Cisco research on targeted phishing attacks explains why email remains the primary attack vector for cyber criminals.

The research from Cisco points out, cybercriminal business models have shifted toward low-volume targeted attacks. The report, Email Attacks – This Time Its Personal, documents that email remains the primary attack vector, the annualized cybercrime business activity caused by mass, indiscriminate email attacks has declined by more than half. However, the business activity caused by highly-personalized targeted attacks is growing rapidly. The study examines attack trends and explores the impact of these campaigns. The findings in this study were based on research Cisco conducted with organizations worldwide across a broad range of industries. Some of the finding include, but are not limited to the following:

  • Fewer mass attacks are launched, as evidenced by the 80 percent reduction in overall spam volumes.
  • Cybercriminals are focusing on higher-value endeavors, including increased scams and malicious attacks, spearphishing attacks, and targeted attacks.
  • Cisco SIO estimates that the cybercriminal benefit resulting from traditional mass email-based attacks has declined more than 50 percent: from US$1.1 billion in June 2010 to $500 million in June 2011 on an annualized basis.
  • Profit from a spearphishing attack can be more than 10 times that of a mass attack.

The economics of a spearphishing attack can be more compelling than for a mass attack. Spearphishing attack campaigns are limited in volume but offer higher user open and click-through rates. With these constraints, cybercriminals are increasingly focusing on business users with access to corporate banking accounts, to make sure they’re seeing sufficient return per infection.

As the research points out, the volume of mass attacks has declined, but the the ability of cybercriminal to use targeted phishing campaigns has increased. Organizations have to bear the burden of not only the monetary loss but also the cost of remediation of infected hosts and the negative impact on their brand reputation. Business cannot ignore the risk from this threat vector.