Spear-phishing attacks are becoming more and more common, and they’re more sophisticated than ever. In 2019, 88 percent of companies around the world were targets of a spear-phishing attack. The risks that nonprofits face from these attacks include significant damage to infrastructure from malware or stolen credentials, and loss of funds through wire-transfer fraud. But the real danger is possible widespread loss of sensitive donor data.
So what does spear-phishing look like? The premise is simple: a customized attack on a specific employee. On the surface, it looks and sounds like phishing, but there are two key differences. A phishing campaign casts a very wide net and is relatively easy to execute, whereas a spear-phishing campaign targets fewer people and uses more personalized correspondence, which takes more thought and time to execute successfully.
In addition to the tactics that we see employed in phishing, bad actors in these more customized attacks will use information from company websites, social media, and news articles to engineer an email that’s believable, even to someone who’s been through extensive security awareness training.
Oftentimes, cybercriminals impersonate someone in an authoritative position – for example, the CEO or a VP – because fundraisers are quick to lend a helping hand to someone in power, and tend to act with a greater sense of urgency. Malicious emails continue to easily circumvent spam filters and firewalls through increasingly sophisticated brand spoofing campaigns. Unaware or preoccupied users can be easily lured into downloading an attachment or clicking on a malicious email link to inadvertently provide attackers with access to sensitive organization or donor data.
Unfortunately, spam filters and antivirus software haven’t evolved in tandem with the fast-paced digital transformation, which is one reason why reports of phishing attacks have continued to increase year-on-year. 6.4 billion fake emails will be sent today alone. The tactics employed by traditional email solutions – namely identifying malicious payloads and flagging blacklisted domains – are simply ineffective against the advanced impersonation tactics used by cybercriminals in spear-phishing attacks.
When the attacker is pretending to be someone the target trusts, it becomes a human problem, not a filter or software problem. That is why 85 percent of data breaches are caused by human error. Luckily, Gravyty has spent years using artificial intelligence (AI) to understand the human behaviors of development professionals. Through AI and other advanced technologies, Gravyty Guard protects against human-layer security threats without getting in the way of people getting their jobs done.
The best thing you can do to understand human-layer security threats and evaluate how your organization stacks up is to take a data security health assessment.
Is your donor data protected? Take our FREE 15-minute assessment to receive your own Data Security Health Score and find out if your organization is secure.