Phishing Attacks: Which Departments Are Most at Risk?
Phishing attacks were among the most common attack vectors last year, according to Verizon’s 2017 Data Breach Investigations Report, and such attacks do not appear to be slowing down. While businesses may be shoring up protective efforts and educating employees about telltale signs of a phishing attack, attackers and social engineers are implementing more sophisticated methods for entry—and are looking beyond the obvious targets within an organization. In this eWEEK slide show, Asaf Cidon, vice president of Content Security Services at Barracuda Networks, shares insight into how attackers target different business units within an organization and which employees are most at risk.
CEOs and CFOs are attractive targets, primarily because of their level of access to sensitive information and ability to bypass traditional security measures to grant access to sensitive information. Such attacks, known as “whaling” when targeting senior executives, usually come in the form of a legal subpoena or customer complaint and require “fast action” to resolve a serious issue. Whaling attacks are among the most lucrative for attackers, so C-level executives face great risk daily.
It’s no surprise that finance departments are prime targets for phishing attacks. Malicious actors target finance departments because they are the gatekeepers of funds. The attackers pose as a senior executive or other employee to request an urgent wire transfer. Through social engineering and techniques such as typosquatting, attackers can easily fool finance departments into believing the requests are legitimate and require an immediate response. Typosquatting, or “cybersquatting,” is the practice of registering, and claiming rights over, internet domain names to which the registrant has no legitimate claim.
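One defensive check that follows from the typosquatting point above is to flag inbound mail whose sender domain is a near-miss of the organization’s own domain before a wire-transfer request reaches the finance team. The code below is an added example, not from the eWEEK article or from Barracuda; the corporate domain, the homoglyph table and the edit-distance threshold are assumptions, and the sample From headers are constructed.

```python
# Added example: classify an email From header as internal, lookalike or
# external relative to a protected corporate domain (assumed "example.com").
import re

PROTECTED_DOMAIN = "example.com"  # assumption: the organisation's real domain

# Visual substitutions commonly seen in lookalike domains, mapped back to the
# character they imitate (table is an assumption, not exhaustive).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Lower-case and undo common homoglyph swaps so exarnple.com -> example.com."""
    domain = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute, each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Pull the domain part out of a From header such as 'Jane <jane@x.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def classify(from_header: str, protected: str = PROTECTED_DOMAIN) -> str:
    domain = sender_domain(from_header)
    # Exact match or a genuine subdomain (mail.example.com) is internal.
    if domain == protected or domain.endswith("." + protected):
        return "internal"
    distance = levenshtein(normalise(domain), normalise(protected))
    # 0 after normalisation means a pure homoglyph swap; 1-2 covers dropped,
    # added or swapped letters and TLD changes (threshold is an assumption).
    return "lookalike" if distance <= 2 else "external"


if __name__ == "__main__":
    for hdr in ["jane@example.com", "ceo@exarnple.com", "ceo@example.co", "v@partner-corp.net"]:
        print(f"{hdr:25} -> {classify(hdr)}")
```

A "lookalike" verdict is a signal to route the message for manual verification (for example, a call-back to the named executive), not proof of fraud on its own.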
Whether in tax season or not, HR employees constantly face the threat of W-2 phishing attacks. W-2 forms are required for each employee and contain a plethora of personal information, including compensation, legal name, Social Security number and home address. They are incredibly attractive targets for attackers, who could use the findings to steal the identity of another person or use the data as “research” for more targeted attacks in the future.
Among their duties, in-house lawyers are responsible for facilitating corporate acquisitions. They have access to monetary and legal documentation that is highly confidential. Furthermore, access to potentially high-profile case information not only puts the lawyers at risk personally but also the parties involved with certain cases.
Administrative assistants handle everything from scheduling to facilitating important business meetings. They are regularly granted access to credentials and personal information of senior executives to streamline processes. Given their need to move swiftly and manage multiple tasks at once, admins are prime targets for phishers, who can enter a corporate environment quickly by spoofing an email and asking for credentials.
Public relations teams often receive embargoed access to sensitive or otherwise confidential information. Whether discussing upcoming acquisitions or technology announcements, the PR team is looped in early to develop a plan for disseminating the message. As such, phishers often target PR departments in hopes of uncovering trade secrets or information that might inform changes in the stock market.
In many organizations, IT and engineers have access to some of the most sensitive information in the company, including credentials, certificates, and access to source code and sensitive IP. Phishers often target this department to obtain proprietary information, gain access to the corporate network or share confidential information with competitors (for a fee). The IT and engineering departments typically have access to large spending budgets for their projects via corporate cards and have the ability to authorize wire transfers. Therefore, they are prime targets for spear phishing attacks.