Barracuda analysts examined more than 12 million spear phishing and social engineering attacks impacting more than 3 million mailboxes at over 17,000 organizations between May 2020 and June 2021. The “Spear Phishing: Top Threats and Trends Vol. 6 – Insights” report found that 43% of phishing attacks impersonate Microsoft and the average organization is targeted by over 700 social engineering attacks each year. Nearly 80% of business email compromise (BEC) attacks target employees outside of financial and executive roles, with the average CEO receiving 57 targeted phishing attacks each year and IT staffers getting an average of 40 targeted phishing attacks annually.

Cryptocurrency-related attacks also grew 192% between October 2020 and April 2021, and the researchers noted that the number of attacks rose alongside the general price of various cryptocurrencies. Almost 50% of all socially engineered threats the company saw over the past year were phishing impersonation attacks, and nearly all included a malicious URL.

“Although phishing emails are nothing new, hackers have started to deploy ingenious ways to avoid detection and deliver their malicious payloads to users’ inboxes. They shorten URLs, use numerous redirects, and host malicious links on document sharing sites, all to avoid being blocked by email scanning technologies,” the report said. “Phishing impersonation attacks have also been trending upwards. These attacks made up 46% of all social engineering attacks we detected in June 2020 and grew to 56% by the end of May 2021.”

Business email compromise attacks only made up 10% of the attacks Barracuda analysts saw but have cost companies in the education, healthcare, commercial, and travel sectors millions. Hackers are also continuing to use many of the same tactics, including using brands for phishing impersonation attacks. Microsoft, WeTransfer, and DHL are the top three brands used in impersonation attacks going back to 2019. Because of the company’s ubiquity, Microsoft was used in 43% of phishing attacks in the past 12 months. Often cybercriminals will “send fake security alerts or account update information to get their victims to click on a phishing link.” The same goes for WeTransfer, which went from 9% of all phishing attacks to 18% by 2021. The rest of the top ten impersonated brands includes Google, DocuSign, and Facebook.

Don MacLennan, senior vice president of Email Protection at Barracuda, said cybercriminals are now targeting employees outside the finance and executive teams, looking for weak links in organizations. “Targeting lower level employees offers them a way to get in the door and then work their way up to higher value targets,” MacLennan said. “That’s why it’s important to make sure you have protection and training for all employees, not just focus on the ones you think are the most likely to be attacked.”