Beginner · Lesson 1 of 9 · Phishing & social-engineering email

    Spear Phishing in 2026 — How Targeted Email Attacks Actually Work

    Spear phishing is a phishing attack tailored to one person or a small group, using real internal context — names, projects, supplier relationships — to bypass the suspicion that catches bulk phishing. In 2026 the lures arrive from compromised supplier domains and reference real invoice numbers leaked from prior breaches.

Reviewed by the HackersHub team · updated 13 May 2026 · 9 min read · Free to use under CC-BY-ND 4.0

    The scenario

Marta is the Group Treasurer at a 2,400-person Dutch logistics firm. On a Tuesday morning at 09:12 she receives an email from her CFO's address with the subject "Re: Q2 dividend wire — corrected IBAN". The thread contains the actual exchange she had with the CFO four weeks earlier about the dividend, quoted in full. The new message asks her to redirect the €1.4M payment to a different IBAN because of an alleged audit hold on the old account. The footer carries the CFO's exact signature block, his correct mobile number, and the company VAT ID. Marta has corresponded with this exact thread before. She clicks Reply, and then notices the sender domain is loglstics.nl, not logistics.nl: a lowercase 'l' where the 'i' should be, which renders almost identically in most fonts. Nine minutes later her phone rings; the caller ID shows the CFO; the voice sounds like the CFO. Marta hangs up, opens a new email to the CFO's verified address, and asks him directly. He has not sent anything. The attack was halted; nothing was lost. Most organisations are not this lucky.

    How the attack works

Spear phishing is a four-stage operation.

Stage one is reconnaissance. The attacker scrapes LinkedIn, company press releases, public filings, and previously breached datasets to map the target's reporting line, recent projects, and language patterns. Open-source-intelligence tools (Maltego, theHarvester, public Hunter.io data) automate most of this in hours.

Stage two is infrastructure setup. The attacker registers a look-alike domain, typically a homoglyph (rn for m, l for i), a TLD swap (.co for .com), or a missing letter, and gives it valid TLS, its own correctly published SPF, DKIM and DMARC records, and a warmed-up sending reputation built from two to six weeks of low-volume, legitimate-looking mail. Authentication therefore passes on the lure: SPF, DKIM and DMARC prove only that a message came from the domain in its From header, not that the domain is the one it resembles.

Stage three is the lure. The attacker writes a message that names a real internal project, references a recent calendar event scraped from a leaked Office 365 mailbox, or quotes a real email thread obtained from a prior compromise. This is what separates spear phishing from bulk phishing: the lure passes the 'is this real?' test because most of it is real.

Stage four is action and laundering. The target wires money, shares credentials, or clicks a link that lands on a credential-harvesting kit (often an Evilginx-style reverse proxy, which relays the genuine login page and captures the resulting session cookie, so one-time codes and push approvals do not protect the account). The funds move through a chain of mule accounts, often within 30 minutes.

MITRE ATT&CK techniques: T1583.001 (Acquire Infrastructure: Domains), T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link), T1585.002 (Establish Accounts: Email Accounts), and T1656 (Impersonation).

    What to watch for

    • Sender domain looks correct at a glance but contains a homoglyph, missing letter, or wrong TLD — always inspect the full address, not the display name
    • Reply-To address differs from the From address, or routes to a free webmail domain
    • A previous email thread quoted in full, but the new message changes a key detail like an IBAN, contract number, or delivery address
    • Pressure for unusual urgency — 'before close of business', 'while you have the auditor on the line', 'CFO needs this before his flight'
    • Out-of-band confirmation channel suggested by the attacker (call this new mobile number) instead of the target's known channel
    • Request to bypass a normal control — 'skip the approval workflow this once', 'just send it from your personal account'
    • Voice or video follow-up that matches the email exactly — deepfake voice and live-rendered video are now routine in 2026
    • Email arrives outside the sender's normal working hours or with stylistic shifts (different greeting, different sign-off)
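A header triage script for the signals in the list above, added here as an example and not part of the original module. It checks the From domain against a list of known-good domains for the three look-alike patterns named in stage two (homoglyph, one-character edit, TLD swap), flags a Reply-To that diverges from From or routes to free webmail, and treats a passing DMARC result on a domain you do not own as a warning rather than reassurance. The two messages, the domains, the names and the KNOWN_GOOD and FREE_WEBMAIL lists are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the lure from the scenario above (not a real message).
RAW_LURE = """\
From: "Pieter de Vries, CFO" <p.devries@loglstics.nl>
Reply-To: cfo.devries@gmail.com
To: marta@logistics.nl
Subject: Re: Q2 dividend wire - corrected IBAN
Authentication-Results: mx.logistics.nl; spf=pass smtp.mailfrom=loglstics.nl; dkim=pass header.d=loglstics.nl; dmarc=pass header.from=loglstics.nl

Hi Marta, please use the new IBAN below before close of business.
"""

# Constructed sample: a genuine message from the same person.
RAW_CLEAN = """\
From: "Pieter de Vries, CFO" <p.devries@logistics.nl>
To: marta@logistics.nl
Subject: Q2 dividend wire
Authentication-Results: mx.logistics.nl; dmarc=pass header.from=logistics.nl

Marta, the dividend wire instruction is attached.
"""

KNOWN_GOOD = {"logistics.nl"}  # domains you own or have verified (assumed for the example)
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}


def skeleton(label):
    """Collapse visually similar characters so 'loglstics' and 'logistics' compare equal."""
    s = label.lower().replace("rn", "m").replace("vv", "w")
    return s.translate(str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"}))


def levenshtein(a, b):
    """Edit distance; a distance of 1 catches a missing, added or substituted letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(candidate, good):
    """Name the look-alike pattern that maps `candidate` onto `good`, or None."""
    if candidate == good:
        return None
    c_label, _, c_tld = candidate.rpartition(".")
    g_label, _, g_tld = good.rpartition(".")
    if c_label == g_label and c_tld != g_tld:
        return "tld-swap"
    if skeleton(c_label) == skeleton(g_label):
        return "homoglyph"
    if levenshtein(c_label, g_label) == 1:
        return "one-character-edit"
    return None


def domain_of(header_value):
    """Registrable domain of the address in a From/Reply-To header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage(raw):
    """Run the sender checks on one RFC 5322 message and return human-readable findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(str(msg.get("From", "")))

    if from_domain not in KNOWN_GOOD:
        for good in KNOWN_GOOD:
            pattern = lookalike(from_domain, good)
            if pattern:
                findings.append(f"sender domain {from_domain} looks like {good} ({pattern})")

    reply_to = msg.get("Reply-To")
    if reply_to:
        rt_domain = domain_of(str(reply_to))
        if rt_domain != from_domain:
            findings.append(f"Reply-To domain {rt_domain} differs from From domain {from_domain}")
        if rt_domain in FREE_WEBMAIL:
            findings.append(f"Reply-To routes to free webmail ({rt_domain})")

    # SPF/DKIM/DMARC prove only that the mail came from the domain in the From header.
    # On a domain the attacker registered, a pass is expected, not reassuring.
    auth = str(msg.get("Authentication-Results", ""))
    if "dmarc=pass" in auth and from_domain not in KNOWN_GOOD:
        findings.append(f"DMARC passes for {from_domain}, a domain we do not own")
    return findings


if __name__ == "__main__":
    for name, raw in (("lure", RAW_LURE), ("clean", RAW_CLEAN)):
        print(name, triage(raw) or ["no findings"])
```

Run against the lure it reports four findings (homoglyph domain, diverging Reply-To, webmail Reply-To, DMARC pass on a foreign domain); the genuine message produces none. The skeleton comparison is deliberately coarse: it is meant to surface candidates for a human to compare character by character, not to replace that comparison.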

    What to do

1. Verify out-of-band before acting on any sensitive request. Call the requester on a number you already have, or walk to their desk. Never call a number provided inside the suspicious message.
    2. Forward the message, with full headers, to your security or IT team. If your mail client supports 'Report Phishing', use it. Otherwise forward as an attachment so the headers survive.
    3. Do not delete the original message yet. Your security team needs it for response. Move it to a 'Quarantine' folder you control.
    4. Inspect the sender domain character by character. Compare it against a known-good email from the same person in your archive.
    5. If you clicked a link, report it immediately. Speed matters: a credential-harvesting kit can be drained and turned into account takeover within minutes.
    6. If you acted on the request, escalate to security AND finance before anything else. Wire fraud can sometimes be recalled if the receiving bank is notified within hours.
    7. Warn peers in the same workflow without forwarding the lure. Send a separate message describing the attack pattern; never forward the original email outside of security.

    Defenses to deploy

    Technical controls

• DMARC enforcement (p=reject) on every domain you own, including domains that send no mail (publish v=spf1 -all and p=reject for those too), plus a routine review of DMARC aggregate reports for spoofing attempts against your domain
    • Inbound SPF/DKIM/DMARC validation that quarantines messages failing DMARC rather than only tagging them; a pass proves only that the mail came from the domain in the From header, which is exactly what an attacker-registered look-alike domain will show
    • Anti-impersonation rules on the mail gateway flagging look-alike domains, display-name mismatches, and external-sender warnings on internal-looking emails
    • Conditional Access policies in Microsoft 365 / Google Workspace requiring MFA + compliant device for any session originating from new geos
    • FIDO2 / passkey rollout for high-value roles (finance, executives, IT admins): the credential is bound to the genuine origin, so a reverse proxy on a look-alike domain never obtains a usable assertion, which is why phishing-resistant MFA defeats Evilginx-class kits
    • Email-banner injection for first-time-correspondent or external-domain senders, especially when display names match internal staff
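An example for the first two controls, added here and not part of the original module: a check of a domain's DMARC TXT record for the weak settings a reviewer would flag (p=none, unenforced subdomains, a sampling percentage below 100, no rua address) beside a parser for the aggregate (rua) reports receivers send back, which lists the sources that put your domain in the From header and failed alignment, i.e. the spoofing attempts the control is meant to surface. The two records and the report are constructed; the XML follows the RFC 7489 aggregate-report layout, and the domains and IP addresses are documentation examples.

```python
import xml.etree.ElementTree as ET

# Constructed records: the monitoring-only and the enforcing form of one domain's policy.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@logistics.nl; adkim=s; aspf=s"

# Constructed aggregate report in the RFC 7489 layout (not a real receiver's report).
SAMPLE_REPORT = """\
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>logistics.nl</domain>
    <p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>812</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>logistics.nl</header_from></identifiers>
    <auth_results>
      <dkim><domain>logistics.nl</domain><result>pass</result></dkim>
      <spf><domain>logistics.nl</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>43</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>logistics.nl</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary (tag names lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc_record(txt):
    """Return the weaknesses a reviewer would flag; an empty list means the record enforces."""
    t = parse_dmarc_record(txt)
    if t.get("v") != "DMARC1" or "p" not in t:
        return ["not a valid DMARC record (needs v=DMARC1 and a p= tag)"]
    issues = []
    if t["p"] != "reject":
        issues.append(f"p={t['p']}: receivers are not told to reject mail that fails alignment")
    sp = t.get("sp", t["p"])  # sp defaults to p when absent
    if sp != "reject":
        issues.append(f"sp={sp}: subdomains are left unenforced")
    if int(t.get("pct", "100")) < 100:
        issues.append(f"pct={t['pct']}: the policy is applied to only a sample of failing mail")
    if "rua" not in t:
        issues.append("no rua= address: aggregate reports are never collected, so spoofing goes unseen")
    return issues


def summarize_report(xml_text):
    """One row per source in an aggregate report, with the DMARC verdict for that source."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": ev.findtext("disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
            # DMARC passes when either aligned DKIM or aligned SPF passes
            "dmarc_pass": "pass" in (ev.findtext("dkim"), ev.findtext("spf")),
            "spf_domains": [d.text for d in rec.findall("auth_results/spf/domain")],
        })
    return rows


def spoofing_sources(rows):
    """Sources that put our domain in From: and failed alignment: candidates for investigation."""
    return [r for r in rows if not r["dmarc_pass"]]


if __name__ == "__main__":
    for rec in (WEAK_RECORD, STRONG_RECORD):
        print(rec, "->", assess_dmarc_record(rec) or ["enforcing"])
    for r in spoofing_sources(summarize_report(SAMPLE_REPORT)):
        print(f"{r['source_ip']}: {r['count']} messages claiming {r['header_from']}, "
              f"SPF domains {r['spf_domains']}, disposition {r['disposition']}")
```

The second record in the sample is the pattern to look for in real reports: a source you do not recognise, SPF passing for some other domain, DKIM absent, and the receiver applying the published reject. A sudden spike from such a source against your finance staff's correspondents is the earliest external signal you get of an impersonation campaign. Note that this only covers mail spoofing your own domain; look-alike domains an attacker registers produce no report at all, which is why the gateway rules and FIDO2 rollout above are still needed.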

    Policy controls

    • Mandatory two-person rule and out-of-band verification for any payment-instruction change above a defined threshold — written into finance policy, not training
    • Explicit 'we never ask you to bypass workflow' message from leadership, repeated quarterly
    • Reporting flow that takes less than 10 seconds (one button) and protects reporters from any blame for false positives
    • Quarterly review of which staff have rights to initiate wire transfers — minimise the attack surface to people who actually need it

    Training cadence

    Awareness modules are necessary but insufficient on their own. Pair this module with a quarterly simulated spear-phishing campaign that targets the actual risk groups (finance, executives, IT admins) with realistic pretexts — not the generic templates default platforms ship with. Reporting rate matters more than click rate as a metric.

    Quick check

    Five questions. Answers and rationale appear after submission.

1. An email arrives from your CFO's address quoting a real email thread you exchanged last month, but with a different IBAN. The sender domain is one character off. What is the first thing you should do?

    2. Which of the following is the strongest defence against spear phishing that uses an Evilginx reverse-proxy MFA-bypass kit?

    3. What is the most reliable single signal that an email is spear phishing, even when everything else looks correct?

    4. Your colleague received a spear-phishing email and clicked a link, entering credentials into a fake login page. What should they do FIRST?

    5. The attacker quoted a real internal email thread. How did they most likely obtain it?


This module is HackersHub-endorsed exactly as you see it here, watermark and all. Free under CC-BY-ND 4.0. Edit the content? Remove our watermark first. — The HackersHub team