Spear phishing, or targeted phishing, has nothing to do with mass scams. The attacker knows your name, your position, your org chart, sometimes your current projects. They send you a credible email signed by a known colleague or partner. According to ENISA, 65% of wire fraud incidents in Europe go through spear phishing. Here is how to identify it, and why a classic anti-spam filter misses it.

Why anti-spam filters fail on spear phishing

Traditional anti-spam filters (Microsoft Defender, Proofpoint, etc.) classify an email based on:

  • Sender IP reputation (blacklists)
  • Content ("viagra", "cialis" keywords, etc.)
  • Attachments (known malware signatures)
  • URLs (known domain blacklists)

However, a typical spear phishing email is sent from a real compromised mailbox, or from a new mailbox impersonating a colleague's name, with no malicious attachment, no known-bad URL and no suspicious keyword. Classic anti-spam filters let it through because, on every signal they check, it looks like a legitimate email.

The 4 spear phishing patterns

1. Internal name impersonation
Email claiming to come from your CEO, but sent from p.smith@gmail.com when the real address is p.smith@your-company.com. The displayed name is correct, the address isn't.

2. Cousin domain
The attacker buys a domain very close to yours: your-company-corp.com, your-companÿ.com (with ÿ instead of y), your.enterprise.com. The first characters are identical, so the eye doesn't catch the difference.

3. Supplier account compromise
Your real supplier is hacked. The attacker sends, from the supplier's actual mailbox, "Our IBAN has changed, please update". The email is technically legitimate (SPF/DKIM pass) but the content is fraudulent.

4. Pretexting
The attacker has done research: they know the current project, the CFO's name, the schedule. The email says "As agreed during Tuesday's meeting, here are the wire transfer details." No technical marker betrays it.

How Fiabli detects spear phishing

Our AI is trained to recognize patterns specific to spear phishing:

  • Display name spoofing detection: we compare the displayed name to all real addresses in your tenant. If "Pierre Smith" is used by a sender external to your domain, alert.
  • Cousin domain detection: Levenshtein distance between the sending domain and your domain. Distance ≤ 2 characters = alert.
  • Sudden behavior change detection: if a supplier who usually writes from billing@supplier.com suddenly sends from billing@supplier.com.io, alert.
  • Claude Sonnet 4.6 contextual analysis: on wire transfer requests, IBAN changes or financial urgency, automatic escalation to Sonnet for fine-grained analysis.
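The following is an added example, not Fiabli's code, that applies the four patterns described above (name impersonation, cousin domain, supplier sender change, financial pretext) to constructed message headers. The tenant domain, directory and supplier list are assumptions, as is the NFKD folding used to map look-alike characters such as ÿ back onto ASCII before measuring edit distance. It goes one step beyond the page's stated ≤ 2 rule: a domain like your-company-corp.com is 5 edits away from your-company.com, so the example also alerts when the organisation's label is embedded in a foreign domain. The keyword escalation stands in for the contextual analysis the page describes; it is the reason the SPF-clean supplier message still gets flagged.

```python
# Added example (not Fiabli's code): minimal spear-phishing triage over
# constructed headers, applying the patterns described on the page.
from email.utils import parseaddr
import unicodedata

ORG_DOMAIN = "your-company.com"                                # assumed tenant domain
KNOWN_PEOPLE = {"pierre smith": "p.smith@your-company.com"}     # assumed directory
KNOWN_SUPPLIERS = {"billing@supplier.com"}                     # assumed past correspondents
FINANCIAL_TRIGGERS = ("iban", "wire transfer", "bank details", "urgent")


def levenshtein(a: str, b: str) -> int:
    """Standard dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Lower-case and strip combining marks so e.g. 'ÿ' folds to 'y' (assumed heuristic)."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    return "".join(c for c in folded if not unicodedata.combining(c))


def triage(from_header: str, subject: str, body: str, spf_pass: bool = True) -> list:
    """Return a list of alert strings for one message; an empty list means no finding."""
    alerts = []
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.partition("@")
    folded = normalise_domain(domain)

    # 1. Internal name impersonation: a known employee's display name on another address.
    real = KNOWN_PEOPLE.get(display.strip().lower())
    if real and addr != real:
        alerts.append(f"display-name spoofing: '{display}' is {real}, not {addr}")

    # 2. Cousin domain: page rule is edit distance <= 2; embedded-label check is an extension.
    if domain != ORG_DOMAIN:
        dist = levenshtein(folded, ORG_DOMAIN)
        label = ORG_DOMAIN.split(".")[0]
        if dist <= 2:
            alerts.append(f"cousin domain: {domain} is {dist} edit(s) from {ORG_DOMAIN}")
        elif label in folded:
            alerts.append(f"cousin domain: {domain} embeds the label '{label}'")

    # 3. Sudden behaviour change: a known supplier mailbox name from an unexpected domain.
    for known in KNOWN_SUPPLIERS:
        k_local, _, k_domain = known.partition("@")
        if local == k_local and domain != k_domain:
            alerts.append(f"sender change: {known} now writes from {domain}")

    # 4. Pretexting / compromised supplier: no header marker, so escalate on content.
    text = f"{subject} {body}".lower()
    hits = [t for t in FINANCIAL_TRIGGERS if t in text]
    if hits:
        alerts.append(f"escalate for contextual review: {', '.join(hits)}")
    if not spf_pass:
        alerts.append("SPF failed")
    return alerts


if __name__ == "__main__":
    # Constructed samples, one per pattern on the page.
    samples = [
        ("Pierre Smith <p.smith@gmail.com>", "Quick favour", "Can you call me?"),
        ("Pierre Smith <p.smith@your-companÿ.com>", "Invoice", "Attached."),
        ("billing@supplier.com.io", "New details", "Please update our bank details"),
        ("billing@supplier.com", "Notice", "Our IBAN has changed, please update"),
    ]
    for hdr, subj, body in samples:
        print(hdr, "->", triage(hdr, subj, body))
```

Note that the compromised-supplier case (pattern 3) produces no header-level alert at all, only the content escalation; that is exactly why the page treats the contextual pass as a separate layer rather than a tweak to the domain rules.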

The role of humans: training remains essential

No AI, however good, replaces a trained team. Best practices to instill in any organization:

  • Double validation for any unusual transfer, via a different channel (phone, in person)
  • Verify IBAN systematically: an IBAN change from a known supplier = mandatory phone call
  • Never click an urgent email link: go directly to the official site
  • Regular awareness training: short sessions (15 min) every 6 months, real examples

Return on investment

According to the IBM 2024 "Cost of a Data Breach" report, the average cost of a successful wire fraud in European SMBs is ~€50,000. For healthcare, it climbs to €165,000. For finance, €200,000+.

Compared to a Fiabli SMB subscription (€79/month = €948/year), a single phishing attempt avoided per year pays for the tool 50× over. That is before counting time saved on manual analyses and the peace of mind regained by the team.

Going further

Spear phishing is probably the most underestimated cyber risk in SMBs. It doesn't make headlines like ransomware, but it silently empties accounts. Defense rests on 3 complementary pillars: technical (AI detection plus strict SPF/DKIM/DMARC), process (double validation, training), and cultural (make it safe to voice doubts: a colleague should never fear asking "is this email legit?").

To activate advanced spear phishing detection on your business mailboxes, create a Fiabli TPE or PME plan account and benefit from Sonnet 4.6 analysis on critical cases.

Ready to protect your mailbox?

Activate Fiabli in 2 minutes. First verdict in under 2 seconds. Free plan forever.
