Among organizations with 1,000 or more email users, the share of respondents who said they believe their organization was targeted by a spearphishing attack jumped to 56%. In comparison, among organizations with fewer than 1,000 email users, only 42% said they believe their organization was targeted by a spearphishing email.
For the survey, Proofpoint polled 330 IT professionals at the Microsoft TechEd 2012 conference held in June.
“We are seeing proof that the targeted spearphishing attacks are proliferating against large organizations. This is something that we have seen in prior surveys and seems to be a real trend”, said David Knight, executive vice president of product management and product marketing at Proofpoint.
Knight said that larger organizations are being targeted because they are more visible and there is more information available about them on the internet. “Folks are using social media, public filings, and other kinds of information to find targets. The big companies have more employees and more information out there, so they are more known among foreign attackers.”
At the same time, spam and botnet volumes are down “quite substantially because the bad guys are changing their tactics to the lower-volume targeted attacks, which are more malicious and harder to defeat”, Knight told Infosecurity.
“The economic model has changed. It used to be a numbers game… Now people have shifted to other forms of monetization, so they are stealing sensitive information to commit banking and healthcare fraud and selling intellectual property to state actors”, he explained.
The survey found that more than one-third of respondents who reported experiencing a spearphishing attack in the past year believe that attack resulted in the compromise of user login credentials (e.g., usernames/passwords) or unauthorized access to corporate IT systems.
In addition, the survey indicated that outbound email (22%) was the greatest source of data loss risk, followed by online file sharing/collaboration tools (19%), lost or stolen mobile devices (18%), social media (17%), and texting (3%). A full 21% of respondents said they did not know which vector was the greatest source of data loss risk.
“It is relatively easy to send out an email with large amounts of information and it often goes untracked”, Knight said. He recommended that organizations put in place a security mail gateway that has data loss prevention technology.