Calculating the Cost of Spear Phishing

Spear phishing attacks are on the increase and healthcare providers have had to increase spending considerably to deal with the threat and mitigate risk. A recent survey conducted by Cloudmark/Vanson Bourne has helped to quantify the current level of spending on anti-phishing precautions and has produced an estimate of the cost of spear phishing.

Spear Phishing: A Growing Problem for Healthcare Providers

The sending of mass spam emails has long been a tactic used by cybercriminals to get individuals to reveal their login credentials, often indirectly after being fooled into installing malware on their computers. The vast majority of these email campaigns have been poorly written and ill-conceived. That said, they have still proved to be an effective way of delivering malware, although spam filtering technology has improved considerably in recent years and many of these emails are now being blocked.

Cybercriminals have realized that more targeted phishing emails not only have a much better chance of getting past spam filters, but are also more likely to elicit the desired response. These spear phishing emails are tailored for specific individuals or groups within an organization. Oftentimes, targets are extensively researched before the emails are sent. These spear phishing emails can be incredibly effective.

Spear phishing has grown into one of the biggest security threats that enterprises now have to face, and the cost of preventing spear phishing attacks has risen considerably in recent years.

The Cost of Spear Phishing: How Much is Prevention Costing U.S. Companies?

A recent survey conducted by Cloudmark and Vanson Bourne set out to examine IT professionals’ points of view about spear phishing and gather information about their experience of spear phishing attacks with a view to calculating the true cost of spear phishing.

300 IT decision makers from organizations employing more than 1,000 staff members were asked questions about their experiences of spear phishing, and were asked about the measures their companies had implemented to tackle the growing problem of targeted phishing emails.

While the majority of organizations had implemented controls to prevent phishing emails from being delivered, 28% of spear phishing emails were still being delivered to recipients’ inboxes on average. The survey indicated 84% of organizations have had a spear phishing email breach their security defenses in the past 12 months.

Those defenses mainly involved the implementation of anti-virus and anti-malware solutions, although 70% of respondents said they had a specific anti-phishing solution to prevent spear phishing emails from being delivered. Those defenses had cost enterprises an average of $319,327 over the past 12 months.

When taking lost productivity, financial losses, company and brand reputation damage, intellectual property loss, decreases in stock prices, and customer loss into account, the average total losses due to phishing attacks were estimated to be $1,644,119 per company.

Who Is Being Targeted with Spear Phishing Emails?

Phishing campaigns were often successful when the emails appeared to come from upper management. Respondents indicated they had suffered 10 attacks on average that had involved the spoofing of a CEO’s email address.

While accounts and billing department employees are being increasingly targeted by cybercriminals looking to fool users into making bank transfers to their accounts, the survey revealed that IT department staff were just as frequently targeted with spear phishing emails. Cybercriminals were after their account credentials because of the higher level of privileges those accounts carry. 44% of attacks targeted the IT department. Financial departments were targeted in 43% of attacks. The CEO was next in line, being the target of 27% of attacks.

Spear phishing prevention is not only about blocking the emails. Staff members must be trained to identify a phishing email when it arrives, and their phishing email identification skills must be put to the test. The survey respondents indicated this was happening on a frequent basis, although only 3% of respondents claimed that all of their employees had passed the last phishing email test.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.