In 13 years of protecting hundreds of millions of end users from email and mobile spam, Cloudmark has seen billions of malicious emails, giving the company an inside view of the threats that come from messaging environments. We’ve seen the rise of phishing emails and their effects. And more recently, in the past several years, we’ve observed the tremendous growth and success of spear phishing attacks which have had devastating consequences for businesses and governments.
Spear phishing has been associated with most of the largest cyberattacks in recent history including the widely publicized attacks on JPMorgan Chase & Co., eBay, Target, Anthem, Sony and various departments within the U.S. government.
Those are the basics, but we wanted to know more: How do businesses themselves perceive the threat from spear phishing? What kinds of impacts do spear phishing threats have on enterprises? And how are enterprises doing in the fight to combat spear phishing attacks?
To gain insights, we commissioned a study, conducted by the independent research firm Vanson Bourne, to ask 300 IT decision makers about the threat spear phishing represents from the enterprises’ perspective. Two hundred companies were based in the U.S.; the other 100 companies were from the U.K. The respondents were all IT professionals.
According to the survey, released today, almost two thirds of IT decision makers interviewed say spear phishing ranks as either their organization’s top security concern (20 percent) or among their organization’s top three (42 percent) security concerns. It is clear that IT security professionals recognize that spear phishing is a primary avenue of risk and vulnerability facing organizations today.
The survey is the first to gather enterprise data specifically on the percentage of cyberattacks overall that spear phishing represents. Respondents said that in the past 12 months 84 percent reported that a spear phishing attack had penetrated their security defenses. These statistics point to a widespread inability to defend against these attacks.
In addition, the respondents said that spear phishing was responsible for 38 percent of cyberattacks on their enterprises.
These attacks are costly. Respondents reported that the average cost of an attack across all companies from a spear phishing attack was $1.6 million. One in six companies reported a decrease in stock price as the result of a spear phishing attack.
We wanted to know what kinds of attacks enterprises experienced most often from spear phishing. In the survey, respondents said the most common types of attacks to their business were malware (34 percent), authentication credentials discovery (30 percent) and corporate information requests (25 percent). Nine percent also reported wire fraud attacks.
Email remains the most popular spear phishing medium, respondents said, with 90 percent reporting spear phishing attacks against their company via email. Spear phishing on mobile platforms was the second most likely with 48 percent of respondents reporting this method. Third most likely was social networks, with 40 percent. Removable media was reported by respondents as being targeted by 30 percent of spear phishing attacks.
The IT professionals said cyber-attacks during the past 12 months targeted their prey strategically – most often pinpointing IT staff (44 percent) and finance staff (43 percent) as recipients. These two departments control access to data/infrastructure and money, both of which can be solid gold to the attackers.
Respondents also reported that spear phishing attacks were increasingly directed at C-Suite executives. (These types of attacks are sometimes called “whaling.”) Twenty-seven percent said CEOs were targeted; the number reporting CFO attacks was 17 percent. Respondents reported that their organization had suffered an average of 10 attacks involving the spoofing of a CEO for financial gain within the last 12 months.
We were interested in understanding how companies perceived and reported the serious negative consequences spear phishing incidents had on their businesses. More than 80 percent of respondents reported that spear phishing incidents have had a negative impact on their organization.
While news headlines often emphasize impacts to consumer data and privacy, respondents reported loss of employee productivity as the most common impact experienced by their organization (41 percent).
|Which of the below has your organization experienced as a result of spear phishing attacks?|
|Loss of employee productivity||41%||43%||36%|
|Loss of company reputation||29%||35%||16%|
|Loss of brand reputation||27%||31%||19%|
|Loss of customers||25%||32%||11%|
|Loss of intellectual property||25%||29%||16%|
|Decrease in stock price||15%||21%||2%|
|Other (please specify)||0%||0%||0%|
|My organization has not suffered any impact||17%||13%||27%|
|I don’t know||2%||1%||5%|
Loss of employee productivity ranked as spear phishing’s top impact. American businesses reported greater numbers of losses and bigger impacts than their U.K. counterparts.
Thirty-two percent of respondents reported that their organization has experienced financial losses due to spear phishing attacks.
Damage to company reputation (29 percent) and brand reputation (27 percent) ranked third and fourth on the impacts list, followed by loss of customers (25 percent) and loss of intellectual property (25 percent).
Most dramatically, one in six reported a decline in stock price from a cyberattack that began with spear phishing. U.S. companies reported slightly higher impacts from stock price decreases with one in five saying their company had suffered a decrease in stock price from spear phishing.
