Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.
Last year, 66% of organizations worldwide experienced spear phishing attacks. But some industries and departments are more likely to be targeted than others.
In this article, we’ll identify examples of vulnerable employees, why they’re targeted, and what tactics hackers use to trick them into handing over sensitive information or initiating money transfers.
We’ll be focusing on the following spear phishing methods.
For more information about these different types of attacks, click the links above. Unsure what exactly spear phishing is? Read this article: Phishing vs. Spear Phishing: Differences and Defense Strategies.
Let’s get started…
Our first spear phishing victim is John: An executive assistant working in tech.
Why tech? Because it’s a highly targeted sector. Employees in tech firms are the most likely to fall for a social engineering scam, according to one study looking at companies with over 1,000 people.
In fact, in medium-large tech companies, roughly half of employees will click on a malicious link or obey instructions in a phishing email.
Those aren’t good odds.
Within the tech industry, John is an executive assistant.
Why is John’s role relevant? Because spear phishing is a targeted attack—cybercriminals are looking for individuals with access to high-value data. And executive assistants have that in spades.
Think about it. Executive assistants:
In other words, John is in a near-perfect position of access and influence.
John’s also a new starter, which makes him particularly vulnerable. He isn’t familiar with company policies. He doesn’t know everyone. And, for what it’s worth, he hasn’t had security awareness training yet.
And psychologically, John’s “the new guy”—he’s keen to show initiative, avoid annoying his colleagues, and might be less likely to report his own mistakes.
So when John gets a CEO fraud email from someone claiming to be the boss, he’s less likely to question it.
Spear phishing attacks require meticulous research. But finding out about a company and its employees is easy.
LinkedIn accounts, company websites, annual reports—everything a cybercriminal needs to know about an organization’s structure and employees is laid out in public view.
Learn more about how bad actors leverage publicly available information in this research report: How to Hack a Human.
Our second spear phishing victim is Lucy: an office administrator working in healthcare.
Why healthcare? Two reasons:
And in healthcare, data breaches are particularly costly. In fact, for ten years running, healthcare has been the most expensive industry in which to experience a data breach, with the average single incident costing $7.13 million in 2020 (up 10% from 2019).
Why is a healthcare breach so costly? It’s partly down to the value of patient data. Think about the types of data accessible to an office administrator working in healthcare:
Healthcare firms are often poorly equipped to deal with cybersecurity incidents, as shown by the recent spate of ransomware attacks on hospitals. Therefore, they may lack software capable of identifying a spoofed email account.
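As an added illustration (not Tessian's code or any product's logic) of the kind of check such software performs, the snippet below flags a From: header whose display name matches an executive while the address is external, or whose domain is a lookalike of the organisation's own; the organisation domain, executive names and sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed reference data (assumptions for this example, not real organisations):
# the organisation's own sending domain and the display names of executives that
# CEO-fraud emails typically impersonate.
ORG_DOMAIN = "example-health.org"
EXECUTIVE_NAMES = {"jane doe", "dr jane doe"}
# Character substitutions commonly used to build lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

def normalise_domain(domain: str) -> str:
    """Undo common homoglyph substitutions so 'examp1e' compares equal to 'example'."""
    d = domain.lower()
    for lookalike, real in HOMOGLYPHS.items():
        d = d.replace(lookalike, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character domain tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str) -> list:
    """Return the reasons a From: header looks like executive impersonation (empty = no signal)."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    reasons = []
    if domain == ORG_DOMAIN:
        return reasons  # genuine internal sender; a compromised internal account is out of scope here
    if display_name.strip().lower() in EXECUTIVE_NAMES:
        reasons.append("executive display name sent from an external domain")
    if normalise_domain(domain) == ORG_DOMAIN or 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
        reasons.append(f"lookalike of {ORG_DOMAIN}: {domain}")
    return reasons

if __name__ == "__main__":
    # Constructed sample headers: one genuine, then three impersonation patterns
    for header in ["Jane Doe <jane.doe@example-health.org>",
                   "Jane Doe <ceo.jane.doe@webmail-example.com>",
                   "IT Helpdesk <support@examp1e-health.org>",
                   "Jane Doe <jane.doe@example-heallth.org>"]:
        print(header, "->", classify_sender(header) or "no signal")
```

Real mail gateways combine checks like these with SPF/DKIM/DMARC results and sender history; this one only demonstrates the header-level signal.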
Our third spear phishing victim is Adam: an accounts payable manager working in manufacturing.
Manufacturing is among the most targeted industries in social engineering incidents. And manufacturing firms are a favorite for BEC attacks, because of the high volume of invoices being paid.
Manufacturing companies are often part of long supply chains, which can be targeted in account takeover attacks.
Because his job involves processing payments, Adam is particularly vulnerable to BEC—which frequently involves persuading accounts managers to pay fake invoices.
BEC remains a cybercrime “growth sector”. FBI data shows that in 2020, BEC scammers made over $1.8 billion—far more than via any other type of cybercrime.
Magda is our fourth spear phishing victim, and she’s a senior partner at a law firm.
So far, we’ve looked at mid-level employees. But remember that when conducting spear phishing attacks, cybercriminals aim to get the most “bang for their buck.” That’s why they frequently target high-ranking employees through “whaling” attacks.
Here’s why company executives can be the ultimate catch for a spear phishing attack:
About that last point: Tessian research suggests that more than half of employees felt they were more likely to make mistakes at work when they were stressed—and that high-ranking employees are among the most likely to fall for a phishing attack.
Plus, Magda works in a law firm—and we know the legal sector is heavily targeted by spear phishing.
As the U.K.’s National Cyber Security Centre reports:
“The cyber threat to the UK legal sector is significant and the number of reported incidents has grown substantially over the last few years.”
This increase in cybercrime is partly down to the rapid rate at which legal firms are adopting new technology.
Want to avoid ending up like our spear phishing victims? There are a few basic steps you can take:
But note that humans are often not capable of detecting the subtle differences between phishing emails and authentic emails. And spam filters, antivirus software, and other legacy security solutions just aren’t enough.
Tessian Defender uses machine learning, anomaly detection, behavioral analysis, and natural language processing to detect even the most discreet phishing signals. Here’s how it works.
Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.