A new report from cybersecurity company Barracuda has found that IT staffers and CEOs continue to face a barrage of phishing attacks throughout the year.
Barracuda analysts examined more than 12 million spear phishing and social engineering attacks impacting more than 3 million mailboxes at over 17,000 organizations between May 2020 and June 2021.
The “Spear Phishing: Top Threats and Trends Vol. 6 — Insights” report found that 43% of phishing attacks impersonate Microsoft and the average organization is targeted by over 700 social engineering attacks each year.
Nearly 80% of BEC attacks target employees outside of financial and executive roles, with the average CEO receiving 57 targeted phishing attacks each year and IT staffers getting an average of 40 targeted phishing attacks yearly.
Cryptocurrency-related attacks also grew 192% between October 2020 and April 2021, and the researchers noted that the number of attacks rose alongside the general price of various cryptocurrencies.
Almost 50% of all socially engineered threats the company saw over the past year were phishing impersonation attacks, and nearly all included a malicious URL.
“Although phishing emails are nothing new, hackers have started to deploy ingenious ways to avoid detection and deliver their malicious payloads to users’ inboxes. They shorten URLs, use numerous redirects, and host malicious hyperlinks on document sharing websites, all to avoid being blocked by email scanning technologies,” the report said.
“Phishing impersonation assaults have also been trending upwards. These assaults made up 46% of all social engineering assaults we detected in June 2020 and grew to 56% by the end of May 2021.”
Business email compromise attacks made up only 10% of the attacks Barracuda analysts saw but have cost companies in the education, healthcare, commercial, and travel sectors millions.
Hackers are also continuing to use many of the same tactics, including using brands for phishing impersonation attacks.
Microsoft, WeTransfer, and DHL are the top 3 brands used in impersonation attacks going back to 2019. Because of the company’s ubiquity, Microsoft was used in 43% of phishing attacks in the past 12 months.
Often cybercriminals will “send fake security alerts or account update information to get their victims to click on a phishing link.” The same goes for WeTransfer, which went from 9% of all phishing attacks to 18% by 2021.
The rest of the top ten impersonated brands includes Google, DocuSign, and Facebook.
Don MacLennan, senior vice president of Email Protection at Barracuda, said cybercriminals are now targeting employees outside the finance and executive teams, looking for weak links in organizations.
“Targeting lower level representatives offers them a way to get in the door and then work their way up to higher value targets,” MacLennan said. “That’s why it’s necessary to make sure you have protection and training for all representatives, not just focus on the ones you think are the most likely to be attacked.”