“The majority of enterprise email compromise attacks take place on weekdays and during business hours”
Spear-phishing attacks use several tactics, including impersonation, targeting, timing and social engineering, to steal money or personally identifiable information from organizations like the university.
According to one report, 91% of enterprise e-mail compromise attacks take place on weekdays, with spear-phishers sending their phishing e-mails to large enterprises during normal business hours to make them look more convincing.
The average spear-phishing attack targets fewer than 10 employees, and 94.5% of all spear-phishing attacks target fewer than 25 people.
Urgency is often employed to get a fast response from targeted victims, and 85% of all e-mail compromise attacks are so-called “urgent” requests.
At the university we have observed that email compromise attacks have high click-through rates (defined as the tendency of an employee to click on embedded links in phishing e-mails). 10% of all spear-phishing emails successfully trick a user into clicking, and this percentage rises alarmingly to over 30% when an attack impersonates someone within an organization. (We have seen correlations to this trend during recent university spear-phishing attacks.)
In the USA in the past year alone, organizations lost an average of R3.96 million. During the past four years spear-phishing attacks cost USA businesses over R382 billion.
Spear-phishing attackers will always try to find new ways to make their spear-phishing e-mails more convincing. The end result will always be that it will become more costly and damaging to the university.
In October this year, Prof. Bruce Watson from the university’s Department of Information Science provided an interesting analysis of the state of cyber-security in South Africa, in a report titled “Secure software and legal systems needed for cyber safety”.
While this article does address the vital need to continue to work on creating and providing better and more secure systems to block ongoing cyber-attacks on the university, I was disappointed that he downplayed the need for cyber-security awareness and sensitization among university personnel and students.
I have always maintained that taking the proper precautions and keeping the prime targets of cyber attacks, the ordinary personnel members, informed about the tactics cyber-criminals are using, and sensitizing and educating them, will go a long way to help the university defend itself more effectively against these highly targeted attacks.
To quote the Greek poet and philosopher, Aeschylus, “There are times when fear is good. It must keep its watchful place at the heart’s controls.”