why it works, which means naming the psychological principle (urgency, intimidation) and tying it to the desired action: revealing info, clicking a link, or downloading malware. No released FRQ has used the term verbatim, but it's exactly the kind of social engineering scenario Unit 1 free-response prompts build on, so be ready to identify the tactic and describe the impact on the victim.
Phishing is generic and sent to many people at once; spear phishing is personalized and aimed at one specific target. The key difference is targeting and customization. If the message uses your actual name, role, or company details to seem credible, it's spear phishing.
Spear phishing is a targeted social engineering attack that customizes a message for one specific victim, unlike broad phishing.
It relies on elicitation (getting you to reveal sensitive information) or on getting you to click a malicious link or download malware (EK 1.1.A.1).
The personalization makes it more convincing, which is exactly why it's more dangerous than generic phishing.
Attackers pair spear phishing with urgency or intimidation to make you act before you think (EK 1.1.A.2).
Possible impacts include handing over personal info for impersonation, leaking a one-time password, or installing malware (EK 1.1.C).
Spear phishing is a social engineering attack that sends a personalized, targeted message to a specific person to trick them into revealing sensitive info, clicking a malicious link, or downloading malware. It falls under Topic 1.1 and learning objective AP Cybersecurity 1.1.A.
No. Phishing is a generic message blasted to many people, while spear phishing is customized and aimed at one specific target using real details about them. Spear phishing is more convincing precisely because it's personalized.
Smishing is defined by the channel (it's phishing over SMS text), while spear phishing is defined by targeting (a personalized message aimed at one victim). A spear phishing attack can actually be delivered over text, so the two can overlap.
It exploits psychological principles from EK 1.1.B. The personalized details lower your suspicion, and added urgency or intimidation pressure you to act quickly without checking whether the request is safe.
Per EK 1.1.C, you might hand over personal info used for impersonation, leak a one-time password that lets the attacker log in as you, or download malware that infects your device.