Spearphishing report: 50% of companies were impacted in 2022

Spearphishing report: 50% of companies were impacted in 2022

Spearphishing report: 50% of companies were impacted in 2022
Your email has been sent
Barracuda Networks found that spearphishing exploits last year worked to great effect and took days to detect.
Spearphishing is a sliver of all email exploits, but the extent to which it succeeds is revealed in a new study from cybersecurity firm Barracuda Networks, which analyzed 50 billion emails across 3.5 million mailboxes in 2022, unearthing around 30 million spearphishing emails. These findings are in the company’s new report about Spear-Phishing Trends.
While that proportion represents less than a tenth of a percent of all emails, half of the organizations the firm examined in the study, which includes findings from a survey of more than 1,000 companies, were victimized by spearphishing last year. A quarter had at least one email account compromised through an account takeover

Barracuda Networks’ study isolated the five most prevalent spearphishing exploits.
The company also found that Gmail users were more likely to be spearphishing victims than users of Microsoft 365 (57% versus 41%, respectively).
The report detailed the results of a Barracuda-commissioned survey conducted by the independent researcher Vanson Bourne, who polled 1,350 organizations with 100 to 2,500 employees across a range of industries in the U.S., EMEA and APAC countries.
The survey queried companies about damages they experienced as a result of email attacks. Over half said machines were infected with malware, and roughly half reported theft of confidential information
Remote work is increasing risks: Users at companies with more than a 50% remote workforce report higher levels of suspicious emails — 12 per day on average, compared to 9 per day for those with less than a 50% remote workforce. Companies favoring remote work also reported that it took longer to detect and respond to email security incidents — 55 hours to detect and 63 hours to respond and mitigate, compared to an average of 36 hours and 51 hours, respectively, for organizations with fewer remote workers.
On average, 10 suspicious emails were reported to IT on a typical workday, with users in India having reported the highest average number of suspicious daily emails — 15 per day, which is 50% above the global average. By contrast, the U.S. average was nine suspicious daily emails
According to the report, the relatively high number of reported incidents in India may be evidence that organizations there are struggling to prevent email attacks or that organizations in India are placing higher focus on suspicious emails.
The average organization received approximately five emails per day that were identified as spearphishing exploits, and these attacks garnered an average 11% clickthrough rate, according to the report.
From its survey of enterprises, Barracuda found that on average it takes nearly two days for organizations to detect an email security incident. On average, the enterprises polled by Barracuda took nearly 100 hours in total to identify, respond to and remediate an email exploit. They took 56 hours to respond and remediate after the attack was detected.
According to the report, from the respondents that experienced a spearphishing attack:
Fleming Shi, the chief technology officer of Barracuda, said email is still very much the main attack vector used against enterprises, even small to medium-sized businesses, with threat actors who go after large companies often seeking prizes above and beyond what can be filched from a single hit.
Shi said, “They might be going after a person, a brand, data exfiltration or anything going beyond just the first ransom attack, getting to the point where they can hold an enterprise ransom for multiple years or multiple payouts,” he said. “At the end of the day, financially motivated attacks are still going to be numerous, but we also have to watch out for nation-state or politically-driven cyberattacks that try to influence or change opinion and maybe even impact the 2024 election. These are also possible because all they have to do is tweak the weapon to have a different impact.”
The survey found that for 20% of organizations, it takes longer than 24 hours to identify an email attack. According to the study, the long period means users have time to click on a malicious link or respond to an email. Thirty-eight percent of respondents reported taking more than 24 hours to respond to and remediate attacks. Obstacles cited include lack of automation, predictability and knowledge among staff hampering the discovery process.
“Even though spearphishing is low volume, with its targeted and social engineering tactics, the technique leads to a disproportionate number of successful breaches, and the impact of just one successful attack can be devastating,” said Shi. “To help stay ahead of these highly effective attacks, businesses must invest in account takeover protection solutions with artificial intelligence capabilities. Such tools will have far greater efficacy than rule-based detection mechanisms. Improved efficacy in detection will help stop spearphishing with reduced response needed during an attack.”
