GreatHorn analyzed more than 56 million emails from 91,500 corporate mailboxes from March to November 2016. The data found that display name spoofs are the clear phishing weapon of choice for cybercriminals.
Attackers are increasingly relying on highly targeted, non-payload attacks that exploit trust and leverage pressure tactics to trick users into taking action that will put their organizations at risk. Of the more than 537,000 phishing threats GreatHorn detected in its research, 91 percent (490,557) contained characteristics of display name spoofs.
Display name spoofs impersonate a person familiar to a business user in order to fool the recipient into thinking that the message came from a trusted source. It’s an extremely effective tactic against a workforce deluged with incoming communications all day, every day. Direct spoofs were the second most popular attack type (8 percent), and domain lookalikes made up less than 1 percent of phishing attacks.
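The three attack types named above can be told apart from the `From` header and the receiving gateway's authentication verdict. The sketch below is an added example, not GreatHorn's detection logic. The directory, domains, similarity threshold and sample messages are constructed, and the working definitions of a direct spoof (the exact trusted domain in `From` with failed authentication) and a domain lookalike (a near-match of a trusted domain) are assumptions.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed directory (assumption): people users trust, keyed by name tokens.
DIRECTORY = {frozenset({"jane", "doe"}): "jane.doe@example.com"}
TRUSTED_DOMAINS = {"example.com"}
LOOKALIKE_THRESHOLD = 0.8  # hypothetical similarity cut-off


def name_key(display_name):
    """Order-insensitive key so 'Doe, Jane' and 'Jane Doe' compare equal."""
    return frozenset(re.findall(r"[a-z]+", display_name.casefold()))


def dmarc_passed(auth_results):
    """Read the dmarc= verdict from an Authentication-Results header value."""
    m = re.search(r"\bdmarc=(\w+)", auth_results or "", re.IGNORECASE)
    return bool(m) and m.group(1).lower() == "pass"


def classify(from_header, auth_results):
    """Return 'ok', 'direct_spoof', 'domain_lookalike' or 'display_name_spoof'."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        # Exact trusted domain in From: only believable if authentication passed.
        return "ok" if dmarc_passed(auth_results) else "direct_spoof"
    for trusted in TRUSTED_DOMAINS:
        if SequenceMatcher(None, domain, trusted).ratio() >= LOOKALIKE_THRESHOLD:
            return "domain_lookalike"
    if name_key(display_name) in DIRECTORY:
        # Familiar name, unrelated address: the display name is the only lure.
        return "display_name_spoof"
    return "ok"


# Constructed sample messages: (From header, Authentication-Results value)
SAMPLES = [
    ('"Jane Doe" <jane.doe@example.com>', "mx.example.com; dmarc=pass"),
    ('"Doe, Jane" <ceo.office@freemail.test>', "mx.example.com; dmarc=pass"),
    ('"Jane Doe" <jane.doe@example.com>', "mx.example.com; dmarc=fail"),
    ('"Jane Doe" <jane.doe@examp1e.com>', "mx.example.com; dmarc=none"),
]

if __name__ == "__main__":
    for from_header, auth in SAMPLES:
        print(classify(from_header, auth), "<-", from_header)
```

The second sample passes DMARC for the sender's own domain and is still flagged, which is why a display name check has to sit alongside authentication rather than behind it.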
“Stopping spear phishing attacks isn’t as simple as pushing a button; the sheer volume of these attacks, coupled with the size of the attack surface and security resource constraints, makes it impossible to mitigate risk solely via human intervention, no matter how much you try to train your end users,” said GreatHorn CEO Kevin O’Brien. “A true defense-in-depth strategy for protecting against these attacks requires unified visibility and control, coupled with risk-appropriate automation, across an organization’s entire communications infrastructure.”
Roughly 1 percent of all emails to business users contained specific characteristics that were deemed “risky” – a figure that may seem low until the volume of emails that workers send and receive is taken into consideration.
Enterprises reluctant to leverage automation
- Data shows that security and IT professionals are often indecisive in how they handle a phishing attempt that has been flagged, as 41 percent take no action and only 33 percent alert an admin.
- Of those organizations that did act on a flagged communication, 7 percent moved it to a folder, 6 percent added a label (G Suite) or category (Office 365), 2 percent moved to trash and 1 percent quarantined the message.
Email authentication frameworks are rarely fully used
- 80 percent of companies had minor authenticity issues, 10 percent had major authenticity issues and 15 percent had no email authentication at all. These last two statistics are troubling because, when combined with a robust data set that spans hundreds of millions of senders and messages, authenticity can be used as a major component of risk identification.
- Sender Policy Framework (SPF) is the most popular, as 75 percent of enterprises have it enabled.
- DKIM (DomainKeys Identified Mail) provides cryptographic proof that a message was sent from a specific sender but is used by a little over half of respondents (53 percent).
- Finally, DMARC (Domain-based Message Authentication, Reporting and Conformance) checks for alignment between the apparent sender of a message and its SPF and DKIM headers. Because of its added complexity, it’s only enabled in 21 percent of the enterprises that were analyzed. However, the value of correctly implementing it is clear, as the dataset shows that organizations with correct and complete authentication records receive less than a quarter (23%) of the threats that those without received.