Even as organisations are falling prey to general phishing attacks, hackers have upped the ante by increasing spear phishing campaigns, targeting specific individuals or groups.

According to the latest report by Barracuda Networks Inc., as many as 53 per cent of organisations studied in India were victims of spear phishing in 2022. A typical organisation received 5 highly personalised spear-phishing emails per day.                    

Spear-phishing attacks make up only 0.1 per cent of all e-mail-based attacks, but they are responsible for 66 per cent of all breaches.

The 2023 Spear-phishing Tends Report shows that on average 24 per cent had at least one email account compromised through account takeover. 

Unlike general phishing campaigns, where hackers send bulk mails to random people or organisations with malicious links or codes, spear phishing is about targeting a specific individual or a group.

Cybersecurity experts point out that sustained spear phishing attacks are more likely to succeed than the regular phishing attacks.

Also read: An AI-based solution promises to end phishing menace of SMSes

The study was based on a data set that comprises 50 billion emails across 3.5 million mailboxes, including nearly 30 million spear-phishing emails. The report also features survey findings from Barracuda-commissioned research. The survey, conducted by independent researcher, Vanson Bourne, questioned IT professionals from the frontline to the most senior roles at 150 Indian companies with 100 to 2,500 employees, across a range of industries. 

“The research revealed that cybercriminals continue to barrage organisations with targeted email attacks, and many companies are struggling to keep up. While spear-phishing attacks are low-volume, they are widespread and highly successful compared to other types of email attacks,” the report said.

Highly successful

About 63 per cent of Indian respondents that experienced a spear-phishing attack reported machines infected with malware or viruses; and 61 per cent reported having stolen login credentials or account takeover.

The cybersecurity solutions company said that threat detection and response remained a challenge. “On average, organisations take nearly 100 hours to identify, respond to, and remediate a post-deliver email threat — India organisations take 67 hours to detect the attack and 53 hours to respond and remediate after the attack is detected,” it said.

Also read: Job-themed emails have become prime target for cybercriminals: Trellix

Remote work challenge

It said the remote work is increasing risks. “Users at companies with more than a 50 per cent remote workforce report higher levels of suspicious emails — 12 per day on average, compared to 9 per day for those with less than a 50 per cent remote workforce,” it said.

“Having more remote workers slows detection and response. Companies with more than a 50 per cent remote workforce also reported that it takes longer to both detect and response to email security incidents — 55 hours to detect and 63 hours to response and mitigate, compared to an average of 36 hours and 51 hours respectively for organisations with fewer remote workers,” it said..

“Even though spear phishing is low volume, with its targeted and social engineering tactics, the technique leads to a disproportionate number of successful breaches, and the impact of just one successful attack can be devastating,” Fleming Shi, CTO of Barracuda, said.