Trend Micro has just published research confirming what we at PhishMe already knew – spear phishing is the top threat to enterprise security. Trend Micro’s report estimates that spear phishing accounts for 91% of targeted attacks, making it the most prevalent method of introducing advanced persistent threats (APTs) into corporate and government networks. Industry recognition of the severity of the dangers posed by spear phishing is always a positive development, but merely acknowledging the problem doesn’t provide a solution.
Fortunately, many of the underlying issues Trend Micro identifies are problems PhishMe is already helping our customers address.
One interesting point made in the report was that, of the users Trend Micro monitored, nearly half of the recipients of spear phishing emails had email addresses easily accessible through Google. While it may be impossible to keep your employees’ email addresses secret, it’s not impossible to identify the most vulnerable users in your enterprise and deliver training targeted to them. PhishMe recently added a feature that allows administrators to search the Internet to find which users’ email addresses are easily discovered through a search engine, and to build a distribution list of those users. This allows our customers to pinpoint which of their users are most likely to receive a phishing email, and to provide targeted training as appropriate.
The report also found that 94% of all targeted emails use malicious attachments, in a variety of file formats. PhishMe’s functionality allows customers to send users emails with attachments in formats such as .XLS, .DOC, and .ZIP. Trend Micro notes that “Spear-phishing email attachments are difficult to spot from normal document attachments passed on from user to user each day in a corporate environment,” but using PhishMe allows enterprises to train users to recognize a bogus attachment, as well as to raise general awareness about the threat of malicious attachments.
What these findings make clear is that technology alone won’t prevent spear phishing; it’s up to an organization to ensure its employees are prepared when a phishing email arrives.