Dive into the world of spear phishing — highly targeted email attacks that impersonate trusted contacts to steal credentials or deploy malware. These articles break down real attack examples, explain how attackers research victims, and offer concrete defense techniques.
posts
In January 2023, Reddit disclosed that an attacker had used a carefully crafted phishing email — targeting a specific employee with internal details about the company — to steal credentials and access internal systems. It wasn't a mass-blast scam. It was a precision strike. That's spear phishing in
The $47 Million Email That Fooled a Fortune 500 CFO In 2016, an Austrian aerospace company called FACC lost €42 million (roughly $47 million USD) because a threat actor impersonated the CEO in an email to the finance department. The message requested an urgent wire transfer for a fake acquisition
In March 2022, the threat actor group Lapsus$ breached Okta by spear phishing a single support engineer at a third-party contractor. That one compromised account gave the attackers a foothold that ultimately affected roughly 366 Okta customers. Not a mass email blast. Not a Nigerian prince scam. One carefully researched,
In March 2022, the FBI warned that business email compromise — a category dominated by spear phishing — cost victims over $2.4 billion in 2021 alone, making it the most financially damaging cybercrime category in the FBI IC3 Annual Report. That number dwarfs ransomware losses. So what is spear phishing, exactly,
In March 2022, the FBI's Internet Crime Complaint Center reported that business email compromise — a direct descendant of spear phishing — cost organizations over $2.4 billion in 2021 alone. That number dwarfs ransomware losses. Yet most people I talk to still think phishing means a badly written email
In July 2020, a teenager from Florida used spear phishing to compromise the internal tools at Twitter, hijacking 130 high-profile accounts — including those of Barack Obama, Elon Musk, and Apple — to run a Bitcoin scam. The attack didn't exploit some exotic zero-day vulnerability. It started with targeted messages
In December 2020, the world learned that SolarWinds — a company whose software sat inside thousands of government and corporate networks — had been compromised by a sophisticated nation-state threat actor. The initial intrusion vector? Targeted, carefully crafted communications designed to exploit trust. If you're asking what is spear phishing,
In 2020, a single spear phishing email sent to a Twitter employee gave attackers access to internal admin tools — and ultimately let them hijack verified accounts belonging to Barack Obama, Elon Musk, and Apple. The attackers walked away with over $100,000 in Bitcoin. That breach didn't start
The CEO Who Wired $17 Million to a Criminal In 2016, an executive at Austrian aerospace parts manufacturer FACC received what appeared to be a routine email from the company's CEO. The message instructed a wire transfer of approximately €42 million — roughly $47 million — to accounts controlled by
In 2023, MGM Resorts lost an estimated $100 million after a threat actor called Scattered Spider used a spear phishing phone call to trick a help desk employee into resetting credentials. One call. One employee. One hundred million dollars. That's not a bulk spam campaign — that's
