PHISH-BEC

Between roughly 2013 and 2015, Lithuanian national Evaldas Rimasauskas ran a business email compromise scheme that defrauded Google and Facebook of about $120 million. He registered a company in Latvia under the same name as Quanta Computer, a Taiwan-based hardware maker both firms genuinely did business with, then emailed forged invoices, contracts, and letters on spoofed corporate letterhead to employees who routinely paid Quanta. The companies wired payments to attacker-controlled bank accounts — Facebook nearly $100 million and Google over $23 million — before the fraud was detected. Rimasauskas was arrested in March 2017, pleaded guilty to wire fraud in March 2019, and was sentenced to five years in prison and ordered to forfeit nearly $50 million. Both companies recovered most of the funds. It remains the textbook large-scale vendor-impersonation BEC.

Quishing delivers the phishing link as a QR code instead of a clickable URL, usually embedded in an email body, a PDF, or an image so it survives URL-reputation and link-scanning filters that only parse text. Scanning the code moves the victim onto a personal phone, outside enterprise EDR, proxy, and email controls, where a fake login page harvests credentials and is frequently chained with adversary-in-the-middle to steal the session. Adoption is rising fast: Microsoft reported QR-code phishing up roughly 146% and said pre-delivery scanning blocked about 1.5 million quishing attempts per day in 2024, and kits increasingly fold QR codes into OAuth device-code phishing flows.

Spear phishing is a phishing attack crafted for a specific person or organization using reconnaissance — role, current projects, colleagues, vendors — so the lure looks legitimate, unlike high-volume bulk phishing. The payload is usually a credential-harvesting login page or a weaponized attachment. It is the dominant initial-access vector behind major breaches (RSA in 2011, the 2016 Clinton-campaign compromise) and the entry point for most ransomware and BEC. Because it exploits human trust rather than a software flaw, technical controls alone do not stop it: defense pairs detonation and email authentication with phishing-resistant MFA and least privilege so a single phished account is contained.

In March 2016, Clinton campaign chairman John Podesta received a spear-phishing email disguised as a Google security alert warning that someone had his password and urging an immediate reset via a Bitly-shortened link to a fake Google login page. An IT aide asked to vet it replied that the email was 'legitimate' — reportedly a typo for 'illegitimate' — and Podesta entered his credentials on the attacker page. The Russian GRU group Fancy Bear (APT28) harvested the password and exfiltrated roughly 50,000 emails, later published by WikiLeaks during the U.S. election. No malware and no software exploit were involved: one convincing fake login page and one click. It is the canonical example of credential-harvesting spear phishing with outsized real-world impact.

In March 2011, attackers breached RSA Security (then part of EMC) with a spear-phishing email. Two small batches of messages subject-lined '2011 Recruitment Plan' were sent to low-profile employees with an Excel attachment; opening it triggered an Adobe Flash zero-day (CVE-2011-0609) that installed a Poison Ivy backdoor. From that single foothold the attackers escalated privileges, identified and stole privileged-user credentials, and exfiltrated data related to RSA's SecurID two-factor tokens. The stolen seed-related data was subsequently used in an attempted intrusion at defense contractor Lockheed Martin. RSA ultimately offered to replace SecurID tokens for affected customers, with remediation costs reported around $66 million. It is the canonical case of one opened attachment cascading into a supply-chain-grade compromise.

Adversary-in-the-middle phishing defeats most multi-factor authentication by proxying the real login page. The victim is lured to a reverse-proxy site (Evilginx, EvilProxy, Tycoon 2FA) that relays every request to the genuine service, so the user completes username, password, and the MFA challenge against the real site while the proxy silently captures the resulting session cookie. With that cookie the attacker replays an already-authenticated session and skips MFA entirely, then often pivots to business email compromise. Microsoft tracked an AiTM campaign that attempted to target more than 10,000 organizations from September 2021. One-time-code and push MFA do not stop it; only phishing-resistant, origin-bound credentials do.