Organizations victimized by spearphishing were more likely to say the costs associated with an email security breach increased in the last year: $1.1 million versus about $760,880 for those who were victims of other kinds of email attacks, according to the report.
According to Barracuda Networks, 36% of organizations in the U.S. use automated incident response tools, and 45% use computer-based security awareness training. Both groups report faster response times on average, which means they are using fewer IT resources, and those resources can focus on other tasks.
Larger organizations cite lack of automation as the most likely obstacle preventing a rapid response to an incident — 41% for organizations with more than 250 employees, compared to 28% for organizations with 100–249 staff. The smaller companies cite additional reasons almost equally, including:
Shi said it is likely that spearphishing, particularly related to conversation hijacking and business email compromise, will continue to prevail this year, with conversation hijacking building on past data breaches, basically where emails had been stolen.
“The example I will use is ProxyLogon, which was a vulnerability exchange by Microsoft where attackers took not only credentials but past email conversations that allowed them to reiterate and basically recreate a weapon based on previous interactions,” he said. “So, it makes it much easier to bypass all the guardrails, especially the human level awareness that we have.”
He also said that these attacks will be harder to block because not all of them are going to have links and attachments. “Sometimes it’s just an interaction to gain trust, and then it potentially leads to further access to the environment,” he said.
Shi sees the relationship between BECs and spearphishing as “intimate and symbiotic” because BECs can lead to additional phishing attacks, and phishing can lead to BECs.
“The main difference is that most BECs do not have links or attachments. It’s an interaction, a conversation that eventually leads to something bad happening. In order to get there, however, somebody has to compromise the environment. That weapon could be the initial spearphishing type of attack where credentials get stolen.”
Then, he added, with stolen credentials, actors can access the environment to identify communication patterns that continue the attack. “They somewhat camouflage themselves into the environment because once trust is built, an attacker can start activating new weapons that can be evasive to detection mechanisms.”
Barracuda Networks suggested machine learning is a useful tool for identifying anomalous emails through the establishment of normal communication patterns. And, that AI can be deployed to automatically recognize when accounts have been compromised.
The firm also suggests:
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Spearphishing report: 50% of companies were impacted in 2022
Your email has been sent
Your message has been sent
TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.
Get up and running with ChatGPT with this comprehensive cheat sheet. Learn everything from how to sign up for free to enterprise use cases, and start using ChatGPT quickly and effectively.
Get the most out of your payroll budget with these free, open source payroll software options. We’ve evaluated the top eight options, giving you the information you need to make the right choice.
We highlight some of the best certifications for DevOps engineers. Learn more about DevOps certifications.
With so many project management software options to choose from, it can seem daunting to find the right one for your projects or company. We’ve narrowed them down to these ten.
This Microsoft PowerToys app simplifies the process of visualizing and modifying the contents of the standard Windows Registry file.
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
PURPOSE Onboarding and offboarding employees requires careful attention. Otherwise, team members may receive insufficient permissions to perform their jobs or continue to have access long after their employment’s termination. Given the stakes, the problem is even worse when managing IT staff permissions, so it’s imperative that your company adopts a system to ensure consistency. Employees, …
PURPOSE TechRepublic Premium presents 10 tips for the Firefox open-source browser. Even if you only follow some of these, you’ll find your browser experience to be much improved. From the article: 1. USE CAUTION WITH ADD-ONS AND THEMES This is one of the first tips I always offer. I’ve seen web browsers with so many …
PURPOSE The purpose of this Bring your own device policy from TechRepublic Premium is to provide requirements for BYOD usage and establish the steps that both users and the IT department should follow to initialize, support and remove devices from company access. These requirements must be followed as documented in order to protect company systems …
PURPOSE Whether due to budget cuts or performance, letting staff go is sometimes a necessity. There are many steps and considerations HR managers need to navigate when it comes to employment termination. Enlisting an employee termination checklist, like this one from TechRepublic Premium, can help supervisors, managers and HR put in place best practices and …

source