Last year, 88% of organizations around the world experienced spear phishing attacks. But some industries and departments are more likely to be targeted than others.
In this article, we’ll identify examples of vulnerable employees, why they’re targeted, and what tactics hackers use to trick them into handing over sensitive information or initiating money transfers.
But, before we get started, it’s important you understand the difference between phishing and spear phishing.
There are three key differences between phishing and spear phishing.
For more information, including an infographic and real-world examples, read this article: Phishing vs. Spear Phishing: Differences and Defense Strategies.
When we talk about spear phishing attacks, we’re talking about a number of highly targeted attacks, including:
For more information about these different types of attacks, click the links above. If you’re already familiar with these terms, keep reading to find out the four “types” of employees who are most likely to be targeted by spear phishing attacks in 2020.
In companies with over 1,000 people, employees working in Technology are the most likely to fall for a social engineering scam. In fact, according to research, 1 out of every 2 employees in this industry will click on a suspicious link or email, or comply with a fraudulent request.
These aren’t great odds.
Of course, when we’re talking about spear phishing, it’s a targeted attack. That means hackers won’t just send out bulk emails to thousands of employees. Instead, they’ll select individuals who have access to sensitive systems and data and who they think are more likely to fall for a scam.
So, who has access to sensitive systems and data? While you may immediately think of the C-Suite or someone in HR, Executive Assistants are actually a prime target. It makes sense.
A hacker’s dream.
You may be asking yourself: Why identify this person specifically as a new-starter? Because new-starters are especially vulnerable to advanced impersonation attacks.
They aren’t yet familiar with policies or people. They probably haven’t had security training yet. That means they’ll be less likely to confidently distinguish between a normal email and a suspicious request. They’ll also be eager to show initiative and may be less likely to push back when asked to do something unusual like emailing across bank account details or changing passwords.
And, depending on the security culture in the company, they may be apprehensive to report the suspicious email, especially if they were tricked into following a link or downloading an attachment.
Spear phishing attacks and other highly targeted attacks require a bit of recon.
Hackers will research a particular organization or person, hoping to find information that will help them craft a believable email. This could be information about the organization’s structure (for example, who a particular employee reports to) or about a particular person (for example, who started most recently). All a hacker has to do is dig around on LinkedIn and other social media networks. They can also scour a company’s website or look at recent press releases.
While Technology is among the most vulnerable in companies with over 1,000 employees, Healthcare is among the most vulnerable across all company sizes and is also the industry most likely to experience a data loss incident involving employee misuse of access privileges.
Worse still, Healthcare has the highest costs associated with data breaches – 65% higher than the average across all industries – and has for nine years running. Unfortunately, this doesn’t stop hackers from targeting employees like office administrators who – like executive assistants – have access to sensitive systems and data.
The data an office administrator working in Healthcare might handle includes:
And, because a lot of Healthcare professionals work in the public sector, they may have limited budgets for email security solutions that detect and prevent advanced inbound threats that use domain spoofing to trick targets.
Last year, the Manufacturing industry saw the most breaches from social attacks like spear phishing. Manufacturing is also among the most at-risk industries for companies with 1,000+ employees.
Organizations operating in this industry tend to be a part of long supply chains. That means there will be a lot of invoices being paid in and out.
Employees who deal with invoices are even more likely to be targeted now than they were a few months ago. Incidents involving payment and invoice fraud increased by 112% between Q1 and Q2 2020. Attacks on finance employees increased by 87% over the same period.
It’s also important to note that, unlike industries such as Healthcare, Financial Services, and Legal, the Manufacturing industry isn’t obligated to meet strict compliance standards. That means many manufacturers don’t have safeguards in place to protect against threats like spear phishing and business email compromise.
While we’ve outlined why mid-level employees are vulnerable to attacks, it’s important to note that high-ranking employees are high-risk, too.
Not only do they have access to sensitive information like client data and Intellectual Property, but, according to new research into the Psychology of Human Error, employees like Senior Partners may be among the most likely to click on a phishing email.
That’s because survey respondents cite distraction as the number one reason they’ve clicked on phishing emails. They also say they’re more likely to make mistakes when they’re stressed or tired. Senior partners tend to work across several projects, are generally time-poor, and are under tremendous pressure to perform.
But, senior partners are even more vulnerable than other C-level executives because, well, the larger Legal sector is vulnerable. In fact, it’s in the top three most targeted industries, with 80% of firms saying they’ve been targeted by a phishing attack.
While we go into more detail about defense strategies for spear phishing in this article, here are a few top tips to help you spot social engineering attacks like BEC, CEO Fraud, and more.
But, it’s important organizations don’t leave their people as the last line of defense. Technology is critical, especially as threats become more and more sophisticated and harder to detect.
But, spam filters, antivirus software, and other legacy security solutions just aren’t enough.
Tessian’s machine learning algorithms are trained on historical email data. This enables Tessian Defender to understand a company’s complex network of relationships and the context behind each email. From there, it can flag emails that look suspicious.