According to a recent article, the latest quarterly report released by a cybersecurity company analyses the employees and organisational departments that receive the highest number of targeted email attacks.
The report also identifies the techniques and tools used by the attackers.
The report also identified who was being attacked. With information on employees now widely and freely available, fraudsters can find multiple ways into a work environment.
The report showed that attackers target people at all levels: around 60% of highly targeted malware and credential-phishing attacks are aimed at individual contributors and lower-level management.
Upper management accounted for 23.5% of the targeted attacks, even though they make up a smaller share of the total workforce.
Workers in operations and production functions, which make up the majority of the workforce, are the most exposed and represented 23% of highly targeted attacks.
Companies across all industries are targeted with email fraud.
Real estate firms were the most targeted for the second straight quarter, with an average of 67 fraudulent emails sent.
Other industries such as education, entertainment, and media companies saw triple-digit increases from a year ago.
Cyber attacks target people. The report confirmed that workers are tricked into opening an unsafe attachment or clicking on a dubious website. Most attacks used malicious URLs.
Email fraudsters have become ingenious, using a variety of methods to deceive the recipients into opening the email and acting on it.
A common technique is creating subject lines that reference a file or document. Cybercriminals also rely on display-name spoofing, a method used in 90% of the targeted attacks.
Moreover, organisations are becoming more concerned with social media attacks and support fraud. ‘Angler phishing’ occurs when an attacker creates a social media account designed to imitate customer support accounts of trusted brands.
When a customer asks for help on social media, the attacker swoops in with the phony customer-support account before the brand's real account has a chance to respond.
Under the pretext of assisting, the attacker sends a link to a bogus login site to steal credentials, or asks for the credentials directly.
As people continue to blindly trust email communication and fall victim to these threats, cybercriminals will continue to target them.
Businesses must consider a tailored defence strategy that caters to different targets within their organisation.
Organisations should follow these steps to prevent staff from falling prey to targeted attacks:
- Train users to spot and report malicious email
- Assume that users will eventually click some threats
- Build a robust email fraud defence
- Protect brand reputation and customers in channels not owned by the company
- Partner with a threat intelligence vendor
Cybersecurity remains a key concern for organisations. But managing the IT infrastructure is not enough as attacks that target the people in the organisation cannot be patched. Human nature is the ultimate vulnerability.
Protecting people begins from knowing who is being attacked and why they might be targeted, whether because of their roles or the data that they have access to.