When a junior research scientist inadvertently accessed a malicious PDF document disguised as research project information, a pharma company was subjected to a spear phishing attempt. Nothing seemed unusual, so he sent it to the top scientist. When another person opened the document, malware was executed, syphoning sensitive and important information to their competitors in Indore. The entire amount of damage was Rs 7.6 crores.

In another case, a renowned Pune-based company was defrauded of Rs 1.95 crore by cyber hackers in 2021 using mail phishing to acquire machinery from a Chinese company. The cyberattackers sought an advance payment to another bank account with identical information. The funds were transferred to a bank account in London rather than their Chinese vendor company.

Similarly, a Khar-based chemicals trading firm was recently defrauded of Rs 10 lakh after the accused reportedly spoofing the email ID of one of the company’s raw material suppliers and duping their accounts department into paying the cash.

These are just a few of the spear phishing incidents that have occurred in Indian corporations. And it’s on increase.

Industry watchdogs Barracuda Networks discovered approximately 30,000,000 spear-phishing emails in a study of 50 billion emails from 3.5 million mailboxes.

That implies 50 per cent of organisations studied were victims of spear-phishing in 2022 — and 24 per cent had at least one email account compromised through account takeover. While these emails account for less than 0.1 per cent of all emails sent, they have a significant impact on organisations when assaults are successful.

Let’s take a look how.

What is spear phishing

Spear phishing is a highly personalised form of email attack.

Hackers research on their targets and meticulously create messages, frequently impersonating a trusted colleague, website, or business. Typically, spear-phishing emails attempt to obtain sensitive information such as login passwords or financial information, which is subsequently used to perpetrate fraud, identity theft, and other crimes.

To maximise the likelihood of success, cybercriminals use social-engineering strategies such as urgency, brevity, and pressure in their spear-phishing attempts.

Cybercriminals never stop

Barracuda’s research shows that the average organisation gets roughly 5 spear phishing emails per day — that’s more than 1,700 each year.

Moreover, in 2022, nearly one in four organisations (24 per cent) had at least one email account compromised through account takeover. Hackers sent an average of 370 malicious emails from each compromised account.

Perhaps the worst news of all is that the analysis shows that spear phishing emails have an average click-through rate of 11 per cent. Considering just one successful attack can be devastating, it’s critical to have multilayered protection against these email-based threats.

To tell you more, there are five main types of spear phishing attacks.

SMEs are frequent target

According to Barracuda’s past research, employees of smaller companies with less than 100 employees are often targeted. With a high average number of social engineering attacks per mailbox.

One of the reasons being that SMEs don’t often have the tool necessary to identify and block sophisticated attacks or even identify and respond to such attacks.

The study claims, organisations using Gmail are more likely to report falling victim to spear-phishing attacks than those using Microsoft 365 — 57 per cent of firms using Gmail reported a successful spear-phishing attack, compared to 41 per cent for those using Microsoft.

India got 15 suspicious mails every day

India has the highest number of suspicious emails per day and 53 per cent of Indian firms were victims of spear-phishing in 2022. On average, 24 per cent had at least one email account compromised through account takeover, according to IT security firm research.

About 63 per cent of Indian respondents that experienced a spear-phishing attack reported machines infected with malware or viruses, 61 per cent reported having stolen login credentials or account takeover and 56 per cent reported having sensitive data stolen, the report noted.

Brunt of spear phishing on companies

Almost every victim of a spear-phishing attack in the last 12 months had consequences, such as malware infections, stolen data, and reputational damage. While direct monetary loss is one of the outcomes, any of the other effects of an assault could result in some financial damage for an organisation.

Organisations with and without cyber insurance saw infected PCs because of spear phishing assaults. However, the latter sees more infected machines.

Firms with cyber insurance were more likely to experience other effects, including stolen information, stolen credentials, and direct monetary losses. The difference could be that only companies with sensitive information to steal would cite that as an impact. It’s also possible that companies aren’t aware of these problems and aren’t looking for impacts, like the loss of sensitive information or stolen credentials.

Costs of spear phishing attacks

Organisations hit with a spear-phishing attack were more likely to say the costs associated with an email security breach had increased dramatically in the last year — 28 per cent versus 15 per cent of those who hadn’t been victims of spear-phishing.

These organisations are also more likely to have higher overall recovery and impact costs for the most expensive attack they suffer — an average of $1.1 million compared to $760,882 for those who were the victims of other types of email-based attacks.

Threat detection & response challenges

No security is effective 100 per cent of the time. When a threat gets through, security teams need to act fast to identify and respond before it spreads and causes extensive damage. Faster detection and response times lower the risk of a security breach.

However, on average, organisations take nearly 100 hours to identify, respond to, and remediate a post-delivery email threat.

For 1 in 5 organisations (22 per cent), it takes longer than 24 hours to identify an email attack.

This long period gives users ample time and opportunity to click on a malicious link or respond to an email. When that happens, cyber criminals hack the system and get inside the network to compromise accounts.

The study suggests that lack of automation is a top obstacle.

Larger organisations cite lack of automation as the most likely obstacle preventing a rapid response to an incident — 41 per cent for organisations with more than 250 employees, compared to 28 per cent for organisations with 100–249 staff.

Smaller companies cite additional reasons almost equally, including the lack of predictability (29 per cent), knowledge among staff (32 per cent), and proper security tools (32 per cent).

Smaller companies appear to be still in the process of adopting appropriate tools and appear to have difficulty hiring and retaining knowledgeable staff. Once organisations have the right people, processes, and technology in place, they can take advantage of accelerators available to expedite response work, including automation.

On the contrary, for companies who invested in the automation and security training has decreased the response times for companies.

This infographic shows, Australia has the lowest adoption rates (24 per cent) of computer-based security awareness training. That’s one of the reasons for its longest response times. Australia takes 175 hours on average to uncover and respond to post-delivery threats.

In the United States, however, 36 per cent of organisations utilise automated incident response, and 45 per cent use computer-based security awareness training. They also report faster average response times, which means they use fewer IT resources, and those resources can be focused on other tasks.

Having more remote workers slows detection & response.

Companies with more than a 50 per cent remote workforce also reported that it takes longer to both detect and response to email security incidents — 55 hours to detect and 63 hours to response and mitigate, compared to an average of 36 hours and 51 hours respectively for organisations with fewer remote workers.

Detection, response, and remediation times are shorter on average for larger organisations, which typically have more resources available and can respond more quickly. While the larger size has the potential to make the company susceptible to more threats, a larger team is likely available to help with efforts to detect, respond to, and remediate any impacts from attacks.

Overall, the research revealed that cybercriminals continue to barrage organisations with targeted email attacks, and many companies are struggling to keep up.

While spear-phishing attacks are low-volume, they are widespread and highly successful compared to other types of email attacks.