The economics inversion of 2024
For two decades, defender economics in phishing rested on an implicit assumption that sophisticated lures were expensive to produce. A credible spear-phishing lure required 30 to 90 minutes of human research and writing time, at attacker labour rates of approximately $50 per hour in mature criminal markets. The unit economics floor was approximately $300 per successful compromise, which capped the attacker's willingness to deploy sophisticated phishing at low-value targets and produced a defender expectation that sophisticated phishing was rare relative to bulk phishing.
The 2024 large language model wave broke that assumption. A controlled Harvard study (Heiding et al., 2024) found fully AI-automated lures achieved a 54 percent click-through rate, matching human experts (also 54 percent) and far above the 12 percent arbitrary-phishing control, at under one cent of model-inference cost per lure. The unit economics floor for expert-grade phishing collapsed from approximately $300 per compromise to under one cent. The attacker can now produce sophisticated, personalised lures at bulk-phishing volume and unit cost, which is a five-order-of-magnitude shift in the economic balance between attacker and defender.
The defender implication is structural. The historic mental model of phishing as a category with a bulk, low-value tail and a sophisticated, high-value head has collapsed into a single high-conversion category in which every lure carries the personalisation and grammatical polish that used to mark spear-phishing. Defenders should now assume that every phishing attempt is of sophisticated grade, that the conversion rate against any given user is approximately the 54 percent figure, and that defences which relied on the historic bulk-versus-spear distinction are no longer effective. [Heiding, Lermen and Schneier, Harvard, 2024 (arXiv 2412.00586); ENISA AI Threat Landscape 2024]