The two numbers that frame the page
Spear phishing is the targeted, researched form of phishing: the attacker addresses a specific individual with personalised content assembled from public sources (employer, role, recent activity). The category is not new, but its cost profile changed materially in 2024, when large language model output became good enough to generate convincing lures at scale. Two numbers anchor the 2026 picture: $1.76M per successful incident on the defender side, and a 54 percent click-through rate on fully AI-automated lures, matching expert human-written lures and far above the 12 percent arbitrary-phishing control.
The defender-cost figure is from Verizon's 2025 Data Breach Investigations Report: for breaches where spear phishing was confirmed as the initial vector, it sums the median incident-response engagement, credential-reset cycle, downstream pivot containment, and data-loss notification spend. The click-through figures are from a controlled Harvard study (Heiding, Lermen and Schneier, 2024), which ran a head-to-head test of fully AI-automated lures, expert human-written lures, and an arbitrary-phishing control group, holding target population and delivery channel constant. Fully automated AI lures reached 54 percent click-through, on par with the human experts (also 54 percent) and roughly 350 percent above the 12 percent control group. Two caveats apply when reusing these numbers: the DBIR figure is a sum of medians across confirmed spear-phishing breaches, not a per-organisation expectation, and the Harvard rates come from a controlled study on a limited participant pool, so they are best read as a comparison between lure types rather than as an enterprise-wide baseline. The result is nonetheless broadly consistent with later field measurements from NCSC UK and CISA.[Verizon DBIR 2025 + Heiding et al., Harvard 2024 (arXiv 2412.00586)]