Why social engineering and spear phishing are such constant business threats

Over 12 million spear phishing and social engineering attacks impacted more than 3 million mailboxes at over 17,000 organizations.
3 August 2021

Spear phishing and social engineering attacks continue to wreak havoc on organizations. Spencer Platt/Getty Images/AFP (Photo by SPENCER PLATT / GETTY IMAGES NORTH AMERICA / Getty Images via AFP)

Social engineering and spear phishing are persistently some of the major tactics used by cybercriminals today. While companies had often patched their hardware, software, and networks with sufficient protection, emails were still a gaping access point for bad actors.

When businesses embraced remote working due to the pandemic, many organizations had to speed up their entire digital transformation process. Some organizations were prepared to be fully digitized while others were still in the process of deciding components for their transformation journey.

Company devices had to be updated with the latest patches and software, and additional access accounts for sensitive data had to be created from remote locations. While companies did also enhance their email security, cybercriminals still managed to find ways to infiltrate the system.

According to Barracuda Networks’ Spear Phishing: Top Threat and Trends report, between May 2020 and June 2021 researchers analyzed over 12 million spear phishing and social engineering attacks that impacted more than 3 million mailboxes at over 17,000 organizations.

Social engineering and spear phishing attacks occur when cybercriminals lure unsuspecting users into exposing data, spreading malware infections, or unwittingly giving access to restricted systems. Nowadays these attacks are often personalized and targeted at specific individuals in an organization.

Interestingly, the report showed that 43% of phishing attacks impersonate Microsoft brands. Other brands being impersonated include WeTransfer, DHL, and Google. As such, hackers are most likely taking advantage of the popularity of Microsoft’s SaaS such as Office 365. The shift to remote working over the past year also most likely contributed to the increased figures.

For cybercriminals, the end goal is to steal login credentials. Once they have access to a user’s account, they can use it to launch malware attacks such as ransomware or even spy on what these companies are doing, and take advantage of their data.

Compromised email accounts can cause serious damage to an organization. One example of compromised user credentials was the Colonial Oil Pipeline hack. Reports showed that the ransomware attack was enabled by compromised passwords, leading the company to pay a US$4.5 million ransom to restore operations.

Anyone can be a target for spear phishing and social engineering attacks. (Photo by Ludovic MARIN / various sources / AFP)

Anyone can be a target

So who are the intended targets of these phishing emails and social engineering attacks?

Cybercriminals spend a lengthy amount of time researching their victims at their organizations. Social media sites and other publicly available sources can supply them with sufficient information to pick a target. Cybercriminals then plan and design an attack aimed at that specific individual with a customized message — the most common method being email.

With one in every ten social engineering attacks being business email compromise (BEC), anyone in an organization is potentially a target for such an attack. Depending on scale and intent, the average CEO is reported to receive 57 targeted phishing attacks in a year. BEC attacks target 1 in every 5 employees in a sales role, while IT staffers receive an average of 40 targeted phishing attacks in a year. The CFO and finance department are also common targets for phishing emails, with finance department employees receiving an average of six targeted BEC attacks.

“Cybercriminals are getting sneakier about who they target with their attack. With the finance department being more secured, they are now targeting employees outside the finance and executive teams, often looking for a weak link in the organization,” said Don MacLennan, SVP, Engineering and Product Management, Email Protection at Barracuda.

MacLennan pointed out that by targeting lower-level employees, cybercriminals have found a new way to get inside and work their way towards higher-value targets. He added that it is important to ensure businesses have sufficient cybersecurity protection and training for all their employees, regardless of position or role.

Shielding against social engineering and spear-phishing attacks

There are a number of ways that companies can protect their employees from social engineering and spear phishing attacks. While training employees is often considered the most straightforward method, mistakes can still happen now and then.

As people are often considered the weakest link in an organization’s security ecosystem, companies should also look into the policies they have for internal procedures. BEC attacks often request that funds be transferred to third-party accounts via internal emails. Having internal policies that vet fund transfers, especially to third-party accounts, may well reduce the risk.

Another way of reducing attacks is by making use of AI-based cybersecurity solutions. Organizations can leverage machine learning solutions that analyze communication patterns in the company to spot anomalies that may indicate an attack. AI-based solutions such as threat intelligence can also help spot potential threats to the company.

Organizations should also look into deploying account-takeover protection. Deploy technology that uses AI to recognize when accounts have been compromised. It then remediates in real-time by alerting users and removing malicious emails sent from compromised accounts.
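The fund-transfer vetting policy and the "analyze communication patterns to spot anomalies" approach described above can be made concrete with a small rule-based triage step. The following is an added example, not Barracuda's product and not code from the article: it assumes a hypothetical per-organization baseline of display names and the domains they have legitimately sent from, a simplified brand-to-domain table, and a few constructed sample messages. It flags the indicators the report discusses (brand impersonation, a known name arriving from a new domain, a Reply-To that points elsewhere, and a payment request from an unverified sender) and routes payment requests to manual vetting instead of delivering them.

```python
"""Rule-based triage of inbound mail for spear-phishing / BEC indicators.

Added example. The baseline, brand table and messages below are constructed
for illustration; a real deployment would learn the baseline from mail history.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Message:
    from_name: str            # display name shown to the recipient
    from_addr: str            # envelope/header From address
    reply_to: Optional[str]   # Reply-To header, if present
    subject: str
    body: str


# Hypothetical baseline: display names the organization has corresponded with
# and the sending domains observed for each of them.
BASELINE = {
    "jane doe": {"example-corp.com"},          # constructed: the CEO
    "acme billing": {"acme-supplier.example"},  # constructed: a known supplier
}

# Simplified assumption: the primary domain each brand sends from.
BRAND_DOMAINS = {
    "microsoft": "microsoft.com",
    "wetransfer": "wetransfer.com",
    "dhl": "dhl.com",
    "google": "google.com",
}

# Phrases that should route a message into the fund-transfer vetting process.
PAYMENT_TERMS = ("wire transfer", "bank details", "payment", "invoice", "urgent")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def analyze(msg: Message) -> List[str]:
    """Return a list of human-readable findings; empty means nothing anomalous."""
    findings: List[str] = []
    name = msg.from_name.strip().lower()
    sender_domain = domain_of(msg.from_addr)

    # 1. Brand impersonation: display name invokes a brand, domain does not match.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name and sender_domain != legit and not sender_domain.endswith("." + legit):
            findings.append(f"brand impersonation: name mentions {brand!r} but sender domain is {sender_domain}")

    # 2. Reply-To pointing at a different domain than the From address.
    if msg.reply_to and domain_of(msg.reply_to) != sender_domain:
        findings.append(f"reply-to mismatch: replies go to {domain_of(msg.reply_to)}, not {sender_domain}")

    # 3. A display name we know, arriving from a domain we have never seen it use.
    known_domains = BASELINE.get(name)
    if known_domains is not None and sender_domain not in known_domains:
        findings.append(f"known sender {msg.from_name!r} from unexpected domain {sender_domain}")

    # 4. Payment language from a sender that is not in the baseline for that name.
    text = f"{msg.subject}\n{msg.body}".lower()
    hits = [term for term in PAYMENT_TERMS if term in text]
    if hits and (known_domains is None or sender_domain not in known_domains):
        findings.append(f"payment request ({', '.join(hits)}) from unverified sender; route to fund-transfer vetting")

    return findings


def triage(msg: Message) -> str:
    """Map findings to an action: deliver, warn the user, or quarantine for review."""
    findings = analyze(msg)
    if not findings:
        return "deliver"
    severe = len(findings) >= 2 or any(f.startswith("payment request") for f in findings)
    return "quarantine" if severe else "warn"


# Constructed sample messages.
LEGIT = Message("Jane Doe", "jane@example-corp.com", None,
                "Q3 planning", "Notes from today's meeting are attached.")
CEO_LOOKALIKE = Message("Jane Doe", "jane.doe@example-c0rp.com", None,
                        "Urgent wire transfer request",
                        "Please send the bank details for the new vendor before noon.")
BRAND_SPOOF = Message("Microsoft 365 Team", "noreply@mail-secure.example", "support@other.example",
                      "Your password expires today", "Sign in now to keep your account active.")
UNKNOWN_REPLYTO = Message("Sam Vendor", "sam@vendor.example", "sam@webmail.example",
                          "Thursday agenda", "Here is the agenda for Thursday's call.")

if __name__ == "__main__":
    for m in (LEGIT, CEO_LOOKALIKE, BRAND_SPOOF, UNKNOWN_REPLYTO):
        print(f"{triage(m):10s} {m.from_name} <{m.from_addr}>")
        for f in analyze(m):
            print(f"           - {f}")
```

The lookalike-domain and Reply-To checks catch the case the article describes where a trusted name is reused from an attacker-controlled domain, while rule 4 is the technical counterpart of the policy advice: any payment language from a sender outside the baseline is held for the fund-transfer vetting step rather than left to the recipient's judgment.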

With cybercriminals only finding more ways to wreak havoc on organizations, employees need to be vigilant, especially when it comes to their work emails. At the end of the day, checking an email before replying to it or opening attachments could just save the entire organization.