Bulk phishing attacks don’t discriminate. Like spam emails, the strategy is quantity over quality. If the phish lands in enough inboxes, some people will fall for it, even if it’s not using sophisticated tactics. However, modern cybercriminals are increasingly turning to more targeted, sophisticated attacks designed to bypass traditional security and catch out specific individuals.
Data from our latest report ‘Fighting phishing: The IT leader’s view’ shows 84% of organizations were victims of phishing last year – a 15% increase from our 2021 ‘The real and rising risk of phishing’ report. So which individuals and teams are being targeted? And do they have an equal chance of falling for attacks?
Are senior or junior employees higher priority targets?
There’s an argument for targeting both senior and junior employees within a business. C-level and senior executives are more likely to be able to approve payment requests and their credentials will have access to more sensitive systems and data. On the other hand, junior employees and newer joiners might be less familiar with processes and chains of command, making them vulnerable to impersonation attacks.
In ‘Fighting Phishing: The IT leader’s view’, our surveyed IT leaders believed that senior employees were the higher priority targets. 66% thought C-level and senior management were more likely to be targeted, while 31% believed practitioners (specialized workers with no management responsibility) and admin-level employees were the more likely targets.
Who’s most likely to fall for phishing?
IT leaders thought senior employees were the most likely to be targeted by phishing. However, when it came to who they thought was more likely to fall for phishing, they took a different view. 49% believed practitioner and administrator-level employees were the most likely to fall for a phishing attack, while 46% thought C-level and senior management were.
Our findings also showed that 34% of surveyed organizations said a fraudulent invoice had been paid because of a whaling attack (phishing specifically targeted at C-level and senior executives). Anyone can be tricked by phishing – which is why it’s important to embed cybersecurity culture throughout an organization.
Which teams are most likely to be targeted?
IT leaders pinpointed finance (27%) and IT (23%) teams as the departments most likely to be targeted by phishing emails. This makes sense: cybercriminals want to reach people with the authority to divulge financial information or authorize payments, and to steal credentials from people with access to sensitive IT systems.
Finance teams in particular are targets for business email compromise, where cybercriminals hack legitimate accounts to try to get fraudulent invoices paid. These teams need to be wary of urgent email requests from vendors or senior executives that sound unusual or try to bypass normal processes. Attackers can use social media to map chains of command and identify new joiners for leverage in impersonation attempts, or to find vendor relationships for supply chain compromise.
The CISO of a UK company within the legal sector told us: “A phishing email containing fraudulent purchase orders was sent to our C-suite. The purchase orders were immediately passed on to the finance team to be paid and because they came from the board, they were unfortunately paid without being properly checked. We lost over £30,000 ($41,000).”
Remote workers = easier targets
Where people work is an important factor in who’s targeted. According to Microsoft’s New Future of Work Report, 80% of security professionals say they’ve seen increased security threats since the shift to remote working – and 62% said that phishing campaigns had increased more than any other type of threat. An August 2021 survey conducted by Palo Alto Networks also found that 83% of companies with relaxed bring-your-own-device (BYOD) policies had seen increased security issues.
This lines up with the attitudes of our surveyed IT leaders – 58% believe people are more vulnerable to phishing when using mobile devices, as smaller screens make it harder to detect display name spoofs (a familiar sender name shown over an unfamiliar address) and offer no way to hover over links to reveal their real destination.
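The two warning signs described above, a display name that borrows a senior executive’s identity and a sender or vendor domain that only resembles a trusted one, are exactly what a mail gateway or mailbox rule can check before the message reaches a small mobile screen. The following is an added example written for this article, not code from Egress or from the report; the organization domain, executive directory, vendor domain list and sample From: headers are constructed for illustration.

```python
"""Flag display-name impersonation and lookalike domains in a From: header.

Added example for illustration only. OWN_DOMAIN, EXECUTIVES, VENDOR_DOMAINS
and every sample header below are constructed values, not real data.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr


def _name_key(name: str) -> tuple:
    """Normalize a display name so 'Jane Doe' and 'Doe, Jane' compare equal."""
    return tuple(sorted(name.lower().replace(",", " ").split()))


# Constructed: the organization's own domain and a small executive directory.
OWN_DOMAIN = "example.com"
EXECUTIVES = {
    _name_key("Jane Doe"): "jane.doe@example.com",
    _name_key("Raj Patel"): "raj.patel@example.com",
}
# Constructed: domains of approved vendors whose invoices finance normally pays.
VENDOR_DOMAINS = {"acme-supplies.com", "northwind-legal.co.uk"}


def lookalike_of(domain: str, known: set, threshold: float = 0.85):
    """Return the trusted domain this one most resembles, or None.

    An exact match is not a lookalike, and a domain below the similarity
    threshold is treated as simply unrelated rather than deceptive.
    """
    if domain in known:
        return None
    best, score = None, 0.0
    for candidate in known:
        ratio = SequenceMatcher(None, domain, candidate).ratio()
        if ratio > score:
            best, score = candidate, ratio
    return best if score >= threshold else None


def assess_from_header(from_header: str) -> list:
    """Return a list of human-readable findings for one From: header value."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # Display name matches an internal executive but the address does not:
    # the classic whaling / display-name spoof pattern.
    expected = EXECUTIVES.get(_name_key(display))
    if expected and addr != expected:
        findings.append(
            f"display name '{display}' impersonates {expected}; actual sender is {addr}"
        )

    # Sender domain is a near-miss of our own domain or an approved vendor's.
    if domain and domain != OWN_DOMAIN:
        near = lookalike_of(domain, {OWN_DOMAIN} | VENDOR_DOMAINS)
        if near:
            findings.append(f"sender domain {domain} resembles trusted domain {near}")

    return findings


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, three suspicious.
    samples = [
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jane.doe@gmail.com>",
        '"Doe, Jane" <ceo.office@examp1e.com>',
        "Accounts Payable <billing@acme-supp1ies.com>",
    ]
    for header in samples:
        result = assess_from_header(header) or ["no findings"]
        print(header)
        for line in result:
            print("  -", line)
```

A rule like this belongs alongside, not instead of, SPF/DKIM/DMARC checks and an out-of-band confirmation step for payment changes: it catches the cheap impersonations that rely on the recipient not reading the actual address, which is precisely what a small screen hides.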
Last year’s 2021 Data Loss Prevention Report highlighted that 73% of people use a mobile device to communicate via email outside of working hours. 46% of respondents felt under pressure to do so, and one-quarter (24%) were usually doing something else at the same time. This is a perfect storm for cybercriminals, and organizations need to address mobile working as a source of risk.
Which types of organization are being targeted?
Cybercriminals can carry out their own research into organizations, or they can choose from a wide range of open-source intelligence (OSINT) available for purchase on crime-as-a-service marketplaces. Factors for choosing a victim include:
- What security defenses do they have in place?
- Is there a known entry point for an attack?
- Have they paid a ransom before?
When choosing an ideal victim, cybercriminals often also find out whether a target has cyber insurance. Out of our surveyed organizations, 72% have put cyber insurance in place as a preventative measure to mitigate phishing attacks. A common tactic is to set a ransom just below what an insurance firm will pay out, as hackers know their ransom will be covered under the terms of the insurance and is more likely to be paid.
Cybercriminals target businesses of all sizes. According to Ponemon Institute’s 2019 State of Cybersecurity Report, 66% of small to medium sized businesses experienced a cyber-attack during 2019. Our survey data shows a 26% increase on that figure, with 83% of small to medium sized businesses (under 1,000 employees) experiencing a breach.
In terms of industry, our survey data showed that financial services firms were particularly targeted by ransomware: 70% of our surveyed FS firms experienced a ransomware attack. That’s 16% more than in the legal industry and 19% more than general businesses.