As we head into 2020, it’s clear that cybercriminals will continue using spear-phishing attacks as a go-to tactic for attacking victims. In these breaches, attackers heavily research their targets and craft carefully designed messages, usually impersonating a trusted colleague, website, or business. The attacks are designed to steal login credentials, financial data, and other information that can be used for other crimes.
Spear phishing commonly helps enable business email compromise (BEC) attacks. While BEC attacks are still a small percentage of spear phishing attacks overall, they have caused more than $26 billion in losses over four years, according to the FBI.
In a November 2019 report, “Spear Phishing: Top Threats and Trends,” Barracuda analyzed more than 1.5 million spear-phishing emails and identified common trends and types of attacks.
In this research, we identified four common types of spear-phishing attacks:
Brand Impersonation: This type of spear-phishing, designed to impersonate well-known companies and business applications, makes up nearly half of all attacks. They are the most popular type of attack because they are well designed as an entry point to harvest credentials and carry out account takeover.
Scams: These attacks are designed to capture private, sensitive, and personally identifiable information, such as bank accounts, credit card information, and Social Security numbers. Attackers trick victims into disclosing the information and then use it to either defraud them, steal their identities, or both. Attacks are executed using a variety of hooks, such as lottery winnings, unclaimed packages, donation solicitations, and other tactics.
Business Email Compromise: Also known as CEO fraud, whaling, and wire-transfer fraud, business email compromise only makes up a small percentage of spear-phishing attacks but it causes substantial losses. Scammers impersonate an employee in the organization, a partner, vendor, or other trusted person in an email requesting a wire transfer or personally identifiable information.
Blackmail: Most blackmail scams are sextortion attacks. Cybercriminals claim to have a compromising video, images, or other content allegedly recorded on the victim's computer and threaten to share it with all their email contacts unless they pay up.
Business Email Compromise is Costly
The Barracuda research focuses primarily on BEC attacks, because of their high cost. In these attacks, cybercriminals mimic typical business behavior in these operations, with most BEC attacks taking place on weekdays. The majority (85 percent) of BEC attacks are crafted to look like urgent requests meant to illicit an immediate response. As a result, three out of ten spear-phishing emails are successful in fooling employees if they impersonate HR or IT department personnel.
Because these attacks typically don’t include malicious links or attachments, they are often undetected by traditional email security tools. The attacks also rely on successful social engineering tactics.
In the past year , these types of spear-phishing attacks have cost an average financial loss of $270,000 per incident.
According to the report, business email compromise attacks have high click rates. One in ten spear-phishing emails successfully tricks a user into clicking. That number triples when the individual or department being impersonated is within the recipient’s organization. The survey also indicates that respondents believe the cost of these attacks is increasing, including financial impacts such as business interruption, reduced productivity, data loss, regulatory fines, and brand damage. One recent business email compromise scam cost a media conglomerate $29 million.
Stopping Spear-Phishing Attacks
Barracuda has identified several ways that companies can help protect their data and financial information from these types of BEC and spear-phishing attacks.
Educate Users: Train your customers’ employees on how to recognize employee impersonation. Be sure to point out that phishing attacks don’t always need to have a URL or an attachment, and remind them to double-check email addresses and to pay attention to unusual requests.
Create Robust Internal Policies: Establish policies and protocols that require additional safeguards for wire transfers and other financial transactions. Prohibit email requests for purchases and other monetary transactions. Ensure multiple people are involved in the approval process.
Enforce DMARC Authentication: Set up DMARC authentication to protect against attackers spoofing your email domain in their impersonation attacks.
Leverage Machine Learning: Don’t rely solely on traditional email security technologies, as most business email compromise attacks are designed to bypass security gateways. Machine learning technologies can analyze internal emails and learn an individual’s regular communication pattern. Using this data, artificial intelligence can spot anomalies to predict and detect attacks, that might otherwise go undetected.
Respond Quickly: Train your customers’ employees on how to recognize and report an attack. From there, you can use intelligence tools to perform threat hunting and deploy an automated incident response solution that identifies the scope of attacks and quickly removes malicious messages before any damage occurs.
To learn more, download the research report here.
Nathan Bradbury is Manager of Systems Engineering for Barracuda MSP, a provider of security and data protection solutions for managed services providers.