A new report from Barracuda Networks found that business email compromise (BEC) attacks have nearly doubled over the past year. These attacks made up 12% of all spear phishing attacks in 2020, compared to 7% in 2019. While these might seem like low numbers, it’s worth keeping in mind that BEC attacks are far more devastating and require much more effort than normal phishing attacks. Attackers can spend months performing reconnaissance and setting up infrastructure before executing the attack, and successful BEC scams often result in multimillion-dollar losses for the victims.
The researchers also found that 87% of spear phishing attacks took place during the week, while employees were at work. The spear phishing attacks that occurred on weekends often took advantage of the fact that employees were distracted and possibly isolated from their work environments.
Below are some more of Barracuda’s findings:
- “72% of COVID-19-related attacks are scamming. In comparison, 36% of overall attacks are scamming. Attackers prefer to use COVID-19 in their less targeted scamming attacks that focus on fake cures and donations.
- “13% of all spear-phishing attacks come from internally compromised accounts, so organizations need to invest in protecting their internal email traffic as much as they do in protecting from external senders.
- “71% of spear-phishing attacks include malicious URLs, but only 30% of BEC attacks included a link. Hackers using BEC want to establish trust with their victim and expect a reply to their email, and the lack of a URL makes it harder to detect the attack.”
Don MacLennan, Barracuda’s SVP of Engineering & Product Management, Email Protection, said organizations need to keep up with the changing threat landscape.
“Cybercriminals adapt very quickly when they find a new tactic or current event that they can exploit, as their response to the COVID-19 pandemic proved only too well,” MacLennan said. “Staying aware of the way spear phishing tactics are evolving will help organizations take the proper precautions to defend against these highly targeted attacks and avoid falling victim to scammers’ latest tricks.”
New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize phishing attacks.