As part of Business Email Compromise attacks, spear phishing now plays a material role, with impersonation sitting firmly at the core of their social engineering tactics… in more ways than one.
The combination of spear phishing and impersonation is dangerous; it implies that the cyber criminals have done their homework and will be using details familiar (in some cases, personally familiar) to their victim to create the illusion of legitimacy.
According to new details in GreatHorn’s 2021 Business Email Compromise Report, these threat actors are finding success in mixing Business Email Compromise with spear phishing. Of all the BEC attacks analyzed in this report:
- 49% spoofed the sender’s display name
- 18% used a look-alike domain
- 10% used an external or vendor compromised email account
- 4% used an internal compromised email account
But to add to the legitimacy, details familiar to the recipient were used, including:
- Company name (68% of attacks)
- Recipient name (66%)
- Boss/Manager name (53%)
- Customer or client name (49%)
It’s evident that cyber criminals are spending a lot of time identifying the right potential victim and learning as much as they can about them, their position in the organization, and who they do business with, in order to commit fraud at the end of the BEC attack.
The only way to survive these kinds of attacks is to educate users with Security Awareness Training about the need to scrutinize sender email addresses in detail, as well as any financial request that is unexpected. Otherwise, the bad actors are going to eventually pull one over on your staff in a way that will cost the organization dearly.
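Two of the four sender tricks listed above, display-name spoofing and look-alike domains, are visible in the From: header itself and can be checked before a message reaches the user. The script below is an added example, not code from the article or from GreatHorn; it assumes a hypothetical protected domain (`example.com`) and a two-entry directory of names an attacker would most likely borrow, and runs over a few constructed From: values. The other two patterns (a compromised vendor or internal mailbox) send from a genuine address, so they are not caught by this kind of header check and still depend on users questioning the request.

```python
"""Flag display-name spoofing and look-alike sender domains in From: headers.

Added example (not from the article or the GreatHorn report). All domains,
names and sample headers below are constructed for illustration.
"""
from email.utils import parseaddr

# Hypothetical protected organisation and the people most worth impersonating.
ORG_DOMAIN = "example.com"
ORG_LABEL = ORG_DOMAIN.split(".")[0]          # "example"
KNOWN_PEOPLE = {                               # lower-cased display name -> real mailbox
    "jane doe": "jane.doe@example.com",        # hypothetical CEO
    "sam lee": "sam.lee@example.com",          # hypothetical finance manager
}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch domains a character or two away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain: str) -> bool:
    """The org domain itself or any genuine subdomain of it (mail.example.com)."""
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def classify_sender(from_header: str) -> list[str]:
    """Return zero or more findings for one From: header value."""
    display, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    findings = []

    # 1. Display-name spoofing: a directory name shown over an external address
    #    (free-mail account, unrelated company, or a look-alike domain).
    name = " ".join(display.lower().split())
    if name in KNOWN_PEOPLE and not is_internal(domain):
        findings.append("display-name-spoof")

    # 2. Look-alike domain: not ours, but within two edits of it or carrying our
    #    label inside it (examp1e.com, example.com.invoice-portal.net, ...).
    if domain and not is_internal(domain):
        if levenshtein(domain, ORG_DOMAIN) <= 2 or ORG_LABEL in domain:
            findings.append("look-alike-domain")

    # A compromised vendor or internal mailbox sends from a genuine address and
    # produces no finding here; that case needs a human to question the request.
    return findings


# Constructed sample headers covering the cases above.
SAMPLE_HEADERS = [
    '"Jane Doe" <jane.doe@example.com>',                     # legitimate
    '"Jane Doe" <jane.doe.ceo@gmail.com>',                   # display-name spoof
    '"Jane Doe" <jane.doe@examp1e.com>',                     # spoof + look-alike
    '"Vendor Billing" <ap@example.com.invoice-portal.net>',  # look-alike only
    '"Sam Lee" <sam.lee@mail.example.com>',                  # genuine subdomain
]


def scan_headers(headers: list[str]) -> dict[str, list[str]]:
    """Map each header to its findings; handy for batch review of a mailbox export."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, findings in scan_headers(SAMPLE_HEADERS).items():
        print(f"{header:55} -> {findings or ['clean']}")
```

The edit-distance threshold and the "our label appears inside the domain" rule are deliberately loose: the goal is to route suspicious senders to a reviewer or a warning banner, not to block mail, so a false positive on an unfamiliar but harmless domain is acceptable.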