Spear-phishing attacks still happen and are still successful

A colleague recently told me about an organisation that successfully thwarted a highly sophisticated spear phishing attack, which no doubt saved them a serious amount of money and spared them a backlash from customers.

But how often are spear phishing attacks stopped in their tracks? According to researchers at security firm Symantec, not very often:

“The FBI estimates that the amount lost to BEC (Business Email Compromise) between October 2013 and August 2015 was over $1.2 billion. With such huge returns, it’s unlikely that these scams will cease any time soon.”

“BEC attackers target senior-level employees rather than consumers as it’s easier to scam them out of large amounts. In one incident, we observed the scammers asking the target to transfer over US$370,000. By requesting large amounts of money, the scammers only need to be successful a couple of times to make a profit,” Symantec researchers explained.

Who are the targets?

A normal phishing email generally doesn’t have a specific target. It is aimed at broad groups, such as people who have eBay accounts or use PayPal.

A spear phishing email, however, has a specific target, and that’s what makes it successful. An example of a spear phish would be a cyber criminal sending the CFO an email that appears to be from the CEO, asking for a specific sum to be wired to an account. The criminal will often say something such as “don’t worry about calling me to confirm, I’m about to board a plane”.

Unfortunately, this works. You and I can sit here and think, “Ha, how could you fall for that?” – but we have the training and knowledge that prepares us for these attacks. What guarantee is there that a CFO or someone in a similar role is aware of these email attacks?

The Symantec researchers supported the common opinion that “User education is the most effective means of protecting companies against BEC scams”.
