Spear-phishing attacks make up just 0.1% of all email-based attacks but are responsible for two-thirds of all breaches, Barracuda Networks has found.
In a report published on 24 May 2023, cloud-based security provider Barracuda shared the results of a survey of IT professionals about their experience of spear phishing and analysis of 50 billion emails from 3.5 million mailboxes, which included around 30 million spear-phishing emails.
It found that, of the 1,350 organisations surveyed, half had fallen victim to a spear-phishing attack in 2022, while a quarter had at least one email account compromised via an account takeover.
Of those subject to a successful spear-phishing attack, 55% reported machines infected with malware or viruses, while 49% and 48% respectively reported having sensitive data or login details stolen. A further 39% reported direct monetary loss as a result of spear phishing.
“Even though spear phishing is low-volume, with its targeted and social engineering tactics the technique leads to a disproportionate number of successful breaches, and the impact of just one successful attack can be devastating,” said Fleming Shi, chief technology officer at Barracuda.
“To help stay ahead of these highly effective attacks, businesses must invest in account takeover protection solutions with artificial intelligence capabilities. Such tools will have far greater efficacy than rule-based detection mechanisms. Improved efficacy in detection will help stop spear phishing with reduced response needed during an attack.”
Barracuda added that spear phishing was an even bigger problem for organisations with more than 50% of their workforce working remotely. For example, those firms with more than 50% of employees remote working reported 12 suspicious emails a day, compared with nine for those with less than a 50% remote workforce.
Firms with more remote workers also reported it taking longer to detect and respond to email security incidents, although threat detection remains an issue across the board, with it taking 43 hours on average to detect the attack, and another 56 hours on average to respond and remediate once an attack is detected.
In terms of the main types of spear-phishing attacks being conducted, 47% revolved around scamming people out of sensitive personal information, such as bank account details, credit cards and Social Security numbers, while 42% were brand impersonation attempts that sought to harvest people’s account information.
A further 8% of attacks involved business account compromise, where scammers impersonate an employee, partner, vendor, or another trusted person in an email to request wire transfers or personally identifiable information, while 3% used extortion techniques.
The report noted that larger organisations cited a lack of automation as the main obstacle to preventing more rapid response to security incidents.
“Smaller companies cite additional reasons almost equally, including the lack of predictability (29%), knowledge among staff (32%) and proper security tools (32%),” it said.
“Smaller companies appear to be still in the process of adopting appropriate tools and appear to have difficulty hiring and retaining knowledgeable staff. Once organisations have the right people, processes and technology in place, they can take advantage of accelerators available to expedite response work, including automation.”
Barracuda also noted a difference in spear-phishing frequency between different email providers, with 57% of organisations using Gmail reporting a successful spear-phishing attack, compared with 41% for those using Microsoft.
“In the Microsoft environment, there are many security options available to layer on, which provides better protection,” it said.
In March 2023, email security company Egress found that 92% of organisations had fallen victim to a successful phishing attack in their Microsoft 365 environments over the past year, with a further 98% of cyber security managers expressing frustration with secure email gateway (SEG) technologies.
It recommended deploying integrated cloud email security (ICES) solutions that use behaviour-based security to detect anomalies in people’s actions to detect and stop advanced phishing threats.