Last year, 66% of organizations worldwide experienced spear phishing attacks. But some industries and departments are more likely to be targeted than others. In this article, we’ll identify examples of vulnerable employees, why they’re targeted, and what tactics hackers use to trick them into handing over sensitive information or initiating money transfers. We’ll be focusing on the following spear phishing methods.
Let’s get started…

“Note: This article combines facts and figures from several different research reports. These personas were created to educate readers on the most targeted industries, what motivates hackers, the social engineering tactics they use in different circumstances, and what makes individuals more vulnerable to scams.”

John: Executive Assistant (New-Starter), Tech Company

Our first spear phishing victim is John: an executive assistant working in tech. Why tech? Because it’s a highly targeted sector. Employees in tech firms are the most likely to fall for a social engineering scam, according to one study looking at companies with over 1,000 people. In fact, in medium-large tech companies, roughly half of employees will click on a malicious link or obey instructions in a phishing email. Those aren’t good odds. Within the tech industry, John is an executive assistant. Why is John’s role relevant? Because spear phishing is a targeted attack—cybercriminals are looking for individuals with access to high-value data. And executive assistants have that in spades. Think about it. Executive assistants:
In other words, John is in a near-perfect position of access and influence. John’s also a new starter, which makes him particularly vulnerable. He isn’t familiar with company policies. He doesn’t know everyone. And, for what it’s worth, he hasn’t had security awareness training yet. And psychologically, John’s “the new guy”—he’s keen to show initiative, avoid annoying his colleagues, and might be less likely to report his own mistakes. So when John gets a CEO fraud email from someone claiming to be the boss, he’s less likely to question it.

How would a hacker know if a certain employee has recently joined a company?

Spear phishing attacks require meticulous research. But finding out about a company and its employees is easy. LinkedIn accounts, company websites, annual reports—everything a cybercriminal needs to know about an organization’s structure and employees is laid out in public view. Learn more about how bad actors leverage publicly available information in this research report: How to Hack a Human.

Lucy: Office Administrator, Healthcare Company

Our second spear phishing victim is Lucy: an office administrator working in healthcare. Why healthcare? Two reasons:
And in healthcare, data breaches are particularly costly. In fact, for ten years running, healthcare has been the most expensive industry in which to experience a data breach, with the average single incident costing $7.13 million in 2020 (up 10% from 2019). Why is a healthcare breach so costly? It’s partly down to the value of patient data. Think about the types of data accessible to an office administrator working in healthcare:
Adam: Accounts Payable Manager, Manufacturing Company

Our third spear phishing victim is Adam: an accounts payable manager working in manufacturing. Manufacturing is among the most targeted industries in social engineering incidents. And manufacturing firms are a favorite for BEC attacks, because of the high volume of invoices being paid. Manufacturing companies are often part of long supply chains, which can be targeted in account takeover attacks. Because his job involves processing payments, Adam is particularly vulnerable to BEC—which frequently involves persuading accounts managers to pay fake invoices. BEC remains a cybercrime “growth sector”. FBI data shows that in 2020, BEC scammers made over $1.8 billion—far more than via any other type of cybercrime.

Magda: Senior Partner, Law Firm

Magda is our fourth spear phishing victim, and she’s a senior partner at a law firm. So far, we’ve looked at mid-level employees. But remember that when conducting spear phishing attacks, cybercriminals aim to get the most “bang for their buck.” That’s why they frequently target high-ranking employees through “whaling” attacks. Here’s why company executives can be the ultimate catch for a spear phishing attack:
About that last point: Tessian research suggests that more than half of employees felt they were more likely to make mistakes at work when they were stressed—and that high-ranking employees are among the most likely to fall for a phishing attack. Plus, Magda works in a law firm—and we know the legal sector is heavily targeted by spear phishing. As the U.K.’s National Cyber Security Centre reports: “The cyber threat to the UK legal sector is significant and the number of reported incidents has grown substantially over the last few years.” This increase in cybercrime is partly down to the rapid rate at which legal firms are adopting new technology.

How can employees detect spear phishing attacks?

Want to avoid ending up like our spear phishing victims? There are a few basic steps you can take:
But note that humans are often not capable of detecting the subtle differences between phishing emails and authentic emails. And spam filters, antivirus software, and other legacy security solutions just aren’t enough.

How Tessian prevents spear phishing attacks

Tessian Defender uses machine learning, anomaly detection, behavioral analysis, and natural language processing to detect even the most discreet phishing signals. Here’s how it works.
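As an added illustration (not Tessian’s code) of the kind of behavioral and language signals a detector like this combines, the constructed example below scores an inbound message on executive display-name impersonation, sender history, external origin, and payment/urgency wording, covering both the CEO fraud aimed at John and the fake-invoice BEC aimed at Adam. The executive list, known-sender set, threshold and sample messages are all assumptions made for the demo.

```python
import re
from email.utils import parseaddr

# Constructed reference data for the demo (not from the original article).
INTERNAL_DOMAIN = "example.com"
# Lower-cased display name of each executive -> their genuine address.
EXECUTIVES = {"alice ceo": "alice@example.com"}
# Addresses this mailbox has exchanged mail with before (behavioral history).
KNOWN_SENDERS = {"alice@example.com", "vendor@supplier.example"}
# Wording typical of payment requests and manufactured urgency.
PAYMENT_PATTERNS = re.compile(
    r"\b(wire|transfer|invoice|payment|gift cards?|urgent|asap)\b", re.IGNORECASE)


def score_message(from_header, subject, body):
    """Return (score, reasons) for one message from simple behavioral signals."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    score, reasons = 0, []
    # Signal 1: an executive's display name on an address that is not theirs
    # (the classic CEO fraud pattern). Weighted highest.
    key = display.strip().lower()
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        score += 3
        reasons.append("executive display name from non-matching address")
    # Signal 2: no prior correspondence with this sender.
    if addr not in KNOWN_SENDERS:
        score += 1
        reasons.append("first-time sender")
    # Signal 3: message originates outside the company domain.
    if domain != INTERNAL_DOMAIN:
        score += 1
        reasons.append("external domain")
    # Signal 4: one point per distinct payment/urgency term in subject + body.
    hits = {m.lower() for m in PAYMENT_PATTERNS.findall(subject + " " + body)}
    if hits:
        score += len(hits)
        reasons.append("payment/urgency terms: " + ", ".join(sorted(hits)))
    return score, reasons


def is_suspicious(from_header, subject, body, threshold=4):
    """Flag a message for a warning when its combined score reaches the threshold."""
    return score_message(from_header, subject, body)[0] >= threshold
```

A routine invoice from a known supplier scores low, while the same invoice wording from a spoofed executive on an unfamiliar external address crosses the threshold.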
Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.

Who is most targeted by phishing attacks?

Adults aged between 25 and 34 years or 35 and 44 years were more likely to receive a phishing message (58% and 60% respectively) than other age groups.

Who are the victims of spear phishing?

Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user's computer.

Does spear phishing target a wide audience?

While phishing emails are sent to a large group of people, spear phishing emails are sent to a select group or an individual. By limiting the targets, it is easier for the spear phisher to include personal information -- like the target's first name or job title -- and make the malicious emails seem trustworthy.