Some of the most colourful stories about companies victimized by email attacks involve the C-suite. After all, the people with the big bucks make for good headlines after it’s revealed they fell for a scam and unwittingly wired money to criminals.
However, a report this month from security vendor Proofpoint is a reminder that VIPs usually aren’t the most common targets.
Nearly 30 per cent of targeted email malware and phishing attacks were aimed at generic email addresses — like ‘firstname.lastname@example.org’ — the research showed. “These aliases are particularly attractive to attackers both because they can reach many targets within an organization and they are difficult to protect with multi-factor authentication,” Proofpoint explained in a blog.
In fact 87 per cent of the most attacked email addresses in Q4 2018 among Proofpoint customers weren’t listed in the previous quarter’s report, a sign that attackers can and will shift focus often.
Another interesting finding was that workers in research and development (R&D) and engineering were targeted more heavily than executives and managers, followed by sales and productions and operations functions. They represented 22 per cent of highly targeted malware and phishing attacks.
Among organizations targeted in email spoofing attacks, nearly 60 per cent saw fraud attempts that spoofed more than five identities. And nearly 80 per cent of organizations were targeted in attacks that tried to send spoofed email to six or more people.
The report also notes that so-called angler phishing attacks, which are attacks through customer support channels like email or social media, continue to be a threat. A common tactic is to create highly convincing phony customer service accounts on social media platforms like Twitter and Facebook and wait for customers to ask for help on a legitimate site. The fraudster than send a reply from the lookalike support account.
Often this happens on a weekend when company staff aren’t attentive. The customer is asked to log in for support, and in doing so gives away their credentials.
This is not to say that protecting members of the C-suite isn’t important. But CISOs should only focus on them.
Proofpoint says CISOs should think about the individual risk each employee represents, including how they’re targeted, what data they have access to, and whether they tend to fall prey to attacks. It also says regular training and simulated attacks can stop many attacks and help identify staff who are especially vulnerable.
Click here to read the full report. Registration required.