Phishing scams aren’t as compelling as some of the more sophisticated attacks that you read about. But their prosaic nature is part of what makes them so concerning.
After all, every unusual email you receive could be a phishing scam, whether it’s an account reset message from Amazon or a work request from your boss.
Evidence shows that such attacks occur regularly and are highly convincing. For example, Proofpoint’s Understanding Email Fraud Survey found that 75% of organisations had been hit by at least one spear phishing email in 2018.
Spear phishing is a specific type of phishing attack in which criminals tailor their scams to a specific person. They do this by researching the target online – often using information from social media – and by imitating a familiar email address.
For example, if the target works at ‘Company X’, the attacker might register the domain ‘connpanyx’ (that’s c-o-n-n-p-a-n-y-x rather than c-o-m-p-a-n-y-x), hoping that the recipient won’t spot the difference.
You might think that would be easy enough to notice, but scammers are adept at hiding the signs of their scams.
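One defensive check against the lookalike-domain trick described above, as an added example that is not part of the original post: it collapses confusable character sequences so that ‘connpanyx’ and ‘cornpanyx’ both canonicalise to ‘companyx’, then flags sender domains that imitate a trusted domain. The confusable table, the sample From: headers and every domain other than ‘companyx’ are constructed for illustration, and a single-label TLD such as .com is assumed.

```python
from email.utils import parseaddr

# Sequences that look alike in many sans-serif fonts, reduced to one canonical form.
# Multi-character rules run first so 'nn' becomes 'm' before the single-char rules.
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def canonicalise(label: str) -> str:
    """Lower-case a domain label and collapse confusable sequences."""
    label = label.lower()
    for seq, canon in CONFUSABLES:
        label = label.replace(seq, canon)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(sender_domain: str, trusted_domain: str) -> bool:
    """True if sender_domain imitates trusted_domain without being it."""
    s_dom, t_dom = sender_domain.lower().rstrip("."), trusted_domain.lower().rstrip(".")
    if s_dom == t_dom or s_dom.endswith("." + t_dom):
        return False                                # the real domain or one of its subdomains
    # Compare the label left of the TLD; assumes a single-label TLD such as .com.
    s, t = (d.split(".")[-2] if "." in d else d for d in (s_dom, t_dom))
    return (s == t                                  # same name, different TLD
            or canonicalise(s) == canonicalise(t)   # confusable substitution
            or edit_distance(s, t) <= 1)            # single-character typo

def flag_suspicious_senders(from_headers, trusted_domain):
    """Return the addresses from From: headers whose domain imitates trusted_domain."""
    flagged = []
    for header in from_headers:
        _, addr = parseaddr(header)
        if "@" in addr and is_lookalike(addr.rsplit("@", 1)[1], trusted_domain):
            flagged.append(addr)
    return flagged

# Constructed sample headers for illustration; not taken from any real mailbox.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@companyx.com>", "IT Helpdesk <helpdesk@mail.companyx.com>",
    "CEO <ceo@connpanyx.com>", "Finance <ap@cornpanyx.com>",
    "Payroll <payroll@companyx.net>", "Newsletter <news@othercorp.com>",
]
```

Calling `flag_suspicious_senders(SAMPLE_FROM_HEADERS, "companyx.com")` returns the three imitations and leaves the genuine domain and its subdomain alone; canonicalising will also merge labels that legitimately contain ‘rn’ or ‘nn’, so treat a hit as a prompt for review rather than proof of fraud.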
Sustained threat of spear phishing
Proofpoint’s report found that 41% of organisations suffered multiple attacks in a two-year span, suggesting that those that fell victim once were likely to do so again.
It also found that only 40% of organisations have full visibility into email threats, meaning those organisations are being targeted regularly and simply aren’t aware of the scale of the threat.
Commenting on the report, Robert Holmes, vice president of email security products at Proofpoint, said:
“Email fraud is highly pervasive and deceptively simple; hackers don’t need to include attachments or URLs, emails are distributed in fewer volumes, and typically impersonate people in authority for maximum impact.
“These and other factors make email fraud, also known as business email compromise (BEC), extremely difficult to detect and stop with traditional security tools. Our research underscores that organizations and boardrooms have a duty to equip the entire workforce with the necessary solutions and training to protect everyone against this growing threat.”
Phishing is a top concern
Clearswift’s Cyber Threatscape report also highlights the threat of phishing. The information security organisation polled 600 decision makers and 1,200 employees in the UK, US, Germany and Australia, and found that 59% of respondents said phishing was their biggest concern.
Phishing was the number one risk in all four regions, beating out the threat of employees’ lax attitudes (33%), the vulnerability of removable devices (31%) and failure to remove login access from ex-employees (28%).
According to Dr Guy Bunker, senior vice president of products at Clearswift, this report “highlights that businesses need to change the way they’re approaching the task of mitigating these risks”.
“The approach should be two-fold, focused on balancing education with a robust technological safety net. This will ultimately help ensure the business stays safe,” he adds.
How can you prevent phishing attacks?
There are several ways you can address the risk of phishing. The first is to conduct staff awareness courses to educate employees on how phishing scams work and what they can do to mitigate the risk.
These courses should be repeated annually to refresh employees’ memories and maintain a workplace culture that prioritises cyber security.
You may also benefit from a thorough re-evaluation of your approach to cyber security. Our Security Awareness Programme does just that, helping you generate tangible and lasting improvements to your organisation’s security awareness.
It combines a learning needs assessment to identify the areas that your organisation should focus on, with a series of tools and services to address problems as they arise, including hands-on support from a specialist consultant, pocket guides and e-learning courses.
A version of this blog was originally published on 9 April 2018.