Last year, 66% of organizations worldwide experienced spear phishing attacks. But some industries and departments are more likely to be targeted than others.
This article identifies examples of vulnerable employees, what makes them targets, and what tactics hackers use to trick them into handing over sensitive information or initiating money transfers.
We'll be focusing on the following spear phishing methods.
- CEO Fraud
- Business Email Compromise (BEC)
- Email Spoofing
Unsure what exactly spear phishing is? Read this article: The Difference Between Phishing and Spear-Phishing.
Let's get started:
Cory: Executive Assistant (New Hire)
Our first spear-phishing victim is Cory: a newly hired executive assistant.
Why is Cory's role relevant? First, because spear-phishing is a targeted attack, cybercriminals look for individuals with access to high-value data. And executive assistants have that access through the executive for whom they work.
Think about it. Executive assistants:
- Have extensive access to financial data, employee data, and intellectual property
- Have access to executives' email accounts, and know their itinerary and travel arrangements
- Work autonomously and have decision-making capabilities
In other words, Cory is in a near-perfect position of access and influence.
Cory's also a new starter, which makes him particularly vulnerable. He isn't familiar with company policies, doesn't know everyone, and hasn't had security awareness training yet.
And psychologically, Cory's "the new guy": he's keen to show initiative, avoid annoying his colleagues, and might be less likely to report his own mistakes.
So when Cory gets a CEO fraud email from someone claiming to be the boss, he's less likely to question it.
How would a hacker know if a specific employee has recently joined a company?
Spear-phishing attacks require meticulous research. But finding out about a company and its employees is easy.
LinkedIn accounts, company websites, and annual reports provide everything a cybercriminal needs to know about an organization's structure and employees.
Lucy: Office Administrator, Healthcare
Our second spear-phishing victim is Lucy: an office administrator working in healthcare.
Why healthcare? Two reasons:
- First, according to a sector-by-sector study, the healthcare industry is the most vulnerable to social engineering attacks overall (without considering company size)
- Second, healthcare employees are most likely to be involved in privilege misuse incidents
And in healthcare, data breaches are exceptionally costly. In fact, for ten years running, healthcare has been the most expensive industry in which to experience a data breach, with the average single incident costing $7.13 million in 2020 (up 10% from 2019).
Why is a healthcare breach so costly? It's partly down to the value of patient data. Think about the types of data accessible to an office administrator working in healthcare:
- Health records
- Clinical trials
- Insurance information
- Credit card details
- Patient data
- Employee data
- Payroll information
Lucy is vulnerable to email spoofing attacks, where a phishing email appears to come from a trusted domain. According to the FBI, spoofing attacks have risen by 81% since 2018. In addition, healthcare firms are often poorly equipped to deal with cybersecurity incidents, as shown by the recent spate of ransomware attacks on hospitals.
Julian: Gift Processing Coordinator or Manager
Our third spear phishing victim is Julian: a gift processing coordinator or manager.
Because his job involves processing potentially significant philanthropic gifts, Julian is particularly vulnerable to BEC - which frequently involves persuading employees to provide private financial information.
BEC remains a cybercrime "growth sector." FBI data shows that in 2020, BEC scammers made over $1.8 billion - far more than via any other type of cybercrime.
Jim: VP of Development (or any C-Suite Executive)
Jim is our fourth spear-phishing victim, and he's the VP of Development at this hypothetical nonprofit (although the same risks apply to all executives at the organization).
So far, we've looked at mid-level employees. But remember that when conducting spear-phishing attacks, cybercriminals aim to get the most "bang for their buck." That's why they frequently target high-ranking employees through "whaling" attacks.
Here's why company executives can be the ultimate catch for a spear-phishing attack:
- They control large budgets
- They have power over many employees
- They're busy, often stressed, and can easily make mistakes
Research suggests that more than half of employees felt they were more likely to make mistakes at work when they were stressed—and that high-ranking employees are among the most likely to fall for a phishing attack.
How can employees detect spear phishing attacks?
Want to avoid ending up like our spear-phishing victims? There are a few basic steps you can take:
- Learn to spot the signs of a spear-phishing email.
- Avoid email impersonation by checking for inconsistencies in senders' email addresses.
- Hover over links to see where they lead before clicking on them.
- Verify non-routine payment instructions over the phone.
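The sender and link checks in the list above can be automated on the mail-filtering side. The following is an added example, not code from the original article: it parses a constructed message and flags a sender address off the company domain, a Reply-To pointing to a different domain, and a link whose visible text does not match its real destination (what hovering would reveal). The internal domain `example-corp.com` and the sample message are assumptions for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-corp.com"  # assumed internal domain for this example

# Constructed sample, not from any real incident: the display name claims to be
# the CEO, the address uses a lookalike domain, Reply-To points elsewhere, and
# the visible link text does not match the real href.
RAW_MESSAGE = b"""From: "Pat Morgan, CEO" <pat.morgan@examp1e-corp.com>
Reply-To: pat.morgan@mail-relay.example.net
To: cory@example-corp.com
Subject: Urgent wire transfer
Content-Type: text/html

<p>Cory, please pay this today.</p>
<a href="http://login.example.net/reset">https://portal.example-corp.com/pay</a>
"""
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

def _host(text):
    """Hostname of a URL-looking string, or None if there is none."""
    return (urlparse(text.strip()).hostname or "").lower() or None

def check_message(raw, company_domain=COMPANY_DOMAIN):
    """Return the spoofing signs found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []
    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender:
        sender_dom = sender.domain.lower()
        # Sign 1: the sender address is not on the company's own domain.
        if sender_dom != company_domain:
            warnings.append(f"sender domain {sender_dom} is not {company_domain}")
        # Sign 2: replies would go to a different domain than the visible sender.
        for addr in (msg["Reply-To"].addresses if msg["Reply-To"] else ()):
            if addr.domain.lower() != sender_dom:
                warnings.append(f"Reply-To domain {addr.domain.lower()} differs from {sender_dom}")
    # Sign 3: the link text shows one host but the href leads to another
    # (what hovering over the link would reveal).
    body = msg.get_body(preferencelist=("html",))
    for href, text in LINK_RE.findall(body.get_content() if body else ""):
        shown, real = _host(text), _host(href)
        if shown and real and shown != real:
            warnings.append(f"link shows {shown} but leads to {real}")
    return warnings
```

Running `check_message(RAW_MESSAGE)` returns three warnings, one per sign; a plain message from the company domain with no Reply-To and no links returns an empty list.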