Phishing dates back to the mid-nineties. The first recorded phishing attacks were carried out by scammers who posed as AOL employees and sent emails to AOL subscribers, asking them to “verify” their account or “confirm” their billing information. Ever since then, phishers and anti-phishing technologies (chiefly email filters) have been locked in a war of attrition.
Old-fashioned phishing remains a problem. However, over the years, individuals and businesses have increasingly got wise to phishing. People are much savvier at spotting spam than they used to be. Modern email filters are powerful.
Spear phishing developed specifically to counter the declining effectiveness of phishing by introducing more sophisticated forms of imposture. By putting on a convincing and highly tailored digital mask, bad actors could reduce the quantity of their phishing, but significantly up its quality.
The 2010s saw numerous high-profile instances of successful spear phishing. Between 2013 and 2015, a Lithuanian cyber-criminal named Evaldas Rimašauskas managed to fool both Google and Facebook into sending him a total of $123 million. Rimašauskas masqueraded as a vendor to both tech companies and delivered well-crafted and convincing invoices. In 2015, the New York-based Ubiquiti Networks fell victim to a spear phishing attack. The fraudsters, impersonating the company’s CEO, invoiced the company's finance department and extracted $46.7 million into overseas accounts.
One of the most notorious spear phishing incidents of all was 2018’s Operation Sharpshooter. An elaborate infiltration campaign attributed to North Korea’s Lazarus Group, the operation targeted 87 different firms. Spear phishing played a key role, as hackers posed as job recruiters to send weaponized Word documents (macros in the documents used embedded shellcode to inject the Sharpshooter downloader into Word’s memory).
Today, spear phishing is an epidemic, and it is getting increasingly worse. In 2017, 76% of global businesses fell victim to spear phishing. The following year, that figure rose to 83%.
In 2019, a massive 90% of organizations faced spear phishing attacks.