Barracuda Networks, a global IT-security firm offering email, data, and network security to more than 150,000 worldwide customers, released a new report on how to prevent account takeover fraud (ATO). Entitled “Spear Phishing Top Threats and Trends”, it presents original research about the three most common phishing attacks: brand impersonation, business email compromise, and blackmail.
“Attackers research their targets and craft carefully-designed messages, often impersonating a trusted colleague, website or business,” the company states in the introduction to the report. “Spear-phishing emails typically try to steal sensitive information, such as login credentials or financial information, which is then used to commit fraud, identity theft and other crimes.”
Account Takeover Fraud Stats
The data in the report is the result of research into 360,000 “spear-phishing” emails reviewed by Barracuda over three months. 83% of attacks are brand impersonation attacks, where a fraudster impersonates a well-known brand in an attempt to trick recipients into giving away sensitive information. Emails impersonating Microsoft (32%) and Apple (21%) made up the largest portion of attacks.
The second most prevalent type is the “blackmail” attack (11%). These attacks threaten to release embarrassing content about the recipient to their email contacts if they do not pay a fee. Nearly 1 in 10 of these attacks threatened to release content of a sexual nature, a specific kind of attack known as “sextortion”.
“Business email compromise” (6%), where fraudsters impersonate an executive asking for personal information or requesting a cash transfer, is the least prevalent. However, it is also one of the most potent forms of eCommerce fraud. The estimated cost of these attacks to businesses is over $12.5 billion since 2013.
Tips to Prevent ATO Fraud
The report presents a number of tips and best practices to help merchants prevent account takeover fraud. These include two-factor authentication (2FA), certain types of artificial intelligence (AI), and the need to remain proactive.
In addition, there is a list of the most common domains and email subject lines. The resource is designed to give merchants specific markers they can look out for to help identify and stop attacks.