Share with your network!
In 13 years of protecting hundreds of millions of end users from email and mobile spam, Cloudmark has seen billions of malicious emails, giving the company an inside view of the threats that come from messaging environments. We’ve seen the rise of phishing emails and their effects. And more recently, in the past several years, we’ve observed the tremendous growth and success of spear phishing attacks which have had devastating consequences for businesses and governments.
Spear phishing has been associated with most of the largest cyberattacks in recent history including the widely publicized attacks on JPMorgan Chase & Co., eBay, Target, Anthem, Sony and various departments within the U.S. government.
Those are the basics, but we wanted to know more: How do businesses themselves perceive the threat from spear phishing? What kinds of impacts do spear phishing threats have on enterprises? And how are enterprises doing in the fight to combat spear phishing attacks?
To gain insights, we commissioned a study, conducted by the independent research firm Vanson Bourne, to ask 300 IT decision makers about the threat spear phishing represents from the enterprises’ perspective. Two hundred companies were based in the U.S.; the other 100 companies were from the U.K. The respondents were all IT professionals.
Loss of employee productivity ranked as spear phishing’s top impact. American businesses reported greater numbers of losses and bigger impacts than their U.K. counterparts.
Thirty-two percent of respondents reported that their organization has experienced financial losses due to spear phishing attacks.
Damage to company reputation (29 percent) and brand reputation (27 percent) ranked third and fourth on the impacts list, followed by loss of customers (25 percent) and loss of intellectual property (25 percent).
Most dramatically, one in six reported a decline in stock price from a cyberattack that began with spear phishing. U.S. companies reported slightly higher impacts from stock price decreases with one in five saying their company had suffered a decrease in stock price from spear phishing.
One question arises from looking at the data overall over the differences between U.S. and U.K. responses. In general, U.S. respondents were more likely to report greater impacts and severity of spear phishing threats, giving rise to the unanswered question of whether or not the US is more of a battleground for cyberattacks than the U.K.
The average financial cost of spear phishing attacks (in the last 12 months) among the 88 respondents who had suffered a spear phishing attack was $1.6 million. The vast majority were U.S. companies. For the U.S. businesses, the average cost of spear phishing attacks was $1.8 million.
Looking at the defenses companies use to prevent spear phishing attacks was an eye-opening exercise. Seventy-one percent said they had implemented a new solution specifically to combat spear phishing, but 21 percent had not.
Of the respondents who reported that their organization implemented technology solutions, most integrated additional anti-spam (84 percent) and anti-virus (81 percent) software solutions. Seventy-nine percent said they also trained staff on spear phishing awareness.
For those respondents who reported that their organization was using technology solutions to protect against spear phishing, 80 percent relied on secure email gateways, 64 percent had installed secure web gateways, and 63 percent used a URL filtering solution. Fifty-nine percent reported using data leakage protection and 39 percent used a file sandboxing solution.
What should be alarming about the most commonly used tools – anti-spam and anti-virus solutions – is that they were not designed specifically to target spear phishing emails. Secure web gateways and URL filtering were not either. The most popular technology solutions were designed to catch a wide variety of attacks and have not proven effective in detecting and deflecting spear phishing, since respondents report that 28 percent of attacks are getting through their defenses on average.
The human factor in socially engineered attacks – spear phishing – remains top of mind for businesses. IT professionals’ chief concern about spear phishing vulnerabilities is employees, with 44 percent listing workers as the company’s biggest spear phishing liability. (In the U.K., 54 percent worried about employees).
In addition, IT professionals worry about vendors and partners. Vendors’ IT systems were second on the list with 20 percent reporting it as their organization’s biggest spear phishing vulnerability. Partners’ IT systems were third with 19 percent.
Thirteen percent reported an inability to block emails as their biggest vulnerability. This may be due to the ineffectiveness of current technology solutions.
Hopes and fears about establishing a “human firewall” were also borne out by the survey results. On the education front, more than half of the respondents (56 percent) reported that their company offered staff training. U.S. companies are more likely to offer training than U.K. companies (64 percent versus 43 percent respectively).
A much higher percentage of respondents – 79 percent – said their organization tests employees’ responses to spear phishing attacks. The average frequency respondents’ organizations test their employees was 4 times per months. Seventeen percent of companies did not test employees.
The spear phishing awareness failure rates are sobering. For the 79 percent of companies who test employees on spear phishing, the average failure rate on spear phishing tests was 16 percent.
Diving deeper into the testing failure data, the most common employee testing scores were failure rates of 1-10 percent (39 percent) and 10-25 percent failure rates (39 percent). Fifteen percent of respondents whose companies tested reported failure rates of 25-50 percent on employee spear phishing tests.
The survey confirms what the security world has known for some time: that spear phishing is a highly effective way to gain access to a company’s or agency’s resources.
To learn more about the survey results from U.S. companies, see this video with Cloudmark's Senior Vice President of Engineering, Leon Rishniw.
Spear phishing is also a relatively easy form of attack to launch. Though it usually represents the con, later followed by the exploit, spear phishing has grown in popularity and success among attackers.
The damage done by successful spear phishing attacks in 2014 and 2015 is growing. The Carbanak attack, according to Kaspersky Lab, stole as much as $1 billion from as many as 100 banks. The JPMorgan Chase & Co. attack (which compromised 90+ million accounts and netted hundreds of millions of dollars to its attackers) was one of the biggest data breaches in history.
Spear phishing will continue to be a widely used tactic by cyber attackers who find socially engineered emails to be the easiest path of entry to many systems that are otherwise heavily guarded.
Though companies rely on anti-spam and anti-virus solutions, these tools were originally created to attack bulk spam and non-targeted malware payloads, not spear phishing. Employee education also does not provide a bulletproof vest against this pervasive method of attack.
New, more sophisticated technology solutions for spear phishing are needed – tools that take a comprehensive look at all the attributes of spear phishing emails. More focused approaches are needed to zero in on the suite of technology capabilities enterprises must have to combat the growing number of spear phishing attacks.
Click Here to View the Full Infographic
| Which of the below has your organization experienced as a result of spear phishing attacks? | |||
| Total | US | UK | |
| Loss of employee productivity | 41% | 43% | 36% |
| Financial losses | 32% | 40% | 14% |
| Loss of company reputation | 29% | 35% | 16% |
| Loss of brand reputation | 27% | 31% | 19% |
| Loss of customers | 25% | 32% | 11% |
| Loss of intellectual property | 25% | 29% | 16% |
| Decrease in stock price | 15% | 21% | 2% |
| Other (please specify) | 0% | 0% | 0% |
| My organization has not suffered any impact | 17% | 13% | 27% |
| I don't know | 2% | 1% | 5% |