Nearly every victim of a spear-phishing attack in the last 12 months saw impacts on their organization, including malware infections, stolen data, and reputational damage, according to Barracuda Networks.
Barracuda Networks research finds 24% of organizations studied had at least one email account compromised through account takeover.
The research shows that cybercriminals continue to barrage organizations with targeted email attacks, and many companies are struggling to keep up.
While spear-phishing attacks are low-volume, they are widespread and highly successful compared to other types of email attacks.
Spear phishing victims
50% of organizations analyzed were victims of spear phishing in 2022, and a typical organizations received 5 highly personalized spear-phishing emails per day.
Spear-phishing attacks make up only 0.1% of all e-mail based attacks, according to Barracuda data, but they are responsible for 66% of all breaches.
55% of respondents that experienced a spear-phishing attack reported machines infected with malware or viruses; 49% reported having sensitive data stolen; 48% reported having stolen login credentials; and 39% reported direct monetary loss.
On average, organizations take nearly 100 hours to identify, respond to, and remediate a post-deliver email threat — 43 hours to detect the attack and 56 hours to respond and remediate after the attack is detected.
Highly effective email attacks target remote workers
Users at companies with more than a 50% remote workforce report higher levels of suspicious emails — 12 per day on average, compared to 9 per day for those with less than a 50% remote workforce.
Companies with more than a 50% remote workforce also reported that it takes longer to both detect and response to email security incidents — 55 hours to detect and 63 hours to response and mitigate, compared to an average of 36 hours and 51 hours respectively for organizations with fewer remote workers.
“Even though spear phishing is low volume, with its targeted and social engineering tactics, the technique leads to a disproportionate number of successful breaches, and the impact of just one successful attack can be devastating,” said Fleming Shi, CTO, Barracuda.
“To help stay ahead of these highly effective email attacks, businesses must invest in account takeover protection solutions with artificial intelligence capabilities. Such tools will have far greater efficacy than rule-based detection mechanisms. Improved efficacy in detection will help stop spear-phishing with reduced response needed during an attack.