Spear phishing has become an endemic scourge: 95% of US and 83% of UK respondents in a recent Cloudmark survey said that they have experienced spear phishing attacks (91% combined).
Spear phishing is effective: despite deploying traditional security solutions, 84% of respondents experienced spear phishing attacks that penetrated their security solutions. It’s also costly: Of those experiencing attacks over the last 12 months, 81% suffered some negative impact as a result, with an average financial cost of $1.6 million—and some losses in the tens of millions of dollars.
Unfortunately, human awareness of the issue appears to be lagging behind the risk. A full 79% of respondents test their employees’ responses to spear phishing attacks, and 78% of those had failure rates of up to a quarter of their employees.
Only 3% had no failures.
Also, a good percentage of companies appear to be in a state of denial when it comes to the targets on their backs. Only 73% of respondents feel that spear phishing currently poses a threat to their organization. About three-quarters (77%) feel that it will pose a threat within the next 12 months. And this gap is reflected in respondents’ actions, as only 71% have implemented a specific solution to prevent spear phishing, leaving a large number of respondents poorly protected. Those 71% are depending on traditional anti-spam (84%) and anti-virus (81%) software to protect their users, along with staff training (79%) and educational campaigns (64%).
“The high financial losses—$1.6 million on average—are only part of the story; other respondents experienced loss of reputation or even customers, drop in stock price or other negative effects,” the report noted. “In some sectors, more than half of respondents (55%) suffered a loss of customers; in others, almost half (47%) suffered a financial loss.”
Anti-spam and anti-virus technology can be effective in blocking some kinds of generic phishing. About 45% of respondents have deployed secure web gateways or URL filtering solutions, which might be effective in protecting users from threats such as fake bank or webmail login pages hosted on hacked domains. And secure email gateways and file sandboxing (deployed by 58% and 28% of respondents, respectively) can be effective against malware deployment, an attack that 30% of respondents have experienced.
But ultimately, the human is the weakest link.
“For example, in so-called CEO fraud or Business Email Compromise (BEC) attacks, the spear phisher masquerades as the company’s CEO or another executive and instructs an employee in the finance department to send money via wire transfer to a bank account controlled by the phisher,” the report explained. “These messages almost never contain an attachment or a call-to-action URL, so they will bypass traditional security technology easily.”
BEC attacks are widespread. Sixty-three percent of respondents received spear phishing involving the spoofing of a CEO for financial gain in the last 12 months; in one sector, 48% received more than 30 such attacks over that period. Almost half of respondents said that the financial staff or department were specifically targeted in cyber-attacks.
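The report's point is that a BEC message carries neither an attachment nor a URL, so a gateway that keys on those two things has nothing to inspect. What remains is the header and the wording: an executive's display name on an outside address, a reply-to pointing elsewhere, a payment instruction, urgency language. The following is an added example, not code from the article or from Cloudmark, of a small triage check over constructed messages; the company domain, executive roster and keyword lists are assumptions a real deployment would replace with its own directory data.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed organisation data (constructed for this example; the article names none of this).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> genuine mailbox
PAYMENT_TERMS = ("wire transfer", "wire", "bank account", "payment", "invoice")
URGENCY_TERMS = ("urgent", "asap", "immediately", "confidential", "right away")

IMPERSONATION = "executive display name with non-matching address"
REPLY_TO_REDIRECT = "reply-to points to a different mailbox"
PAYMENT_REQUEST = "payment or wire instruction in body"
URGENCY = "urgency or secrecy language"


def parse_message(raw: str):
    """Parse an RFC 5322 message into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def body_text(msg) -> str:
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def has_url_or_attachment(msg) -> bool:
    """The two things a traditional gateway keys on; BEC mail usually has neither."""
    if any(p.get_filename() for p in msg.walk()):
        return True
    return re.search(r"https?://", body_text(msg), re.I) is not None


def bec_indicators(raw: str) -> list:
    """Return the list of BEC indicators present in the message."""
    msg = parse_message(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    reasons = []

    # Display-name impersonation: an executive's name on an address that is not theirs.
    genuine = EXECUTIVES.get(name.strip().lower())
    if genuine and addr != genuine:
        reasons.append(IMPERSONATION)

    # Reply-To steering replies to a mailbox the attacker controls.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append(REPLY_TO_REDIRECT)

    text = body_text(msg).lower()
    if any(term in text for term in PAYMENT_TERMS):
        reasons.append(PAYMENT_REQUEST)
    if any(term in text for term in URGENCY_TERMS):
        reasons.append(URGENCY)
    return reasons


def is_bec_suspect(raw: str) -> bool:
    """Flag when an impersonated executive is asking for money, regardless of URLs/attachments."""
    found = bec_indicators(raw)
    return IMPERSONATION in found and PAYMENT_REQUEST in found


# Constructed sample messages.
BEC_SAMPLE = (
    "From: Jane Doe <jane.doe.ceo@mail.example.net>\n"
    "To: accounts@example.com\n"
    "Subject: Quick request\n"
    "\n"
    "Are you at your desk? I need an urgent wire transfer sent to a supplier\n"
    "today. I am in a meeting, so reply here and I will send the bank account\n"
    "details.\n"
)

LEGIT_SAMPLE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: accounts@example.com\n"
    "Subject: Q3 report\n"
    "\n"
    "Please review the Q3 report at https://intranet.example.com/reports before Friday.\n"
)

if __name__ == "__main__":
    for label, raw in (("bec", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        msg = parse_message(raw)
        print(label, "url/attachment:", has_url_or_attachment(msg),
              "suspect:", is_bec_suspect(raw), bec_indicators(raw))
```

The BEC sample is exactly the case the report describes: nothing for a URL filter or sandbox to look at, yet the header and body together are enough to hold it for review. Keying the rule on the executive roster and the company domain, rather than on content alone, keeps a genuine message from the same executive out of the quarantine.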