Financial organisations continue to be top targets for spear phishing emails, underscoring the message that every organisation must be vigilant through technology and training.
Barracuda researchers analysed 360,000 spear phishing emails over a three month period. They found that there are three types of attacks: blackmail, brand impersonation, and business email compromise.
“Spear phishing attacks are designed to evade traditional email security solutions, and the threat is constantly evolving as attackers find new ways to avoid detection and trick users,” explains Barracuda vice president of APAC sales, James Forbes-May.
Finance department employees are most heavily targeted by these attacks, because they are most likely to deal with banks and other financial institutions, the report suggests. The attackers attempt to steal bank account login details.
“Cybercriminals spend time researching an organisation and its employees before launching an attack. They impersonate an executive or other employee in an email, requesting a wire transfer or personally identifiable information from finance department employees and others with access to sensitive information. Once the money has been transferred to a fraudulent account, it's usually impossible to get it back,” the report says.
Attackers commonly impersonate Microsoft in order to take over accounts. Attackers take different approaches to Apple impersonation.
“In some attacks, cybercriminals send an email about a recent alleged iTunes purchase, asking for credit card details to cancel the order and provide a refund. The stolen information is used to commit financial fraud,” the report notes.
Subject lines on more than 70% of business email compromise attack emails try to establish rapport or a sense of urgency; many imply the topic has been previously discussed.
Scammers use name-spoofing techniques, changing the display name on Gmail and other email accounts to make the email appear to come from a company employee. This tactic can be especially deceiving to those reading the email on a mobile device.
The majority of subject lines on sextortion emails contain some form of security alert. Attackers often include the victim's email address or password in the subject line.
“Staying ahead of these types of attacks requires the right combination of technology and user training, so it's critical to have a solution in place that detects and protects against spear-phishing attacks, including business email compromise, brand impersonation, and sextortion,” concludes Forbes-May.
Protection can include multi-factor authentication, staff training that helps them to identify and report attacks, account takeover protection, DMAEC authentication and reporting, and maximising data loss prevention.
Statistics are taken from Barracuda's Spear Phishing: Top Threats and Trendsreport.