Phishing and pretexting, both forms of social engineering, have led the data breach reports of 2021. The fraudulent practice of sending emails that induce targeted individuals to divulge confidential information or authorize wire transfers is no longer aimed only at the C-suite. As attackers refine their approach, employees in sales, project management, human resources and administration are on the hit list. With working from home the norm and employees relying on virtual communication channels, attackers have widened their target set, and impersonation has become more convincing.
Barracuda, a provider of cloud-enabled security solutions, has released Spear Phishing: Top Threats and Trends Vol. 6, highlighting how spear phishing attacks are evolving and whom cybercriminals are targeting with them.
- An average organization is targeted by over 700 social engineering attacks in a year.
- 1 in 10 social engineering attacks is a business email compromise (BEC).
- 77% of BEC attacks target employees outside of finance and executive roles.
- An average CEO will receive 57 targeted phishing attacks in a year.
- 43% of phishing attacks impersonate Microsoft brands.
- 1 in 5 BEC attacks target employees in sales roles.
- IT staffers receive an average of 40 targeted phishing attacks in a year.
- Cryptocurrency-related impersonation attacks grew 192% between October 2020 and April 2021.
According to the report, an average organization is targeted by over 700 social engineering attacks each year, and 77% of BEC attacks target employees outside of financial and executive roles, including personnel working in roles like sales (19%), project management (10%), human resources (10%) and admin (9%).
On targeted spear phishing, the report finds that CEOs attract an average of 57 targeted attacks per year, and that IT professionals are under fire too, attracting an average of 40 targeted spear phishing attacks per year.
“Cybercriminals are getting sneakier about who they target with their attacks, often focusing on employees outside of the C-Suite, looking for a weak link in your organization,” said James Wong, Regional Director for Southeast Asia and Korea at Barracuda. “Targeting lower-level employees offers cybercriminals a way to get in the door and then work their way up to higher-value targets. That’s why it’s important to make sure you have protection and training for all employees, rather than just focusing on those you think are the most likely to be attacked.”
43% of Phishing Attacks Impersonate Microsoft
Communication that appears to come from known sources, brands, services and e-commerce portals is an old trick of cybercriminals, because such messages are more likely to be trusted and to provoke a response.
According to the report, Microsoft is the most impersonated brand, appearing in 43% of phishing attacks, followed by WeTransfer (18%), DHL (8%) and Google (8%).
With 79% of organizations using Office 365, and many more looking at migrating in the immediate future, it’s not surprising that Microsoft brands remain a top target for cybercriminals.
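As an added illustration (not code from the Barracuda report), the following Python checks a From header for display-name brand impersonation: it flags messages whose display name invokes a brand such as Microsoft, WeTransfer, DHL or Google while the address domain is not one that brand actually sends from. The brand-to-domain allowlist and the sample headers are constructed assumptions for the example, not data from the report.

```python
# Added example, not from the Barracuda report: flag display-name brand
# impersonation in From: headers. The allowlist below is an assumption for
# illustration; a real deployment would maintain it from each vendor's
# published sending domains.
from email.utils import parseaddr

# Assumed legitimate sender domains per brand (illustrative, not exhaustive).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "wetransfer": {"wetransfer.com"},
    "dhl": {"dhl.com"},
    "google": {"google.com"},
}


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def domain_allowed(domain: str, allowed: set) -> bool:
    """True if domain equals, or is a subdomain of, an allowlisted domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_from_header(from_header: str) -> dict:
    """Verdict for one From: header value.

    A header is suspicious when the display name mentions a tracked brand
    but the actual address domain is not one that brand sends from.
    """
    display, addr = parseaddr(from_header)
    domain = sender_domain(addr)
    name = display.lower()
    brands = [b for b in BRAND_DOMAINS if b in name]
    if not brands:
        return {"brand": None, "domain": domain, "suspicious": False}
    brand = brands[0]
    return {
        "brand": brand,
        "domain": domain,
        "suspicious": not domain_allowed(domain, BRAND_DOMAINS[brand]),
    }


# Constructed sample headers for the example; none are real messages.
SAMPLES = [
    "Microsoft Account Team <no-reply@accountprotection.microsoft.com>",
    "Microsoft 365 Security <security-alert@m1crosoft-support.xyz>",
    '"support@microsoft.com" <relay@example.net>',
    "WeTransfer <noreply@wetransfer.com>",
    "DHL Express <tracking@dhl-parcel-delivery.top>",
    "Alice Example <alice@example.org>",
]


def suspicious_senders(headers=SAMPLES) -> list:
    """Return the address domains of headers judged to be impersonation."""
    return [v["domain"] for v in map(check_from_header, headers) if v["suspicious"]]


if __name__ == "__main__":
    for h in SAMPLES:
        print(check_from_header(h), "<-", h)
```

The third sample shows the common trick of putting a legitimate-looking address in the display name; the check still sees the real address domain. This only catches display names that contain the brand string; lookalike domains that avoid the brand name, and exact spoofing of the brand's own domain, need separate lookalike-domain checks and DMARC enforcement respectively.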
Cryptocurrency — The Currency of Choice for Cybercriminals
Cryptocurrency remains a favorite of cybercriminals because of its decentralized nature and lack of regulation. As a digital asset increasingly accepted by businesses, it has risen sharply in value: its price increased by almost 400% between October 2020 and April 2021. Attackers impersonated digital wallets and other cryptocurrency-related apps, sending fraudulent security alerts to steal login credentials.
Best practices to Protect Against Spear Phishing Attacks
- Take advantage of artificial intelligence
- Deploy account-takeover protection
- Implement Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- Train staffers to recognize and report attacks
- Review internal policies
- Maximize data-loss prevention
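Of the practices above, DMARC is the one with precise mechanics worth seeing end to end. The following Python is an added example (not code from the report or from Barracuda): it parses a DMARC TXT record and applies it to a message's SPF and DKIM results the way a receiving server does under RFC 7489, contrasting a monitor-only record (p=none) with an enforcing one (p=reject). The records, domains and authentication results are constructed for the example, and the organizational domain is approximated by the last two labels rather than by the Public Suffix List.

```python
# Added example, not from the Barracuda report: evaluate DMARC (RFC 7489)
# for one message given its SPF and DKIM results. Records, domains and
# results below are constructed for illustration.


def org_domain(domain: str) -> str:
    """Assumed organizational-domain rule: last two labels. Real receivers
    use the Public Suffix List so that e.g. example.co.uk is handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # RFC 7489 defaults: relaxed alignment unless adkim/aspf say strict.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record: str, from_domain: str,
             spf_pass: bool, spf_domain: str,
             dkim_pass: bool, dkim_domain: str) -> str:
    """Return 'pass', or the disposition the record requests on failure.

    from_domain: domain of the RFC5322.From header (what the user sees).
    spf_domain:  the domain SPF authenticated (MAIL FROM / HELO).
    dkim_domain: the d= tag of a DKIM signature that verified.
    DMARC passes if either mechanism passes AND aligns with from_domain.
    The pct= sampling tag is ignored here for clarity.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"] if policy["p"] in ("none", "quarantine", "reject") else "none"


# Constructed records: the weak monitor-only setting beside the enforcing one.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

# Constructed scenarios: (from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain)
LEGIT = ("example.com", True, "mail.example.com", True, "example.com")
SPOOF = ("example.com", True, "attacker.test", False, "")


def demo() -> dict:
    """Disposition of both scenarios under both records."""
    return {
        "legit/monitor": evaluate(MONITOR_RECORD, *LEGIT),
        "legit/enforce": evaluate(ENFORCE_RECORD, *LEGIT),
        "spoof/monitor": evaluate(MONITOR_RECORD, *SPOOF),
        "spoof/enforce": evaluate(ENFORCE_RECORD, *SPOOF),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

In the spoofed scenario SPF itself passes, because the attacker's own envelope domain has a valid SPF record; what catches the message is DMARC's requirement that the authenticated domain align with the visible From domain. Under p=none the disposition is "none": the receiver only reports, and the spoof is delivered. Moving to p=quarantine and then p=reject, once the aggregate reports show legitimate mail streams are aligned, is what turns DMARC into a control rather than a monitor.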
As attacks take new forms, organizations need to stay vigilant and invest in an inclusive approach that secures both the business and its last line of defense, the employees. Judicious use of technology and training can substantially reduce the risk of successful phishing attacks.