By Josh Yavor, Chief Information Security Officer, Tessian
Gone are the days of bulk spear phishing attacks, where hackers send scam emails and malicious attachments to as many people as possible and hope for a bite. Spear phishing techniques are growing more targeted and sophisticated, according to new data from Tessian that sheds light on the latest attack methods.
Tessian’s report analyzed two million malicious emails that bypassed traditional email defenses like secure email gateways within the past year. It found that hackers are targeting employees with more tailored emails that reap big rewards, like wire transfer fraud. Account takeover attacks are also a major threat that costs businesses $12,000 on average.
With emails bypassing defenses, humans are left as organizations’ last line of defense against these email scams. But it’s unreasonable to expect each employee to be a cybersecurity expert and identify these attacks every time. Instead, organizations must build a strong cybersecurity culture that encourages people to flag suspicious activity and empowers them with the tools they need to stay secure on channels like email. This starts with understanding the latest threats and building a cybersecurity culture around them.
The State of Spear Phishing
Who is being targeted and when?
Tessian’s report found that the average employee receives 14 malicious emails per year, but that number jumps significantly for highly targeted industries. For example, retail employees received 49 malicious emails per year, while manufacturing employees received 31. Those sectors are also experiencing staffing shortages from The Great Resignation, leaving employees stressed, distracted and potentially more vulnerable to falling for a scam. These risks must be prioritized as companies navigate hiring and turnover challenges.
Bad actors try to trick employees by sending malicious emails in the late afternoon, hoping to slip past a tired or distracted employee. The most common times for spear phishing emails to be sent were 2 p.m. and 6 p.m. Bad actors also take advantage of the holidays by offering “too good to be true” deals. The biggest spike in malicious emails came immediately before and after Black Friday.
What’s the latest attack playbook?
Impersonation techniques continue to be a go-to strategy in the spear phishing playbook. Tessian found that display name spoofing was the most common tactic, appearing in 19% of malicious emails. These attacks use deceptive display names on an email to mislead employees. For example, a display name might show the first and last name of the company’s Chief Financial Officer requesting a wire transfer. While the email address itself may still look suspicious, a recipient often only looks at the name of the sender and could mistake it for a legitimate request.
Domain impersonation, on the other hand, happens when bad actors secure a domain that looks like it belongs to a legitimate business. This technique was used in 11% of malicious emails. The brands most likely to be impersonated were Microsoft, ADP, Amazon, Adobe Sign and Zoom.
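As an added illustration (not Tessian's code or product logic), here is a small Python check that flags the two impersonation patterns described above on constructed From: headers; the organization domain, executive name list, brand list and edit-distance threshold are all assumed values.

```python
# Added example, not Tessian's code: flag display-name spoofing and
# lookalike-domain impersonation on sample From: header values.
# All names, domains and thresholds below are constructed assumptions.
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                       # assumed: our own mail domain
VIP_NAMES = {"jane doe"}                         # assumed: the CFO's display name
BRAND_DOMAINS = {"microsoft.com", "adp.com", "amazon.com", "zoom.us"}
MAX_EDITS = 2                                    # assumed edit-distance budget


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> list:
    """Return the impersonation indicators found in one From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    # Display-name spoofing: a known executive's name on an address outside our domain.
    if name.strip().lower() in VIP_NAMES and domain != ORG_DOMAIN:
        findings.append("display-name-spoof")
    # Domain impersonation: a sender domain a few edits away from a known brand
    # (an exact match is the real brand, so it is not flagged).
    for brand in BRAND_DOMAINS:
        if domain != brand and 0 < edit_distance(domain, brand) <= MAX_EDITS:
            findings.append(f"lookalike-domain:{brand}")
    return findings


# Constructed sample headers, not real messages.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example.com>",                  # legitimate internal mail
    "Jane Doe <jane.doe.cfo@gmail.com>",                # CFO name on a free-mail address
    "Microsoft Account Team <noreply@rnicrosoft.com>",  # "rn" stands in for "m"
    "ADP Payroll <payroll@adp.com>",                    # real brand domain, not flagged
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(header, "->", classify_sender(header) or ["clean"])
```

In practice the VIP and brand lists would come from the directory and a curated list, and a hit would route the message for review rather than block it outright.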
What are bad actors after?
Tessian’s analysis found that tricking users into downloading malware remains a common motive of phishing emails. Malicious links still prove to be a popular and effective technique, with almost half (44%) of malicious emails containing a URL.
Our researchers found more emails related to wire transfers than credential theft, suggesting cybercriminals are still largely focused on financial gain. For example, they’re more likely to try to steal money by impersonating a vendor and requesting a payment than by posing as an IT person requesting an employee’s password.
Building a Cybersecurity Culture from The Ground Up
These attacks are evolving and growing more sophisticated every day. Having a strong cybersecurity culture is more important than ever to ensure employees can work both securely and productively. Rather than getting in their way, an effective cybersecurity culture positions employees as part of the solution while providing the tools they need to stay secure.
This involves a layered approach, starting with creating a transparent, shame-free environment that encourages employees to admit to mistakes or share when something feels off. Unless employees feel comfortable flagging suspicious emails or alerting IT when they’ve clicked a malicious link, security teams won’t know how or when they are being targeted. Essentially, they’ll have zero visibility into these threats.
The next step is relevant, ongoing training. Employees should be trained using the latest and most relevant examples, such as real-world phishing emails. For example, they should see real examples of those “too good to be true” scams before the holiday season and should know to look out for spear phishing emails late in the afternoon. Automation and machine learning tools can also be used to provide in-the-moment training tailored to specific employees based on their role, tenure and location.
But even with training, people will make mistakes like clicking a malicious link or sharing login credentials. Businesses need to take an advanced approach to email security to stop the threats that do get through. Relying on employees to identify and outwit threats 100% of the time will leave an organization vulnerable. The right security tools can provide an added layer of defense and support employees without disrupting their workflow.
About the Author
Josh Yavor is CISO at Tessian, leading information security, threat intelligence, and security research. Most recently he served as CISO for Cisco Secure and led cloud security for Duo Security, with earlier stops at Facebook, Oculus, and iSEC Partners. Josh is an aspiring woodworker and recovering middle school teacher. Learn more about Josh on Twitter and at Tessian.com.