Cybercriminals continue to barrage organizations with targeted spear-phishing attacks, and many companies are struggling to keep up. In fact, Barracuda market research finds that 50% of surveyed organizations were victims of spear phishing in 2022 — and 24% had at least one email account compromised through account takeover.
Barracuda looks at this and other key findings in the new report, 2023 spear-phishing trends. The report presents proprietary spear-phishing data and analysis, drawing on a data set that comprises 50 billion emails across 3.5 million mailboxes, including nearly 30 million spear-phishing emails.
The report also features survey findings from Barracuda-commissioned research. The survey, conducted by independent researcher Vanson Bourne, questioned IT professionals from frontline to the most senior roles at 1,350 companies with 100 to 2,500 employees, across a range of industries in the U.S., EMEA and APAC countries.
Spear phishing is widespread
While spear-phishing attacks are low-volume, they are widespread and highly successful compared to other types of email attacks.
- 50% of organizations analyzed were victims of spear phishing in 2022, and a typical organization received 5 highly personalized spear-phishing emails per day.
- Spear-phishing attacks make up only 0.1% of all email-based attacks, according to Barracuda data, but they are responsible for 66% of all breaches.
Organizations are struggling
Organizations are dealing with a variety of impacts from successful spear-phishing attacks, and they are having trouble detecting attacks and responding quickly.
- 55% of respondents that experienced a spear-phishing attack reported machines infected with malware or viruses; 49% reported having sensitive data stolen; 48% reported having stolen login credentials; and 39% reported direct monetary loss.
- On average, organizations take nearly 100 hours to identify, respond to, and remediate a post-delivery email threat — 43 hours to detect the attack and 56 hours to respond and remediate after the attack is detected.
Remote work is creating security challenges
Remote work is also increasing risks and slowing detection and response times.
- Users at companies with more than a 50% remote workforce report higher levels of suspicious emails — 12 per day on average, compared to 9 per day for those with less than a 50% remote workforce.
- Companies with more than a 50% remote workforce also reported that it takes longer to both detect and respond to email security incidents — 55 hours to detect and 63 hours to respond and mitigate, compared to an average of 36 hours and 51 hours respectively for organizations with fewer remote workers.
Get your copy of 2023 spear-phishing trends today and see all the latest insights and key findings about spear phishing, the impact of these attacks, and the challenges of detection and response.