One question arises from looking at the data overall over the differences between U.S. and U.K. responses. In general, U.S. respondents were more likely to report greater impacts and severity of spear phishing threats, giving rise to the unanswered question of whether or not the US is more of a battleground for cyberattacks than the U.K.
The average financial cost of spear phishing attacks (in the last 12 months) among the 88 respondents who had suffered a spear phishing attack was $1.6 million. The vast majority were U.S. companies. For the U.S. businesses, the average cost of spear phishing attacks was $1.8 million.
Looking at the defenses companies use to prevent spear phishing attacks was an eye-opening exercise. Seventy-one percent said they had implemented a new solution specifically to combat spear phishing, but 21 percent had not.
Of the respondents who reported that their organization implemented technology solutions, most integrated additional anti-spam (84 percent) and anti-virus (81 percent) software solutions. Seventy-nine percent said they also trained staff on spear phishing awareness.
For those respondents who reported that their organization was using technology solutions to protect against spear phishing, 80 percent relied on secure email gateways, 64 percent had installed secure web gateways, and 63 percent used a URL filtering solution. Fifty-nine percent reported using data leakage protection and 39 percent used a file sandboxing solution.
What should be alarming about the most commonly used tools – anti-spam and anti-virus solutions – is that they were not designed specifically to target spear phishing emails. Secure web gateways and URL filtering were not either. The most popular technology solutions were designed to catch a wide variety of attacks and have not proven effective in detecting and deflecting spear phishing, since respondents report that 28 percent of attacks are getting through their defenses on average.
The human factor in socially engineered attacks – spear phishing – remains top of mind for businesses. IT professionals’ chief concern about spear phishing vulnerabilities is employees, with 44 percent listing workers as the company’s biggest spear phishing liability. (In the U.K., 54 percent worried about employees).
In addition, IT professionals worry about vendors and partners. Vendors’ IT systems were second on the list with 20 percent reporting it as their organization’s biggest spear phishing vulnerability. Partners’ IT systems were third with 19 percent.
Thirteen percent reported an inability to block emails as their biggest vulnerability. This may be due to the ineffectiveness of current technology solutions.
Hopes and fears about establishing a “human firewall” were also borne out by the survey results. On the education front, more than half of the respondents (56 percent) reported that their company offered staff training. U.S. companies are more likely to offer training than U.K. companies (64 percent versus 43 percent respectively).
A much higher percentage of respondents – 79 percent – said their organization tests employees’ responses to spear phishing attacks. The average frequency respondents’ organizations test their employees was 4 times per months. Seventeen percent of companies did not test employees.
The spear phishing awareness failure rates are sobering. For the 79 percent of companies who test employees on spear phishing, the average failure rate on spear phishing tests was 16 percent.
Diving deeper into the testing failure data, the most common employee testing scores were failure rates of 1-10 percent (39 percent) and 10-25 percent failure rates (39 percent). Fifteen percent of respondents whose companies tested reported failure rates of 25-50 percent on employee spear phishing tests.
The survey confirms what the security world has known for some time: that spear phishing is a highly effective way to gain access to a company’s or agency’s resources.
To learn more about the survey results from U.S. companies, see this video with Cloudmark’s Senior Vice President of Engineering, Leon Rishniw.
Spear phishing is also a relatively easy form of attack to launch. Though it usually represents the con, later followed by the exploit, spear phishing has grown in popularity and success among attackers.
The damage done by successful spear phishing attacks in 2014 and 2015 is growing. The Carbanak attack, according to Kaspersky Lab, stole as much as $1 billion from as many as 100 banks. The JPMorgan Chase & Co. attack (which compromised 90+ million accounts and netted hundreds of millions of dollars to its attackers) was one of the biggest data breaches in history.
Spear phishing will continue to be a widely used tactic by cyber attackers who find socially engineered emails to be the easiest path of entry to many systems that are otherwise heavily guarded.
Though companies rely on anti-spam and anti-virus solutions, these tools were originally created to attack bulk spam and non-targeted malware payloads, not spear phishing. Employee education also does not provide a bulletproof vest against this pervasive method of attack.
New, more sophisticated technology solutions for spear phishing are needed – tools that take a comprehensive look at all the attributes of spear phishing emails. More focused approaches are needed to zero in on the suite of technology capabilities enterprises must have to combat the growing number of spear phishing attacks.