Spear Phishing & Advanced Scenarios
Overview
Generic phishing simulations work well for baseline testing, but as users become more aware, you need more sophisticated scenarios. This guide covers advanced simulation approaches in PhishGrid.
What is spear phishing?
Unlike generic mass phishing, spear phishing targets specific individuals or groups with personalised content tailored to their role or context. It is far more effective and harder to detect — and closer to what real attackers use against mature organisations.
Advanced scenario types
Executive impersonation (CEO fraud / BEC)
An email appearing to come from "the CEO" or a senior leader requesting urgent action — a wire transfer, gift card purchase, or confidential document.
Target: Finance, executive assistants, HR
Approach: Internal-looking email, urgent tone, spoofed executive name
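The "spoofed executive name" in this scenario is exactly what a mail gateway's impersonation rules are tuned to catch, and a simulation campaign is a good way to confirm those rules fire. The following added example (not PhishGrid code) shows the three header checks such a rule usually combines: a protected display name on an external address, a Reply-To pointing at a different domain, and an internal From domain that did not pass DMARC. The protected name `Dana Reyes`, the domains `example.com`, `example-webmail.net` and `example-reply.net`, and the sample messages are all constructed for illustration; the DMARC check assumes the inbound gateway stamps an `Authentication-Results` header.

```python
"""Header checks for the executive-impersonation (BEC) pattern.

Added example, not PhishGrid code. Names, domains and the sample
messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Iterable


def _domain(addr: str) -> str:
    """Lowercase domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _normalise(name: str) -> str:
    """Collapse case, punctuation and word order so that
    'Dana Reyes', 'dana.reyes' and 'Reyes, Dana' compare equal."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


def impersonation_indicators(raw: str, protected_names: Iterable[str],
                             internal_domains: Iterable[str]) -> list[str]:
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    internal = {d.lower() for d in internal_domains}
    protected = {_normalise(n) for n in protected_names}

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    indicators: list[str] = []

    # 1. Display name belongs to a protected person, but the address is external
    #    (classic "CEO on a webmail account" lure).
    if _normalise(from_name) in protected and from_domain not in internal:
        indicators.append("display-name-impersonation")

    # 2. Reply-To routes replies to a domain other than the visible From domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        indicators.append("reply-to-mismatch")

    # 3. The From domain is ours, yet the gateway did not record dmarc=pass.
    #    Assumption: inbound mail carries an Authentication-Results header.
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain in internal and "dmarc=pass" not in auth:
        indicators.append("internal-domain-without-dmarc-pass")

    return indicators


# Constructed configuration for the examples below.
PROTECTED = ["Dana Reyes"]
INTERNAL = ["example.com"]

# Constructed sample: protected display name on an external webmail address,
# replies diverted to a third domain.
SAMPLE_BEC = """\
From: "Dana Reyes" <dana.reyes.ceo@example-webmail.net>
Reply-To: <ceo.office@example-reply.net>
To: payments@example.com
Subject: Urgent: vendor payment before 5pm
Authentication-Results: mx.example.com; dmarc=none

Can you process this today? I'm in meetings, don't call.
"""

# Constructed sample: our own domain in From, but DMARC failed and replies
# go elsewhere.
SAMPLE_SPOOFED = """\
From: "Dana Reyes" <dana.reyes@example.com>
Reply-To: <dana.reyes@example-reply.net>
To: payments@example.com
Subject: Gift cards for the team
Authentication-Results: mx.example.com; dmarc=fail header.from=example.com

Pick up 10 gift cards and send me the codes.
"""

# Constructed sample: a genuine internal message that must not be flagged.
SAMPLE_LEGIT = """\
From: "Dana Reyes" <dana.reyes@example.com>
To: payments@example.com
Subject: Q3 budget review
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Agenda attached for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("bec", SAMPLE_BEC), ("spoofed", SAMPLE_SPOOFED),
                       ("legit", SAMPLE_LEGIT)):
        print(label, impersonation_indicators(raw, PROTECTED, INTERNAL))
```

When a campaign's executive-impersonation template produces none of these indicators at the gateway, that is a finding in itself: the lure reached users without any technical signal, so the training message has to do all the work.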
IT impersonation
"Your password expires today" or "You have a new voicemail" from "IT Support". High click rates, especially for non-technical users.
Target: All staff
Credential harvesting
A realistic login page (Microsoft 365, Google Workspace, internal portal) that captures what users type. Demonstrates how convincing fake login pages can look.
Target: All staff
Content type: Landing page with data capture
Multistage attack
Chains multiple pages: fake login → fake verification code → awareness content. Tests whether users proceed through multiple steps of a scam.
Target: Experienced users who have passed basic tests
Vishing (voice phishing)
Automated call simulating IT help desk, bank, or HR asking for sensitive information.
Target: Any group — particularly effective for staff unlikely to click an email
SMS / smishing
Fake text message with a malicious link or callback number.
Target: All staff — users apply less scrutiny to SMS than email
Escalation path for a maturing programme
| Stage | Campaign type | Expected phish rate |
|---|---|---|
| 1 — Baseline | Generic phishing, easy templates | 20–40% |
| 2 — Awareness building | Generic + training | 10–20% |
| 3 — Targeted | Department-specific templates | 8–15% |
| 4 — Advanced | Spear phishing, credential harvest | 5–12% |
| 5 — Mature | BEC, multistage, vishing | 3–8% |
Tips
- Brief leadership first. Executive impersonation campaigns can cause alarm — ensure senior leaders know before launch.
- Have training ready. Advanced simulations trigger stronger reactions — use that moment for impactful training.
- Build up gradually. Very hard campaigns too early demoralise users. Escalate difficulty progressively.
- Personalise ethically. Use role and department context — not personal information from outside the organisation.