An average CEO receives 57 phishing emails a year, but other C-suites and non-executives like sales and IT employees are getting hit just as hard. This is according to new research from security firm Barracuda Networks, which analyzed over 12 million email attacks impacting more than three million mailboxes at roughly 17,000 organizations.
â€œIt affirms our view that these attackers are becoming more patient than before and that they are willing to spend time to build trust and social engineer their way to target more valuable assets eventually,â€ Barracuda CTO Fleming Shi told VentureBeat.
Sales employees make great targets because they frequently interact with people outside their organizations, Shi said. Theyâ€™re the targets in 20% of enterprise business email compromise (BEC) attacks, with malicious actors often manipulating sales orders, quotes, and other business emails. IT staffers are also common targets, because their access to IT infrastructure is extremely valuable for attackers in establishing persistence in the network and planning lateral movements. They receive over 40 phishing attempts annually on average, according to the research. Overall, Barracuda found an average organization is targeted by over 700 social engineering attacks in a year, 49% of which are phishing attacks specifically.
Who attackers are impersonating
In addition to who is being targeted, Barracuda also looked into what exactly those phishing emails look like â€” specifically, who theyâ€™re impersonating. The research shows Microsoft is the most impersonated brand by far, with 43% of attackers posing as the company. This has been the case since 2018, according to security company Vade. In the first six months of 2021 alone, â€‹â€‹Vade found 12,777 Microsoft phishing URLs. The company also recently discovered that hackers actually co-opted one of Microsoftâ€™s anti-phishing features to launch more sophisticated phishing attacks.
â€œItâ€™s pretty telling that Microsoft continues to be impersonated more than any other brand,â€ Shi said. â€œNot only because Microsoft is a trusted name, [but] also because they are the identity provider which most of the organizations are using.â€
According to Barracuda, WeTransfer and DHL are the other most impersonated brands and, along with Microsoft, have comprised the top three since 2019. Impersonation of WeTransfer especially has been on the rise, doubling from being used in 9% of phishing attacks in 2019 to 18% this year. The company also found attackers impersonating Google, eFax, DocuSign, USPS, Dropbox, Xerox, and Facebook.
Rise in phishing attacks
If it feels like phishing attacks are everywhere, thatâ€™s because they are. In the aforementioned report, Vade also revealed a major jump in phishing attacks since the start of the year, with a 281% spike in May and another 284% increase in June. Shi said these types of attacks are â€œunfortunately very effectiveâ€ and are rising because theyâ€™re used to steal credentials.
These numbers reflect other recent research from IT asset monitoring, management, and security platform provider Ivanti, which surveyed organizations about recent attacks. According to the report, 80% of respondents said theyâ€™d seen an increase in the number of phishing attempts targeting their organizations, and 74% said their organizations had fallen victim to a phishing attack in the last year. In that research, nearly 75% of respondents said IT staff were the targets.
Both of these reports, as well as many others, show not only that attacks are happening more often, but that they are getting more sophisticated, too. Thomas Briend, the Vade engineer who uncovered the Microsoft 365 tactic, said itâ€™s â€œa first in terms of API abuse,â€ as far as he knows. Shi also specifically called out new links between cryptocurrencies and spearfishing, which describes phishing attacks that are targeted at specific individuals or organizations. While Bitcoin has always been used to collect ransom payments, hackers have increasingly been impersonating digital wallets and other related apps to steal valuable cryptocurrency directly. The report notes this has been happening over the past eight months, coinciding with the recent spike in Bitcoinâ€™s value.
Overall, Shi believes weâ€™re entering a phase he calls the â€œpost-breach era,â€ where we have to accept that a large portion of our data and credentials have already been stolen.
â€œWe have to have visibility, detection, and response capabilities to ensure we stop the criminals,â€ he said. â€œI want to be clear, this is not an easy task given how complex the attacks are.â€