Workers in R&D/Engineering are the most heavily targeted group of employees within organizations, a new Proofpoint report says, and lower-level employees are at a higher risk of email-borne cyber threats than higher-level management roles and executives.
Who is being attacked?
Proofpoint gathered and analyzed three months' worth (October-December 2018) of email attacks on Fortune Global 500 companies and discovered that people at the bottom of the corporate ladder were more at risk of being targeted via email than those at the top.
When going by their function in the organization, R&D/Engineering employees are most likely to be targeted, followed by sales personnel and production and operations specialists.
“We collected the most targeted email addresses (determined by our Very Attacked Person score, which factors in the quantity, severity and sophistication of threats received) in each company,” the company said, explaining how it arrived at the results. “Then we matched the recipients’ titles and functions using social-media profiles, internet databases, public records, news reports and other sources.”
Another interesting finding is that among the most targeted malware and credential phishing attacks, nearly 30 percent targeted generic email aliases (e.g., firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, etc.).
One reason is surely that these addresses are easy to obtain: they are either listed on the company’s website or, if not, there is a good chance they exist and are checked, usually by two or more employees.
This last fact also makes them harder to protect, Proofpoint points out. “Multifactor authentication, for instance, doesn’t work well with email addresses shared among several colleagues.”
But the company was quick to point out that attackers are constantly shifting the focus of their attacks. “Someone who seems unappealing to attackers today can easily become a VAP [Very Attacked Person] tomorrow.”
The tactics used by attackers
Email spoofing has soared, Proofpoint discovered. Q4 2018 saw 944% more email spoofing attacks per company than in Q4 2017.
“All people-focused attacks have one thing in common: they rely on identity deception. In email attacks, identity deception usually involves some form of spoofing,” the company notes.
Whether it’s domain or display-name spoofing, or lookalike domain spoofing (aka typosquatting), the goal is to trick the recipient into trusting the message (and the sender) and opening the malicious attachment or clicking an unsafe link.
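The three spoofing types named above leave different traces in a message's headers. The following triage sketch is an added example, not code from Proofpoint or its report; the protected domain, the protected display name, the distance threshold of 2 and the sample headers are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: the domain and display names being protected.
TRUSTED_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (typosquatted) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(raw_headers):
    """Label a message by which kind of sender deception its headers suggest."""
    msg = message_from_string(raw_headers)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Only trust an Authentication-Results header stamped by your own gateway.
    auth = msg.get("Authentication-Results", "").lower()
    if domain == TRUSTED_DOMAIN:
        # Exact domain in From: legitimate only if DMARC alignment passed.
        return "ok" if "dmarc=pass" in auth else "domain-spoofing"
    if edit_distance(domain, TRUSTED_DOMAIN) <= 2:
        # Near miss of the real domain; it can pass DMARC for itself.
        return "lookalike-domain"
    if name.strip().lower() in PROTECTED_NAMES:
        # Known name on an unrelated address: only the display name is forged.
        return "display-name-spoofing"
    return "unclassified"

# Constructed sample headers (not real traffic).
AUTH = "Authentication-Results: mx.example.com; dmarc=%s\n\n"
SAMPLES = {
    "exact_fail": "From: Jane Doe <jane.doe@example.com>\n" + AUTH % "fail",
    "exact_pass": "From: Jane Doe <jane.doe@example.com>\n" + AUTH % "pass",
    "typosquat": "From: IT Support <helpdesk@examp1e.com>\n" + AUTH % "pass",
    "name_only": 'From: "Jane Doe" <jd.office@mailbox.test>\n' + AUTH % "pass",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify(raw))
```

Note that the lookalike and display-name cases both arrive with `dmarc=pass`: authentication alone only catches exact-domain spoofing.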
Email-borne threats aside, attackers are also trying to impersonate companies on social media, using their name or likeness to propagate malicious URLs. Despite Twitter and Facebook’s best efforts to take them down, accounts suspected of being created for customer-support fraud (aka “angler phishing”) increased about 40% over the previous quarter (and 486% vs. the year-ago quarter).
“Cyber criminals create highly convincing customer service accounts and then wait for your customers to reach out to your brand with a help request. When the fraudster sees a customer contact your brand account, they spring into action and send a reply from the lookalike support account,” Proofpoint explains the tactic.
“The criminal assures your customer they’ll resolve the problem and directs them to a lookalike website. There, the customer is invited to log in. By doing so, the customer inadvertently hands account credentials and sensitive data to the criminal.”