
What’s Behind The Rise of Spear Phishing Attacks on IT Leaders?

IT leaders are in the crosshairs of sophisticated, AI-assisted spear phishing campaigns that exploit both human trust and digital access.

Phishing has been a mainstay of cybercrime for decades and for good reason. Threat actors continually evolve their phishing tactics, techniques, and procedures (TTPs), adapting the method with new tools and technologies to ensure it remains highly effective. IT leaders have become especially attractive targets: their privileged access amplifies the impact of a successful compromise. Today, IT leaders are in the crosshairs of sophisticated, AI-assisted spear phishing campaigns that exploit both human trust and digital access, making them some of the most lucrative attacks in the cyber landscape. 

How Spear Phishing Has Evolved

Most IT leaders say they’re confident they could spot a phishing email. Recent Arctic Wolf research found that 76% of IT leaders expressed confidence in their ability to spot a phishing email – a sentiment that’s understandable, but increasingly at odds with today’s threat reality. Today’s spear-phishing campaigns use automation, AI-driven data gathering, and behavioural analytics to create highly convincing, context-aware messages at a pace that manual operations could never match.

Rather than sending broad, easily spotted lures, modern attackers mirror legitimate workflows, reference active initiatives, and emulate trusted senders from within collaboration tools and business systems. This evolution blurs the line between a suspicious email and a credible message.

This growing sophistication explains why even seasoned IT professionals remain vulnerable. The mechanics of spear phishing haven’t changed, but its precision, speed, and contextual awareness have made it far more difficult to detect and defend against.

As these campaigns become more advanced, attackers are also becoming more selective. Increasingly, their attention is turning toward individuals whose access and influence can deliver the greatest payoff, which helps explain why IT leaders have emerged as some of the most frequent and valuable targets.

Why Spear Phishing Works

The data about spear phishing and IT leaders speaks volumes. According to the Arctic Wolf Human Risk Behaviour Snapshot: 2nd Edition, 39% of IT leaders worldwide have been targeted by a phishing attack in the last 12 months, 35% by a malware download, and 65% admit to clicking on phishing links during that same period – over one-third of them more than once. These findings show that even the most technically proficient professionals remain susceptible to increasingly personalised and well-timed social-engineering tactics.

Even with strong technical controls, spear phishing remains effective because it focuses on the one variable technology can’t fully defend: human behaviour. These campaigns prey on the same instincts that make people efficient at work: trust, urgency, and familiarity. By exploiting those impulses, attackers can slip past even the strongest defenses.

Confidence compounds the challenge. Many IT leaders assume their expertise makes them less likely to fall victim to social engineering attempts. As stated above, 76% of IT leaders remain confident their organization wouldn’t fall for a social engineering attack, even though the number of overall breaches and the volume of IT leaders who have clicked on phishing links have remained steady year-over-year. IT leaders click on phishing links at a 15% higher rate than end users (65% compared to 50%), highlighting how their overconfidence may be leading to complacency.

Looking at this confidence issue further, Arctic Wolf research showed that IT leaders from large enterprises (between 3,000 and 4,999 employees) were the most confident in their ability to spot social engineering, at 85%. This is in direct conflict with the reality that more employees means more inboxes for threat actors to target and a larger human attack surface that needs to be secured.

In short, spear phishing works not because IT leaders lack awareness, but because attackers have learned to weaponise trust, context, and timing with near-surgical precision.

That gap between perceived awareness and real-world outcomes highlights how spear phishing now operates as much on human behaviour as on technical opportunity.

Why IT Leaders Are Targets of Spear Phishing

Attackers rarely cast a wide net without purpose. The reason IT leaders are now prime targets for spear phishing often centers on one factor: access to systems, to people, and to information that can unlock the rest of the environment.

From a business perspective, IT leaders:

  • Often have high-value access to applications, assets, and the larger network
  • Are trusted communicators and more likely to read/respond to an email promptly
  • Hold insider knowledge about the target organisation
  • May work with third-party users and vendors for access and other tasks

From a technical perspective, IT leaders:

  • Have privileged access to IT and security systems within the organisation
  • Often have control over identity and authentication applications or systems (such as Microsoft Active Directory)
  • Have privileged permissions within security controls
  • Have access to sensitive assets within the organisation

These combined factors not only make IT leaders a reliable target but also a strategic one. Compromising a single, well-positioned identity can deliver far greater impact than breaching dozens of lower-level users, granting attackers deep operational control, elevated access to sensitive systems, and the credibility needed to move freely across the environment.

In recent campaigns, for example, adversaries have spoofed trusted cloud service portals, such as OneDrive, prompting IT leaders to re-authenticate through fake login pages. A single successful attempt can expose sensitive credentials, financial documentation, or technical data, giving threat actors the foothold they need to escalate privileges and entrench themselves within the organisation.

That potential payoff makes spear phishing one of the most efficient, high-reward attack vectors for modern threat actors.

Spear Phishing and AI

Artificial intelligence (AI) is fundamentally reshaping how spear-phishing campaigns are planned and executed. What once required hours of manual research and drafting can now be done in seconds with large language models (LLMs) and automated data collection tools. Threat actors can harvest public and breached information, analyse an organisation’s communication style, and generate tailored outreach that reflects tone, organisational nuance, and timing with alarming precision.

This growing use of AI means IT leaders, and all users alike, can no longer rely on traditional tell-tale signs of phishing emails. Misspellings, awkward phrasing, and other “red flag” indicators have been replaced with grammatically perfect, relevant messages that mirror authentic correspondence. AI models can even mirror an organisation’s internal shorthand and communication norms, making social engineering attempts harder to detect, especially in high-volume inboxes.

A recent empirical study, Evaluating Large Language Models’ Capability to Launch Fully Automated Spear Phishing Campaigns, demonstrated the impact of this transformation: researchers found that AI-generated spear phishing emails achieved a 54% click-through rate, compared to 12% for a control group. The takeaway isn’t just that AI increases efficiency; it significantly boosts effectiveness, scale, and believability.

How IT Leaders Can Protect Themselves from Spear Phishing

Defending against spear phishing, like other forms of social engineering, takes a multi-pronged approach that unites awareness, discipline, and visible leadership. Because IT leaders shape organisational culture and influence technology decisions, the example they set directly affects the organisation’s overall resilience.

The Arctic Wolf Human Risk Behaviour Snapshot: 2nd Edition also reveals that 21% of global IT leaders have clicked on a phishing link at least once without reporting it, and 44% have disabled security measures to complete work more efficiently. These behaviours highlight a critical truth: when leaders bypass security protocols, even with good intentions, they normalise risky shortcuts for everyone else. To strengthen protection at both the individual and organisational level, IT leaders should:

1. Deploy advanced email security solutions. Use robust email security that includes behavioural analysis, sender reputation, and real-time link and attachment inspection to identify anomalies and block malicious content before it reaches users.

2. Scrutinise and minimise external exposure. Even routine information like job updates or partnership announcements can help attackers craft realistic phishing content. Limit what’s shared publicly and coordinate with communications teams to ensure sensitive or technical details aren’t disclosed.

3. Install and maintain endpoint security. If a spear phishing attack is initially successful, endpoint security can help stop it from escalating by detecting and blocking fileless malware, ransomware, or post-exploit scripts, monitoring endpoints for potential lateral movement or command-and-control (C2) communication, and blocking untrusted scripts from executing within Microsoft Office applications.

4. Enforce a zero trust strategy that includes multi-factor authentication (MFA). A zero trust strategy relies on point-in-time verification, control, and restriction of access, achieved through controls such as MFA. While this can’t stop spear phishing from appearing in inboxes, if a user hands over credentials during an attack, this extra layer of access security can prevent the threat actor from moving deeper into the network or gaining access to vital applications.

5. Deploy security awareness training that includes phishing simulations. While most organisations have some form of security awareness training in place, comprehensive training that utilises micro-learning, frequent sessions, and realistic phishing simulations can not only enhance a culture of security but also greatly reduce human risk.
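
One way to express the link inspection from step 1, applied to the spoofed OneDrive re-authentication lure described earlier; this is an added example, not Arctic Wolf code. The BRAND_HOSTS allowlist, the sample message, and the function names are assumptions made for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brand keyword -> domains this organisation accepts for it.
BRAND_HOSTS = {"onedrive": ("onedrive.live.com", "sharepoint.com", "microsoftonline.com")}

# Constructed sample message using reserved example domains.
SAMPLE = """\
From: "IT Service Desk" <servicedesk@example.com>
Subject: OneDrive session expired
Authentication-Results: mx.example.com; spf=pass; dkim=fail; dmarc=fail
Content-Type: text/html; charset=utf-8

<p><a href="https://onedrive.live.com.login-check.example.net/auth">Sign in</a> again.</p>
"""

class LinkCollector(HTMLParser):
    """Collect link targets and visible text from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")
    def handle_data(self, data):
        self.text.append(data)

def host_allowed(host, allowed):
    # Exact domain or a true subdomain; a substring match would be fooled.
    return any(host == d or host.endswith("." + d) for d in allowed)

def inspect_message(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    # Only trust an Authentication-Results header stamped by your own MTA.
    auth = str(msg.get("Authentication-Results", "")).lower()
    findings = [f"{c} did not pass" for c in ("spf", "dkim", "dmarc") if f"{c}=pass" not in auth]
    body = msg.get_body(preferencelist=("html",))
    page = LinkCollector()
    page.feed(body.get_content() if body else "")
    visible = (str(msg["Subject"]) + " " + " ".join(page.text)).lower()
    for brand, allowed in BRAND_HOSTS.items():
        for href in page.hrefs:
            host = (urlsplit(href).hostname or "").lower()
            if host and brand in visible and not host_allowed(host, allowed):
                findings.append(f"{brand} lure links to {host}")
    return findings
```

Treat the findings as triage signals to combine with sender reputation and behavioural analysis, since a legitimate message that mentions OneDrive and links to an unrelated site is also flagged.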

Ultimately, protecting against spear phishing starts at the top. Leadership behaviour sets the tone for security culture, and when IT leaders consistently model strong security practices, they make those practices easier for others to follow.

Explore human risk factors within organisations, and what leadership can do to reduce that risk with Human Risk Behaviour Snapshot: 2nd edition.

Take a deep dive into both human risk and the value of proper security training with the Arctic Wolf Cybersecurity Awareness Summit.
