Average small business employee gets 3.5x as many social engineering attacks as those at larger firms

Other findings of the new Barracuda report indicate that Microsoft 365 attacks continue to grow exponentially, while more than half of brand impersonations now involve Microsoft

Today, cybersecurity firm Barracuda is releasing key findings about the ways spear-phishing attacks are evolving, the seventh report in a series on new trends in social engineering attacks. The latest report, Spear Phishing: Top Threats and Trends, looks at current trends in spear phishing, which businesses are most likely to be targeted, new tricks attackers are using, and the number of accounts that are being compromised successfully. It also examines best practices and technology that organizations should be using to defend against these types of attacks.

“What we saw this year was mainly an acceleration of existing trends from 2020,” said Mike Flouton, VP, Product Management at Barracuda. “I didn’t think, however, that Microsoft could go higher than 41% of all brands impersonated, and now it’s 57%. That’s a significant jump year over year.”

The report found that the average employee at a smaller business, one with fewer than 100 employees, will experience 350% more social engineering attacks than an employee of a larger enterprise. That doesn’t mean that smaller businesses are more targeted than large ones, simply that because they are smaller, an individual employee will see more attacks. Seeing more threats per person does not by itself make a company more or less safe.

“The plus is that as long as you do a good job on awareness training, the employees should be better prepared, but I think any benefit of them seeing more threats is offset by the bad guys having more shots on goal,” Flouton said.

While small businesses are not being singled out by attackers, they are still receiving their fair share of attacks.

“There is an element of their being less well prepared for sure,” Flouton noted. “They tend to be resource constrained as well. But those aren’t the only things. Small businesses often have access to really valuable assets, even though larger businesses will have more targets. Like larger businesses, they will have an email gateway, which has become table stakes for all. Training has seen less adoption though, and requires a more concerted effort.”

Flouton stressed that there’s no one-size-fits-all approach to awareness training.

“All organizations will have some individuals who are higher risk than others, and who need more training or higher risk training,” he said. “We have seen a trend towards shorter and shorter content in this kind of training.”

Flouton also emphasized that the social engineering attacks of today are very different – and more dangerous – than those of even the very recent past. While Barracuda reported that phishing made up only 51% of attacks, that figure reflects how it categorizes threats: what others classify as sub-categories of phishing, such as Business Email Compromise and conversation hijacking, Barracuda counts separately because they impersonate a specific individual, whereas it classifies phishing as purely brand or service impersonation attacks. Scamming, at 37%, is almost as large as phishing, while extortion is also tabulated separately.

“We are seeing major changes in attacks as a whole,” he said. “One of the first defenses that the industry developed against spoofing was assessing the reputation of sites, and their age. But that doesn’t work any more because attackers set up on reputable sites. You can’t rely on where it’s coming from. Just because it comes from a reputable site like Microsoft doesn’t mean it’s not an attack.”

Conversation hijacking also saw a major increase of 270% in 2021.

“Conversation hijacking is still in the emerging threat category, but we are seeing a lot more of it,” Flouton noted. “It’s related to an account takeover, and involves monitoring a legitimate email conversation and hijacking it by assuming the identity of the person whose account they hacked, while hiding the legitimate account. This allows them to use the established rapport of an account that’s already going on. It’s effective because people are less vigilant because they are already in a conversation that is underway.”

Approximately 500,000 Microsoft 365 accounts were also compromised in 2021, which reflects the exponential growth of that application.

“As more people are on a network, the value of it rises exponentially,” Flouton said. “The more people on Microsoft 365, the more leverage the bad guys get by hacking into an account there.”

Business email compromise is one of two types of attack which Flouton said could compete for the title of most dangerous of the bunch. It is now rivaled by account takeover, which Barracuda ranks as the most complex of the 13 email threat types.

“BEC is probably not quite as problematic as it used to be, but it is still extraordinarily dangerous,” he said. “The other bad one now is account takeover, which has grown significantly. It is much harder to execute as it involves a multi-step campaign, so they don’t happen as frequently but can be more devastating when they do take place.”