Spearphishing involves a component of social engineering
Compromising someone's digital security is time-consuming, though not for the reasons pop culture might suggest. Hacking isn't a matter of typing furiously into a cyberpunk-y computer terminal like in The Matrix (although Cooper Quintin--staff technologist at the Electronic Frontier Foundation--did indeed spend much of our session typing into an old-fashioned command-line interface).
What he needed was time to skulk through my social-media profiles to figure out who I was, who my friends were, where I worked, who I worked with, who I was close to, who I would trust--the kind of information, thanks to social media, that's available to anyone who wants to look. This is the key difference between spearphishing and regular ol' phishing. Spearphishing involves a component of social engineering: It's the most boring kind of hacking, but also the most dangerous.
A social engineer might pretend to be a customer-service representative at Comcast, the IT guy at your company, even the sender of an automated FedEx package-tracking e-mail. A good social engineer can convincingly take on the guise of a colleague, an acquaintance, a friend, even sometimes a relative. It's shocking the things you'll click on if you trust the sender.
Someone trying to collect a flag might pretend to be another employee working in a different department of the company, an outside salesperson making an inquiry, or the IT help desk. The goal is to pass under the radar; to be a boring, routine communication you answer without thinking twice. Good social engineers persuade people to give something away without a second thought, because the request is so innocuous--like a friend asking me to look at his or her Google Doc. Spearphishing is just another form of social engineering.