A colleague recently told me about an organisation that successfully thwarted a highly sophisticated spear phishing attack, which no doubt saved them a serious amount of money and backlash from customers.
But how often are spear phishing attacks stopped in their tracks? According to researchers at security firm Symantec, not very often:
“The FBI estimates that the amount lost to BEC (Business Email Compromise) between October 2013 and August 2015 was over $1.2 billion. With such huge returns, it’s unlikely that these scams will cease any time soon.”
“BEC attackers target senior-level employees rather than consumers as it’s easier to scam them out of large amounts. In one incident, we observed the scammers asking the target to transfer over US$370,000. By requesting large amounts of money, the scammers only need to be successful a couple of times to make a profit,” Symantec researchers explained.
Who are the targets?
A normal phishing email generally doesn’t have a specific target. It goes out to broad groups, such as people who have eBay accounts or use PayPal.
A spear phishing email, however, has a specific target, and that is what makes it successful. An example of a spear phish would be a cybercriminal sending an email that appears to be from the CEO to the CFO, asking for a specific sum to be wired to an account. The criminal will often add something such as “don’t worry about calling me to confirm, I’m about to board a plane” to discourage the recipient from verifying the request.
Unfortunately, this works. You and I can sit here and think, “Ha, how could you fall for that?” – but we have the training and knowledge that prepares us for these attacks. What guarantee is there that a CFO or someone in a similar role is aware of these email attacks?
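Training is the main defence, but the CEO-to-CFO pattern described above also has technical tells a mail gateway can score: an executive’s display name paired with an outside sender domain, a Reply-To pointing elsewhere, and “don’t verify, I’m busy” language. The following is an added illustration, not code from the original post or from Symantec; the executive roster, domains and sample messages are constructed for the example.

```python
import email
import email.utils
from email import policy

# Hypothetical roster: executive display name -> the only domain they send from.
EXECUTIVES = {"Jane Doe": "example.com"}

# Phrases typical of BEC pretexts (urgency plus discouraging a call-back).
URGENCY_PHRASES = ("about to board", "don't worry about calling", "wire",
                   "today", "keep this confidential")

# Constructed sample messages, not real mail.
SUSPICIOUS = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: jane.doe@example-mail.net
To: cfo@example.com
Subject: Urgent wire

Please wire $370,000 to the account below today. Don't worry about calling
me to confirm, I'm about to board a plane.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Q3 report

Please review the attached Q3 report when you have a moment.
"""


def parse_from(header):
    """Return (display name, address, lower-cased domain) for an address header."""
    name, addr = email.utils.parseaddr(str(header))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain


def score_bec(raw):
    """Return a list of reasons the message looks like a BEC attempt (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    name, _, domain = parse_from(msg.get("From", ""))
    # 1) Known executive's display name, but the mail comes from an outside domain.
    if name in EXECUTIVES and domain != EXECUTIVES[name]:
        reasons.append("exec display name with external domain")
    # 2) Replies would go to a different domain than the apparent sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, _, reply_domain = parse_from(reply_to)
        if reply_domain and reply_domain != domain:
            reasons.append("reply-to domain differs from from domain")
    # 3) Two or more urgency / do-not-verify phrases in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if len(hits) >= 2:
        reasons.append("urgency/do-not-verify phrases: " + ", ".join(hits))
    return reasons
```

A real deployment would feed the score into quarantine or a "verify by phone" banner rather than block outright, since legitimate executives do travel and do send urgent requests.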
The Symantec researchers supported the common opinion that “User education is the most effective means of protecting companies against BEC scams”.