One cybersecurity firm’s data shows that this 0.1% of all email attacks intercepted can punch above its weight if remediated slowly.

Drawing from 30m spear-phishing emails and analysis of its own 2022 customer data set comprising 50bn emails across 3.5 million mailboxes, one cybersecurity firm also conducted a Dec 2022 survey of 1,350 frontline and senior IT professionals decision makers to gauge the impact of the pernicious threat.

Survey participants were from the U.S., Australia, India, and Europe. In Europe, respondents were from the United Kingdom, France, DACH (Germany, Austria, Switzerland), Benelux (Belgium, the Netherlands, Luxembourg), and the Nordics (Denmark, Finland, Norway, Sweden).

According to the analyses, most users of the cybersecurity firm’s services in 2022 had received around five highly-personalized spear-phishing emails per day, which took an average of two days to be detected. In the Asia-Pacific region and across the globe, 50% were victims of spear-phishing, and 24% had at least one email account compromised through account takeover. 

Of those affected by such attacks, 55% reported finding machines infected with malware or viruses, while 49% reported having sensitive data stolen. Furthermore, 48% reported having stolen login credentials; and 39% reported direct monetary losses resulting from the attacks.

However, spear-phishing attacks constituted only around 0.1% of all e-mail-based attacks. Yet, due to their higher-rate of victimization compared to other types of email attacks, such attacks were responsible for 66% of all breaches in the data.

Other findings

The analysis report showed other findings such as:

    • Most organizations in the firm’s protection ecosystem data took nearly 100 hours to identify, respond to and remediate spear-phishing threats, including 43 hours to detect an attack and 56 hours to respond and remediate it
    • The risk of spear-phishing attacks was increased for remote workforces, which tended to be targeted more than non-remote ones. Respondents and data involving firms with 50% remote workers receiving around 12 suspicious emails per day, compared with just nine, for firms with remote workers forming less than 50% of the total human resources.
    • Firms in the data with 50% remote workers were also typically slower to detect and respond to email security incidents, taking around 55 hours to detect and 63 hours to response and mitigate, compared to an average of 36 hours and 51 hours for firms having fewer remote workers.

According to Fleming Shi, CTO, Barracuda, which is the firm reporting the data analysis and survey findings: “Even though spear-phishing is low volume, with its targeted and social engineering tactics, the technique leads to a disproportionate number of successful breaches, and the impact of just one successful attack can be devastating.”

Shi suggested businesses should invest in account takeover protection solutions with AI capabilities, which “have far greater efficacy than rule-based detection mechanisms,” adding that improved efficacy in detection can “help stop spear-phishing with reduced response (required) during an attack.”