22 January 2007
In recent years the term phishing has become well known. It first became common in the security community, but soon it also became an ordinary word, used without further explanation in news articles and other media.
Recently a specialized form of phishing has begun to appear; the term used for this is "spear phishing".
The "usual" phishing attempts target several (usually many) more or less random individuals, with the intent of getting some of them to perform a specific action that compromises their personal information in some way. Spear phishing, on the other hand, does not normally target random individuals.
Spear phishing targets a particular organization. This can be a phishing attempt by an organization against a competitor (most commonly for industrial espionage), by an intelligence agency against a suspicious company, or by criminal elements against law enforcement organizations.
Most people have been warned numerous times about phishing attempts that try to trick them into revealing user names and passwords for banks etc. Presumably not many of us will any longer believe that a bank sends requests by email asking for confirmation of e.g. user names, passwords or credit card information.
Enter spear phishing: the culprit now has the ability to customize an extremely convincing fake email, e.g. one that looks like it was sent by the head of the IT department. The email can further be customized in such a way that it obviously refers to that particular organization only. In any phishing scenario it is the social engineering skills of the perpetrator that determine the attempt's success rate; in a spear phishing attack, however, the potential for success is much higher.
The person who sets up the spear phishing attack has several different tools to use once any of the persons in the targeted organization is successfully "hit by the spear". She can install backdoors on the compromised computer(s) and thereby gain access to the computer or network to obtain confidential information. She can install keyloggers that send the keystrokes of user names and passwords to the attacker. She can install viruses that send all files of a particular type that the compromised computer can access to the attacker. Etc. etc...
Unlike the more common general phishing attempts, spear phishing attacks are more difficult to defend against. There are at least two reasons for this:
- the attacks are aimed at a small number of persons, which makes it difficult for the security community to become aware of them, provide protection against them and alert about them
- since the attacks target personnel in one particular organization, the social engineering techniques can be very specific and customized to the personnel in that organization only.
