A new report from Barracuda found that most business email compromise (BEC) attacks are now targeting employees who aren’t in executive or financial roles.
“Many organizations focus their training and protection on who they perceive to be the most targeted individuals within the organization—usually executive and finance teams,” Barracuda’s researchers write. “However, 77% of BEC attacks targeted employees in other departments. Attackers look for an entry point and a weak link within your organization, and then they work their way to more valuable accounts. This highlights the need to secure and educate every employee to the same level.”
Barracuda also found that one in five BEC attacks target employees in sales roles.
“Due to the nature of their role, sales reps are used to getting external messages from senders they haven’t communicated with before,” the researchers write. “At the same time, they are all connected with payments and with other departments including finance. For hackers, these individuals could be a perfect entry point to get into an organization and launch other attacks.”
IT departments were another prime target: each IT employee was targeted by an average of forty attacks.
“When we look at the number of phishing emails targeting IT teams, although they received only 5% of the total number of attacks, each employee was targeted by 40 email attacks, which is well above average,” the researchers write. “IT staff has access to business-critical applications, so compromising their accounts can be extremely valuable to hackers as it will give them access to organizations’ security and IT infrastructure. Cybercriminals tailor their attacks to their victims, so there were barely any BEC attacks, which usually look for quick monetary return, targeting IT teams. However, when it comes to attacks that include phishing URLs designed to compromise accounts, IT was one of the top targets.”
New-school security awareness training can enable employees throughout your organization to recognize and thwart social engineering attacks.
Barracuda has the full story.