Security researchers at the Georgia Institute of Technology say the attacks often take the form of emails that seem to originate from a fellow worker or a superior, asking workers to visit a particular website or provide some personal or work-related information.
The website may attempt to install malware on the corporate network, launch a virus or ask for a user's password, they said.
"Spear phishing is the most popular way to get into a corporate network these days," researcher Andrew Howard said. "Because the malware authors now have some information about the people they are sending these to, they are more likely to get a response. When they know something about you, they can dramatically increase their odds."
Public information, much of it from social media sites, often provides the attacker with that personal information.
The weakest link in a corporate network can be a single worker who falls for an authentic-looking email, the researcher said.
"Organizations can spend millions and millions of dollars to protect their networks, but all it takes is one carefully crafted email to let someone into it," Howard said. "It's very difficult to put technical controls into place to prevent humans from making a mistake. To keep these attacks out, email users have to do the right thing every single time."