Spear phishing and business email compromise (BEC) are big business these days, with BEC fraud costing US businesses $1.3bn in 2018. Such huge rewards have incentivized scammers to improve targeted phishing attacks and expand their campaigns.
Microsoft warns that advanced spear-phishing attacks have become so targeted that it refers to them internally as 'laser' phishing.
These attacks often involve impersonating the CEO of a company and can be convincing enough to fool IT executives into opening malware-laden attachments.
SEE: 10 tips for new cybersecurity pros (free PDF)
According to Microsoft's data, the percentage of inbound emails associated with phishing climbed from 0.31% in September 2018 to 0.62% in September 2019. Microsoft's analysis of 470 billion emails per month in 2018 found phishing messages increased 250%.
The key weapon at an attacker's disposal is open-source intelligence or OSINT.
"To illustrate how clever some of these campaigns are, imagine a busy recruiter who is responsible for filling several IT positions. The IT director is under a deadline and desperate for good candidates," explains Dianna Kelley, Microsoft's cybersecurity field chief technology officer.
"The recruiter posts the open roles on their social networks asking people to refer leads. A few days later they receive an email from a prospective candidate who describes the role in the email. The recruiter opens the attached resume and inadvertently infects their computer with malware. They have just been duped by a spear phisher."
Attackers use this research to identify senior leaders who are authorized to transfer large sums of money and typically select the CEO to impersonate, exploiting details from the executive's social-media posts to discover their travel schedules.
"People are inclined to respond quickly when the boss emails – especially if they say it's urgent," explains Kelley.
There is no simple answer to stopping phishing attacks, but Microsoft suggests technology and training can minimize the threat.
For example, train employees about the threat of phishing and offer tools that mimic real phishing attacks, including adding a sense of urgency to a request that breaks company policy and using language that evokes sympathy or fear.
Additionally, workers should be encouraged to discuss phishing emails with peers.
"Spear phishers typically don't send blast emails; however, they may select several people from the same department or with business relationships. Talking will alert other users to be on the lookout for phishy emails," she writes.
Finally, and probably the most important step, is to enable two-factor authentication, which Microsoft says does block 99.9% of automated attacks.