Vigilance around a chief executive’s mailbox will be high, so target a manager and work up the chain of command …

In analyzing more than 12m spear phishing and social engineering attacks impacting more than three million mailboxes across 17,000 organizations in the US, EMEA and Asia-Pacific region between May 2020 and June 2021, a cybersecurity firm has concluded that the average organization will be targeted by over 700 social engineering attacks each year, and not just C-level executives are the prey.

Identifying the attack risks associated with different roles throughout a company ranging from CEOs and IT departments to employees in sales, the report by Barracuda states that when it came to business email compromise attacks (BEC), 77% of attacks in the analysis had targeted professionals outside of finance and executive roles: personnel working in roles like sales (19%), project management (10%), human resources (10%) and admin (9%) were also at risk.

 When it came to targeted spear phishing attacks, the report asserts that, while CEOs in the study attracted an average of 57 targeted attacks per year, IT professionals were similarly under fire, attracting an average of 40 targeted spear phishing attacks per year. Of the phishing attacks in the study, 43% impersonated Microsoft, followed by WeTransfer (18%), DHL (8%) and Google (8%) to lure unsuspecting victims.

Commented the firm’s Regional Director (Southeast Asia and Korea), James Wong: “Cybercriminals are getting sneakier about who they target with their attacks, often focusing on employees outside of the C-Suite, looking for a weak link in the organization. Targeting lower-level employees offers cybercriminals a way to get in the door and then work their way up to higher-value targets.”

Wong said it is important that organizations should implement the appropriate cybersecurity safeguards train all personnel for contingencies, rather than just focus on high-level personnel thought to be most likely to be attacked.