Despite major improvements in how organizations can block millions of cyber attacks, email threats are able to break through defenses because hackers are continually morphing them to be more complex and sophisticated, Barracuda said in a new phishing research report.
It’s not just code that cyber attackers are modifying, it’s also tactics, Barracuda wrote in the report, entitled Spear Phishing: Top Threats and Trends Vol. 7. Cyber threat actors are moving from high volume assaults to more targeted maneuvers, such as from malware to social engineering and from lone operators to organized criminal enterprises laying down attacks that can begin with a single phishing email, according to the report.
Here are some key findings from the study:
- An average employee of a small business with less than 100 employees will experience 350% more social engineering attacks than an employee of a larger enterprise.
- Conversation hijacking grew almost 270% in 2021.
- 51% of social engineering attacks are phishing.
- Microsoft is the most impersonated brand, used in 57% of phishing attacks.
- 1 in 5 organizations had an account compromised in 2021.
- Cyber criminals compromised approximately 500,000 Microsoft 365 accounts in 2021.
- 1 in 3 malicious logins into compromised accounts came from Nigeria.
- Cyber criminals sent out 3 million messages from 12,000 compromised accounts.
Email-spawned threat types vary in complexity. Barracuda identified 13 variants, including:
Spam.
- Data exfiltration.
- Scamming.
- Domain impersonation.
- Extortion.
- Conversation hijacking.
- Account takeover.
- Malware.
- URL phishing.
- Spear phishing.
- Brand impersonation.
- Business email compromise.
- Lateral phishing.
Spam and malware are at the lower end of complexity, while account takeover and lateral phishing are more sophisticated attack types.
Best Practices to Block Attacks
To protect their businesses and users, organizations need to invest in technology to block attacks and in training their employees to act as the last line of defense, Barracuda said.
Chief among best practices are the following:
- Take advantage of artificial intelligence.
- Deploy account takeover protection.
- Monitor inbox rules and suspicious logins.
- Use multi-factor authentication.
- Implement DMARC authentication and reporting.
- Automate incident response.
- Train staffers to recognize and report attacks.
- Review internal policies.
- Maximize data loss prevention.
“Small businesses often have fewer resources and lack security expertise, which leaves them more vulnerable to spear-phishing attacks, and cyber criminals are taking advantage,” said Don MacLennan, Barracuda’s email protection engineering and product management senior vice president. “That’s why it’s important for businesses of all sizes not to overlook investing in security, both technology and user education. The damage caused by a breach or a compromised account can be even more costly.”