Over 80 Percent of Spear Phishing Attacks Involve Brand Impersonation, Security Firm Says

Image: Pixabay

As phishing attacks become increasingly commonplace, it’s important to know what to look out for. But not all phishing attacks are the same, and some are far more sophisticated than others. Cybersecurity experts say spear phishing, in particular, is on the rise.


Traditional phishing scams are often numbers games, but spear phishing targets specific individuals or groups. According to a March report on the practice from cybersecurity firm Barracuda Networks, attackers frequently research their targets in advance, and the emails are built to capture login credentials or other sensitive information. Analyzing 360,000 spear phishing emails over a three-month period, the company’s researchers found that 83 percent of these attacks impersonate a brand that the recipient already knows and trusts.

Brand impersonation attacks are among the more convincing phishing schemes, according to the report. The emails are designed to look like routine messages from a service the recipient already uses, such as a company platform or a bank. Apple and Microsoft lead the list of the most frequently spoofed companies, Barracuda’s researchers said, and one in five of these attacks impersonates a bank or other financial entity. In some cases it is hard to tell that a message is a phish at all, because it arrives from a trusted account that has already been compromised, or from an address crafted to look nearly identical to one.

Outside of impersonation schemes, the company highlighted two other spear phishing techniques: business email compromise and blackmail. In a blackmail attack, the attacker claims to hold personal or compromising information or media about the victim and threatens to send it to the victim’s contacts unless a demand is met. Blackmail phishing includes sextortion, the subject of a separate Barracuda analysis released last month. According to that report, more than 30 percent of sextortion emails use a subject line that mentions a password change in order to bait recipients into opening them.

The third category of spear phishing, business email compromise, is comparatively uncommon but no less dangerous. In these scams the attacker impersonates a high-ranking company figure, such as an executive, to manipulate an unsuspecting colleague into sharing sensitive information or approving a wire transfer.

According to Barracuda’s report, 70 percent of the business email compromise attacks it saw tried to manipulate victims with language designed to “establish rapport or a sense of urgency,” for instance by using words like “request,” “follow up,” “urgent” or “important” in the subject line and asking whether the recipient is at their desk. Asaf Cidon, VP for content security at Barracuda Networks, told ZDNet that this kind of social manipulation is “becoming the key ‘attack vector’ in cybersecurity attacks.”

If this all sounds worrisome, it should. But there are steps users can take to avoid falling victim to attacks like these. First and foremost, the importance of multi-factor authentication cannot be overstated: a phished password is far less useful to an attacker who cannot complete the second factor. And as Gizmodo pointed out in a separate report on phishing scams, a password manager is always a good idea as well, not least because a manager only offers saved credentials on the site it saved them for, so it will not autofill on a lookalike domain. Always be cognizant of any links or documents contained in emails, and always, always make sure you know where and why you’re entering login credentials.
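The three categories above correspond to a few signals that can be read straight from a message’s headers. The Python script below is an added example, not code from the Gizmodo article or from Barracuda’s report: it runs four constructed sample messages through simple checks for a brand named in the display name but sent from an unrelated domain, for the urgency wording the report quotes from BEC subject lines, and for the password-change bait the sextortion analysis describes. The brand-to-domain table, the keyword lists and the organization domain example.com are assumptions chosen for illustration.

```python
"""Header-level triage for the three spear phishing categories in the report.

Added example: the sample messages are constructed, and the brand table,
keyword lists and ORG_DOMAIN are assumptions, not values from the report.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumption: the recipient's own mail domain; anything else counts as external.
ORG_DOMAIN = "example.com"

# Assumption: brand name as it appears in a display name -> the domains that
# brand really sends from (Apple and Microsoft top the report's spoofed list).
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "microsoft": {"microsoft.com"},
}

# Rapport/urgency phrases the report quotes from BEC subject lines.
URGENCY_WORDS = ("request", "follow up", "urgent", "important", "at your desk")

# "Password change" wording that the sextortion analysis says baits opens.
PASSWORD_CHANGE_RE = re.compile(r"password.*(chang|reset|expir)|(chang|reset).*password")


def sender_parts(header_value):
    """Split a From header into (display name, lowercase domain)."""
    display, addr = parseaddr(str(header_value or ""))
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return display, domain


def classify(raw_message):
    """Return a list of finding tags for one RFC 5322 message (empty = nothing seen)."""
    msg = message_from_string(raw_message, policy=default)
    display, sender_domain = sender_parts(msg.get("From"))
    subject = str(msg.get("Subject") or "").lower()
    findings = []

    # Brand impersonation: a brand is named in the display name, but the
    # message was not sent from one of that brand's real domains.
    for brand, real_domains in BRAND_DOMAINS.items():
        if brand in display.lower() and sender_domain not in real_domains:
            findings.append(f"brand-impersonation:{brand}")

    # BEC-style pressure: urgency wording in the subject from an external sender.
    if sender_domain != ORG_DOMAIN and any(w in subject for w in URGENCY_WORDS):
        findings.append("bec-style-urgency")

    # Sextortion bait: the subject talks about a password change.
    if PASSWORD_CHANGE_RE.search(subject):
        findings.append("sextortion-bait")

    return findings


# Constructed samples (not real phishing emails).
SAMPLE_BRAND = """\
From: "Apple Support" <no-reply@appleid-verify.example.net>
To: user@example.com
Subject: Your Apple ID has been locked

Sign in within 24 hours to restore access.
"""

SAMPLE_BEC = """\
From: "Dana Chief Executive" <dana.ceo@gmail.example>
To: finance@example.com
Subject: Urgent request - are you at your desk?

I need a wire sent before the bank closes today.
"""

SAMPLE_SEXTORTION = """\
From: nobody@mail.example.org
To: user@example.com
Subject: Your password was changed - read this

I have a recording of you. Pay or I send it to your contacts.
"""

SAMPLE_LEGIT = """\
From: "Microsoft account team" <account-security-noreply@microsoft.com>
To: user@example.com
Subject: New sign-in to your Microsoft account

We noticed a new sign-in from a device you have used before.
"""

if __name__ == "__main__":
    for name, raw in [("brand", SAMPLE_BRAND), ("bec", SAMPLE_BEC),
                      ("sextortion", SAMPLE_SEXTORTION), ("legit", SAMPLE_LEGIT)]:
        print(f"{name:10} -> {classify(raw)}")
```

Each check is deliberately weak on its own: urgency words appear in plenty of legitimate mail, which is why the script only raises the BEC tag when the sender is also outside the organization, and a real deployment would add authentication results (SPF, DKIM, DMARC) and a lookalike-domain comparison rather than the exact-match table used here.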


[Barracuda via ZDNet]


Arai-the fly on the wall

First off, get a password manager and two-factor authenticate anywhere you can. At least use the Chrome password generator if you’re feeling particularly cheap. But not unless you’re certain that your Google account is 99.99% secured and you’re OK with trusting your whole internet security to them.

Always hover over links in email and check their destination in the lower left corner of your browser before clicking. Don’t stop reading at apple(example).com but read until the very last extension if there’s still more after .com. That’s the actual destination to check whether it’s the official site or not.

Avoid clicking links altogether and type in the official website (just Google it in case you’re not sure) in the browser to log in instead.

PS: on a side note, a question to the wider security experts out there: how should we use password manager(s) to secure all passwords BUT without putting all our eggs in a single basket, just in case one company that we use gets hacked or folds?
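The hover-and-read-to-the-end advice in the comment above can be made mechanical. The Python script below is an added example written for this page, not code from the commenter, the article or Barracuda: it pulls every link out of a constructed HTML email body, takes the host from the href, reduces it to the domain somebody actually registered, and flags the cases the comment warns about, namely a brand name that is only a subdomain of someone else’s domain, text before an @ that is not the host at all, a bare IP address, and visible link text that disagrees with the real destination. The brand list and the “last two labels” rule are assumptions; production code should use the Public Suffix List instead.

```python
"""Check where an email link really goes, label by label, to the end of the host.

Added example: the HTML fragment is constructed, the brand list is an
assumption, and the "last two labels" rule is a simplification of the
Public Suffix List.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains whose look-alikes we care about.
KNOWN_BRANDS = ("apple.com", "microsoft.com")


def is_ip_literal(host):
    """True if the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """The part of a hostname that its owner actually registered.

    Simplification: the last two labels. Real code should consult the Public
    Suffix List so that names under suffixes like co.uk are handled correctly.
    """
    if is_ip_literal(host):
        return host
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(href, anchor_text=""):
    """Return the registrable domain a link lands on plus a list of issue tags."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()   # hostname drops userinfo and port
    reg = registrable_domain(host)
    issues = []
    # "https://apple.com@evil.example/": everything before @ is a username, not the host.
    if parts.username is not None:
        issues.append("userinfo-in-url")
    if is_ip_literal(host):
        issues.append("ip-literal-host")
    for brand in KNOWN_BRANDS:
        # The brand appears in the host, but only as a subdomain of another domain.
        if brand in host and reg != brand:
            issues.append(f"brand-in-subdomain:{brand}")
        # The visible link text names the brand, but the href goes elsewhere.
        if brand in anchor_text.lower() and reg != brand:
            issues.append(f"anchor-text-mismatch:{brand}")
    return {"href": href, "registrable_domain": reg, "issues": issues}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def scan_html(html):
    """Analyze every link in an HTML email body, in document order."""
    parser = LinkCollector()
    parser.feed(html)
    return [analyze_link(href, text) for href, text in parser.links]


# Constructed sample body (not a real phishing email).
SAMPLE_HTML = """\
<p>Your account has been locked.
<a href="https://apple.com.account-verify.example.net/login">https://www.apple.com/account</a></p>
<p><a href="https://apple.com@203.0.113.10/">Verify now</a></p>
<p><a href="https://www.apple.com/legal/privacy/">Privacy policy</a></p>
"""

if __name__ == "__main__":
    for result in scan_html(SAMPLE_HTML):
        print(result["registrable_domain"], result["issues"], result["href"])
```

The first link shows why reading stops too early: apple.com is right there at the front of the host, but the registered domain is example.net. The second shows the userinfo trick, where the browser will silently discard apple.com@ and connect to the IP address after it. Only the third, whose host ends in apple.com, comes back clean; a lookalike such as a misspelled brand would not be caught by these checks and needs a separate edit-distance comparison.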