As spear-phishing tactics continue to evolve, attackers are launching these attacks with greater frequency and severity, making spear-phishing the top threat vector for many organizations, according to a new report from Barracuda Networks.
Despite increased awareness of the types of threats they face, companies continue to fall victim to spear-phishing campaigns because attacks are becoming more tailored, with malicious actors leveraging social engineering tactics such as urgency and brevity, the report found.
The email threat report analyzed 350,000 spear-phishing emails and discovered that brand impersonation schemes – most notably those impersonating Apple or Microsoft – account for 83% of spear-phishing attacks. “These types of spear-phishing attacks, designed to impersonate well-known companies and commonly-used business applications, are by far the most popular because they are well designed as an entry point to harvest credentials and carry out account takeover. Brand impersonation attacks are also used to steal personally-identifiable information, such as credit card and Social Security numbers.”
Attackers often exploit zero-day vulnerabilities in brand-impersonation attacks, which makes it easier to bypass traditional email security because they come from reputable senders and are typically hosted on domains that weren’t previously used as part of any malicious attack, the report said.
The attacks are not randomly deployed: the report found that cyber-criminals carefully time their attacks, with one in five emails delivered on Tuesday. Cyber-criminals also take advantage of the holiday season, knowing that there is a greater likelihood of security weaknesses.
The report found that the week before Christmas saw a 150% spike in spear-phishing attacks.
“Spear phishing attacks are designed to evade traditional email security solutions, and the threat is constantly evolving as attackers find new ways to avoid detection and trick users,” said Asaf Cidon, VP, content security at Barracuda Networks, in a press release. “Staying ahead of these types of attacks requires the right combination of technology and user training, so it’s critical to have a solution in place that detects and protects against spear-phishing attacks, including business email compromise, brand impersonation, and sextortion.”
Barracuda will discuss findings from this research in the Infosecurity Magazine Online Summit keynote, next Tuesday, 2:30–3:00 pm GMT. Register to attend at https://www.infosecurity-magazine.com/online-summits/online-summit-emea-2019-1-1-1-1-1/.