Gone are the days of mass spam emails designed to trick unaware internet users into infecting their devices with harmful software. Cybercriminals are increasingly using highly-personalised email attacks designed to trick specific targets into handing over sensitive information.

Cybercriminals will typically try to impersonate a reputable brand, spoof sender details so it appears to be from a legitimate sender, or claim to possess sensitive information belonging to the account owner.

Known as spear fishing, these malicious emails often go unnoticed by email security systems. The attacker use various techniques, such as sending emails through reputable services such as Gmail, or avoiding the use of attachments, to evade detection.

“Spear phishing attacks are designed to evade traditional email security solutions, and the threat is constantly evolving as attackers find new ways to avoid detection and trick users,” said Asaf Cidon, Vice President of Content Security at Barracuda Networks.

Previous studies have estimated the cost of spear phishing incidents at $1.6m on average, so how can businesses recognise and protect against these malicious emails?

How to spot a spear phishing attempt

Cloud-enabled security solution provider Barracuda recently published its Spear Phishing: Top Threats and Trends report. Researchers analysed more than 360,000 spear phishing attempts to identify the methods currently being used to dupe business professionals into handing over sensitive information.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

The company found that brand impersonation was by far the most common method used, with 83% of attacks launched attempting to impersonate commonly-used businesses and applications. By impersonating businesses that the target frequently engages with, they are less likely to be suspicious of an email received from that company.

Microsoft, who hold a 75% share of the computer operating system market, was the most commonly impersonated business. Microsoft was used in 32% of spear phishing attempts analysed, followed by smartphone manufacturer Apple with 21%.

Financial services and delivery companies were also frequently used. Chase, UPS, American Express, Bank of America and FedEx were all in the top 10. Close to 20% of all attacks involved the impersonation of a financial institution.

Possibly highlighting the sophistication of these email campaigns, cybercriminals appear to have refined their spear phishing attempts to target businesses. Emails sent peaked during mid-week between Tuesday and Thursday, but fell drastically over the weekends. Just 10% of the emails analysed were sent on a Saturday or Sunday.

Sextortion over business email compromise

Aside from impersonation businesses, cybercriminals are increasingly attempting to impersonate individuals within the target’s organisation. Known as business email compromise attacks, these personalised attempts typically involve asking executives or those in the finance department to facilitate payments.

Last year threat detection company Agari warned of a criminal organisation, named London Blue, in possession of a list containing the details of 50,000 top business professionals. The cybercriminal organisation was sending emails that appeared to be from the CEO to the company’s Chief Financial Officer.

While these attacks made up just 6% of those analysed by Barracuda, successful business email compromise attempts have reportedly cost businesses $12.5bn since 2013 according to the FBI.

Despite business email compromise proving to be lucrative method, employees are still twice as likely, if not more, to be targeted by sextortion attempts. Barracuda notes that the frequency of sextortion scams are often underreported as recipients fear embarrassment or exposure.

The cybercriminal will claim to have a compromising video recorded through the account owner’s webcam and will threaten to release it unless a ransom is paid.

While details vary, these emails typically follow the same script. Yet, Barracuda found that these attempts are becoming more sophisticated. Spoofing techniques are often used to give the impression that the email has been sent from the victim’s own email address.

Attackers have also started to include information that was exposed during previous data leaks, such as passwords, to give the impression that they have genuinely compromised the victim’s system.

Barracuda found that 54% of sextortion subject lines will typically contain some kind of security alert, such as “[email address] is under attack” or “cybercriminals know your password [password]”.

How to protect yourself against spear phishing campaigns

When you know what to look out for, detecting a spear phishing attempt becomes significantly easier. However, technology can also help to keep businesses from falling victim to these scams.

“Staying ahead of these types of attacks requires the right combination of technology and user training, so it’s critical to have a solution in place that detects and protects against spear-phishing attacks, including business email compromise, brand impersonation, and sextortion,” Cidon said.

To deal with particularly costly business email compromise threats, artificial intelligence technology can be used to analyse emails within an organisation and detect anomalies in communication. AI can also be used to detect when an account has been taken over by malicious actors before this can be used to cause damage to the organisation.

However, protection doesn’t have to be costly. Simple tools such as multi-factor authentication or simply training staff to spot and respond to email threats can offer a valuable line of defence against cybercriminals.

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up