In the New York Times article "Gone Spear Phishin’":

"The real challenge of spear-phishing is that it’s embarrassing, like head lice," said Alan Paller, research director at the SANS Institute, a group that trains and certifies computer security professionals. "Nobody wants to talk about it and say, ‘Look, we’re being hurt.’ There’s never been a better attack method than spear-phishing."

Obviously, this is an off-the-cuff quote, but it brings up an interesting question – what attack methods are best? There is plenty of reason to qualify what "best" means, but based on whatever prejudices you have, do you think there is a better attack method than spear-phishing?

I think I will toss in my vote for SQL Injection. It’s fairly straightforward, prevalent (at least was), and gets straight to the data.