Spear phishers take aim at selected individuals, often at a targeted organization. The attacker taps into widely available personal and behavioral data to profile individuals, and then constructs a plan to lure the victim to click on a viral email attachment or navigate to a corrupted web page. Malicious code typically embeds itself on the victim's computing device, giving the attacker control.

Spear phishing continues to turn up as the trigger for massive network breaches at organizations including Target, Sony Pictures, Anthem and the U.S. Office of Personnel Management.

The Anti-Phishing Working Group, the global coalition of tech vendors, government agencies, law enforcement agencies and non-governmental organizations focused on the problem, just announced the number of observed phishing attacks in the first quarter of 2016 hit a new high since it began tracking them in 2004.

APWG Secretary General Peter Cassidy said, "It is not uncommon these days to see an attack that targets specific personalities within an enterprise and loads a malware payload that opens a pathway to the data the attackers prize."

The whitepaper noted spear phishing attacks are difficult to isolate from the white noise emanating from widely distributed, general email phishing campaigns. Spear phishing attacks, while not extensively broadcasted, usually involve a very small number of stealthy lures. However, once spear phishers gain a toehold on the computing device of the selected victim, the sky is the limit, the whitepaper noted.

The attacker has numerous ways to install malware, seek out privileged access accounts, and scour breached networks for confidential business plans, information about current negotiations and other valuable data. Cyberthieves can also manipulate, disrupt or destroy wide swaths of the breached organization's network.

Law enforcement officials refer to these types of attacks as business email compromise scams. The FBI reported a 270% increase in reported global losses from January to August 2015 due to BEC scams.

"Another reason spear phishing endures: Too many organizations continue to turn a blind eye and a deaf ear to this exposure," the whitepaper observed. "All businesses should assume they are being reconnoitered by bad actors and take methodical steps to identify, respond to and recover from spear phishing attacks."

The whitepaper pointed out there is no silver bullet to achieve impregnability to cyberattacks, nor is there any vaccination for spear phishing. It noted there are two encouraging developments gaining momentum, however.

First, new technologies to track malicious traffic, both probing and circulating inside private networks, are rapidly advancing; so too are systems to more efficiently collect, correlate, share and act upon useful intel.

Second, there is a rising consensus in the vendor community that wider intelligence sharing among vendors and between the private and public sectors is a worthy objective.

"Enterprises must ensure that their employees receive and interact with only authentic and trustworthy messages," the whitepaper said.