In the world of social engineering, spear phishing is like phishing’s smarter, nastier older brother. Our recently released 2018 State of the Phish™ Report compiles data from a number of different sources, including more than 10,000 responses from surveys sent to our database of infosec professionals. Unlike in past years, this year’s surveys were sent quarterly, which gave us more insight into the issues organizations are dealing with on a regular basis — including spear phishing attacks.
We did see some good news with regard to these targeted social engineering emails: Just 53% of survey respondents said their organizations experienced spear phishing in 2017, a 13% decrease from 2016. However, as you’ll note in the chart below, it’s clear that affected organizations are dealing with this threat on a regular basis.
Source: Quarterly surveys of infosec professionals for the 2018 State of the Phish Report
Though most respondents said they deal with between 1 and 5 attacks per quarter, more than 20% put the number between 6 and 15, and 8% of infosec professionals indicated they face more than 26 spear phishing attacks per quarter. The implications of this are very serious, given the sophisticated nature of these social engineering scams and the fact that some forms of these attacks — like business email compromise (BEC) — intend to inflict irreversible monetary damage on organizations.
Infosec teams that are regularly dealing with spear phishing attacks must actively raise awareness of the risks associated with these types of emails, and better manage these risks by educating employees to identify the hallmarks of not just "common" phishing attacks but also those of more personalized and sophisticated messages. Infrequent, passive training (in the form of PowerPoint presentations and/or auto-run videos) will not prepare end users to counter frequent, persuasive spear phishing attacks. To change behaviors, you need to deliver an ongoing security awareness training program that is designed to build a culture of security and elevate cybersecurity to a daily pursuit for all end users.