Who is the target of spear phishing?

Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.

Last year, 66% of organizations worldwide experienced spear phishing attacks. But some industries and departments are more likely to be targeted than others. In this article, we’ll identify examples of vulnerable employees, why they’re targeted, and what tactics hackers use to trick them into handing over sensitive information or initiating money transfers.

We’ll be focusing on the following spear phishing methods.

For more information about these different types of attacks, click the links above. Unsure what exactly spear phishing is?  Read this article: Phishing vs. Spear Phishing: Differences and Defense Strategies.

Let’s get started…

“Note: This article combines facts and figures from several different research reports. These personas were created to educate readers on the most targeted industries, what motivates hackers, the social engineering tactics they use in different circumstances, and what makes individuals more vulnerable to scams. ”

John: Executive Assistant (New-Starter), Tech Company

Our first spear phishing victim is John: An executive assistant working in tech.Why tech? Because it’s a highly targeted sector. Employees in tech firms are the most likely to fall for a social engineering scam, according to one study looking at companies with over 1,000 people.

In fact, in medium-large tech companies, roughly half of employees will click on a malicious link or obey instructions in a phishing email. Those aren’t good odds. Within the tech industry, John is an executive assistant.

Why is John’s role relevant? Because spear phishing is a targeted attack—cybercriminals are looking for individuals with access to high-value data. And executive assistants have that in spades. Think about it. Executive assistants:

• Have extensive access to credit card data, employee data, and intellectual property
• Have access to executives’ email accounts, and know their itinerary and travel arrangements
• Work autonomously and have decision-making capabilities

In other words, John is in a near-perfect position of access and influence. John’s also a new starter, which makes him particularly vulnerable. He isn’t familiar with company policies. He doesn’t know everyone. And, for what it’s worth, he hasn’t had security awareness training yet.

And psychologically, John’s “the new guy”—he’s keen to show initiative, avoid annoying his colleagues, and might be less likely to report his own mistakes. So when John gets a CEO fraud email from someone claiming to be the boss, he’s less likely to question it.

How would a hacker know if a certain employee has recently joined a company?

Spear phishing attacks require meticulous research. But finding out about a company and its employees is easy. LinkedIn accounts, company websites, annual reports—everything a cybercriminal needs to know about an organization’s structure and employees is laid out in public view. Learn more about how bad actors leverage publicly available information in this research report: How to Hack a Human.

Lucy: Office Administrator, Healthcare Company

Our second spear phishing victim is Lucy: an office administrator working in healthcare. Why healthcare? Two reasons:

• First, according to a sector-by-sector study, the healthcare industry is the most vulnerable to social engineering attacks overall (without taking company size into account). 
• Second, healthcare employees are most likely to be involved in privilege misuse incidents.

And in healthcare, data breaches are particularly costly. In fact, for ten years running, healthcare has been the most expensive industry in which to experience a data breach, with the average single incident costing $7.13 million in 2020 (up 10% from 2019).

Why is a healthcare breach so costly? It’s partly down to the value of patient data. Think about the types of data accessible to an office administrator working in healthcare:

• Health records
• Clinical trials
• Insurance information
• Credit card details
• Patient data
• Employee data
• Payroll information

Lucy is vulnerable to email spoofing attacks, where a phishing email appears to come from a trusted domain. According to the FBI, spoofing attacks have risen by 81% since 2018. Healthcare firms are often poorly equipped to deal with cybersecurity incidents, as shown by the recent spate of ransomware attacks on hospitals. Therefore, they may lack software capable of identifying a spoofed email account.

Adam: Accounts Payable Manager, Manufacturing Company

Our third spear phishing victim is Adam: an accounts payable manager working in manufacturing. Manufacturing is among the most targeted industries in social engineering incidents. And manufacturing firms a favorite for BEC attacks, because of the high volume of invoices being paid.

Manufacturing companies are often part of long supply chains, which can be targeted in account takeover attacks. Because his job involves processing payments, Adam is particularly vulnerable to BEC—which frequently involves persuading accounts managers to pay fake invoices.

BEC remains a cybercrime “growth sector”. FBI data shows that in 2020, BEC scammers made over $1.8 billion—far more than via any other type of cybercrime.

Magda: Senior Partner, Law Firm

Magda is our fourth spear phishing victim, and she’s a senior partner at a law firm. So far, we’ve looked at mid-level employees. But remember that when conducting spear phishing attacks, cybercriminals aim to get the most “bang for their buck.” That’s why they frequently target high-ranking employees through “whaling” attacks.

Here’s why company executives can be the ultimate catch for a spear phishing attack:

• They control large budgets
• They have power over many employees
• They’re busy, often stressed, and can easily make mistakes

About that last point: Tessian research suggests that more than half of employees felt they were more likely to make mistakes at work when they were stressed—and that high-ranking employees are among the most likely to fall for a phishing attack.

Plus, Magda works in a law firm—and we know the legal sector is heavily targeted by spear phishing. As the U.K.’s National Cyber Security Centre reports: “The cyber threat to the UK legal sector is significant and the number of reported incidents has grown substantially over the last few years.”

This increase in cybercrime is partly down to the rapid rate at which legal firms are adopting new technology.

How can employees detect spear phishing attacks?

Want to avoid ending up like our spear phishing victims? There are a few basics steps you can take:

1. Learn to spot the signs of a spear phishing email
2. Avoid email impersonation by checking for inconsistencies in senders’ email addresses.
3. Hover over links to see where they lead before clicking on them.
4. Verify non-routine payment instructions over the phone.

But note that humans are often not capable of detecting the subtle differences between phishing emails and authentic emails. And spam filters, antivirus software, and other legacy security solutions just aren’t enough.

How Tessian prevents spear phishing attacks

Tessian Defender uses machine learning, anomaly detection, behavioral analysis, and natural language processing to detect even the most discrete phishing signals. Here’s how it works.

1. Tessian’s machine learning algorithms analyze your company’s email data. The software learns every employee’s normal communication patterns and maps their trusted email relationships — both inside and outside your organization.
2. Tessian inspects both the content and metadata of inbound emails for any signals suggestive of phishing, like suspicious payloads, geophysical locations, IP addresses, email clients, or sending patterns.

Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.

Who is most targeted by phishing attacks?

Who are the victims of spear phishing?

Does spear phishing target a wide audience?