Small businesses three times more likely to be targets for spearphishing

Spearphishing attacks continue to see an increase among small businesses around the world. The scam type of attack which often targets specific individuals or organizations has resulted in many small businesses not only having their data stolen but also having high financial losses.

According to Barracuda’s latest findings in its report, SpearPhishing: Top Threats and Trends Vol. 7, key findings on the latest social engineering tactics and the growing complexity of attacks, small businesses are three times more likely to be targeted than larger organizations.

The report examines current trends in spear-phishing, which businesses are most likely to be targeted, the new tricks attackers are using to sneak past victims’ defenses and the number of accounts that are being compromised successfully. It also tackles the best practices and technology that organizations should be using to defend against these types of attacks.

Interestingly, the report showed that the average employee of a small business with less than 100 employees will experience 350% more social engineering attacks than an employee of a larger enterprise. It also showed that conversation hijacking grew by 270% in 2021 with Microsoft being the most impersonated brand as it was used in 57% of phishing attacks.

In fact, the report showed that cyber criminals compromised approximately 500,000 Microsoft 365 accounts in 2021 and sent out three million messages from 12,000 compromised accounts. Put simply, one in five organizations had an account compromised in 2021.

Between January 2021 and December 2021, Barracuda researchers analyzed millions of emails across thousands of businesses. Most of the compromised accounts came from Nigeria. Hackers are taking advantage of the increasing popularity of Microsoft’s cloud-based services and remote working over the past two years.

Other brands that made it into the top 10 included WeTransfer, which was used in 17% of phishing attacks as well as DocuSign impersonations at 3%. Google, DHL, USPS, and LinkedIn accounts were also compromised that they provided hackers with a wealth of personal information that they can exploit in further attacks.

The report stated that cybercriminals will send fake security alerts or account update information to get their victims to click on the phishing link. The goal of these attacks is to steal login credentials to gain access to corporate networks. From there, hackers can launch other phishing attacks including ransomware.

For account takeovers, hackers target high-value accounts of CEOs and CFOs, which are almost twice as likely to be taken over compared to average employees. Once they have access, cybercriminals use these high-value accounts to gather intelligence or launch attacks within an organization. The report also showed that executive assistants are also now becoming a popular target as they often have access to executive accounts and calendars and usually can send messages out on behalf of executive teams

“Small businesses often have fewer resources and lack security expertise, which leaves them more vulnerable to spear-phishing attacks, and cybercriminals are taking advantage. That’s why it’s important for businesses of all sizes not to overlook investing in security, both technology, and user education. The damage caused by a breach or a compromised account can be even more costly,” said Mark Lukie, Systems Engineer Manager, Barracuda, Asia-Pacific.

While there are many solutions to deal with spearphishing, the reality is, employees need to be vigilant when receiving emails. They need to be sure to check emails and also not simply give out personal information. Businesses can also add in additional cybersecurity protection to boost their email security.

---

---

---