Thursday, June 02, 2011

Q: What is spear phishing?

A: Regular "phishing" (pronounced just like "fishing") is basically spam e-mail sent indiscriminately to people in the hope that some of them are dumb enough to click on the link and then enter their "real" information, which is handed straight to the scammers. It's the spam technique combined with the "fake login" technique. However, this is easily filtered. For example, if my bank account is at Chase, I will surely ignore all phishing attempts that want me to reset my account at Wells Fargo or Citibank, as I don't have accounts there.

Spear phishing is a little different. Spear phishing is targeted at specific individuals in a specific organization and/or people in their social circle. It's still phishing, but it is highly targeted, based on gathering more information about the individual(s) in question. It is personalized phishing. In the example above, if the spear phisher wants to target the theoretical me, he will send a fake login page in the name of Chase bank instead of banks I don't use.

If you know that the individual banks at a certain bank and shops at a certain supermarket, you can send fake logins to that individual requesting him/her to reset a password at the bank website and/or the supermarket website. This way, the fake logins are less likely to be ignored. It is "targeted" phishing that takes advantage of "social engineering".

Spear phishing had been identified several months earlier, but it became widely known when Google pointed the finger at China as the origin of many spear phishing attacks aimed at Gmail users. China denies the allegations.

