In 2023, 50% of organizations worldwide fell victim to spear phishing. To protect themselves against such attacks, most companies rely on security solutions like antimalware and email-filtering software, but few consider the core of the problem: the vast amounts of sensitive, personal employee data that is accessible online.
Fed by that data, spear phishing tactics have evolved to become so sophisticated, and often so precisely tailored to the target, that they are increasingly difficult to spot, which is what makes them so effective and dangerous.
Considering the role data plays in social engineering, it's time for organizations to incorporate new, proactive security measures that focus on protecting employee data privacy.
Phishing is the entry point of most successful cyberattacks
Phishing is an effective tactic: it is responsible for more than 90% of successful cyberattacks, including ransomware, data breaches, account takeovers and business email compromise. Though spear phishing emails make up only 0.1% of emails sent, they are responsible for 66% of breaches.
Certain industries, like finance and health care, are particularly vulnerable to ransomware attacks as cybercriminals know they are more likely to pay quickly to recover critical systems or data. According to a 2024 Sophos study, 65% of financial services were hit by ransomware, up from 55% just two years prior.
In one high-profile case, Colonial Pipeline suffered a ransomware attack, allegedly due to phishing, that temporarily crippled the pipeline and led to gas shortages across the entire U.S. East Coast for six days, raising gasoline prices by as much as USD3 per gallon.
Employees are the easiest entry point for cybercriminals
There's a reason phishing, and not brute force, is responsible for most successful cyberattacks. It's because the human element is often the weakest link in cybersecurity.
According to Proofpoint's 2023 Human Factor report, cybercriminals target humans rather than systems to steal data, install malware or carry out other cyberattacks. In fact, the same report states 99% of cyberthreats require human action to execute.
Spear phishing exploits basic human psychology, using emotional triggers like urgency and authority. A criminal may pose as a company's CEO, for example, and manipulate an employee into bypassing security protocols. But this only works if the employee is convinced they are actually communicating with their CEO. This is exactly what happened to Leoni AG, a leading cable manufacturer, which lost 40 million euros to an impersonation scam and suffered a 2% drop in stock value as a result.
These kinds of attacks succeed because they are convincing, which is where data comes into play. If there is even a small level of doubt, people are unlikely to fall for social engineering attacks. If an email references an employee's role in the company or includes details about their family, on the other hand, the likelihood of the attack being successful goes up.
The role of data in spear phishing
It's no secret phishing emails are the point of entry for a huge portion of cyberattacks. What's less clear is how these emails manage to convince targets — often seasoned, C-level professionals. As with this August 2024 breach, simply said to originate from a phishing email "that appeared to be from a trusted source," the explanations tend to be light on the details.
Unfortunately, the information cybercriminals need to craft phishing attacks that look like they're from trusted sources is easier to get a hold of than many realize, particularly in the U.S. This is due, in large part, to the USD252.12 billion data broker industry. For some perspective on scale, Acxiom, just one of these data brokers, claims to hold as many as 3,000 data points per person. And there are hundreds more data brokers in the U.S. alone, making information easier for cybercriminals to obtain than ever before.
Employee credentials and corporate data are among the most desired data points for cybercriminals, especially when it involves a high-profile company with valuable assets. Even just email addresses, the most widely used and innocuous data point, can provide criminals what they need: a way in.
Despite the risk that sharing corporate email addresses creates for the company, employees are often required to use them, for example to request access to online resources such as reports and statistics. That information then becomes tied to the employee's identity and can end up circulating on data broker sites or being shared and traded between companies.
Once information reaches data broker sites, criminals can obtain it easily. Some brokers have even been caught intentionally selling information to scammers. Criminals may not even have to resort to such purchases, as people-search sites give them access to rich records, sometimes for free and sometimes for as little as a dollar.
Employees' sensitive information may also end up exposed in data breaches. Unfortunately, the more places their data lives online — hundreds of data broker databases, for example — the greater the chance of this happening. One data broker, National Public Data, recently suffered a massive data breach, allegedly exposing 2.9 billion records. It's worth noting the dataset appeared to contain no information on individuals who used data removal services.
Looking at the types of information data brokers typically hold also helps explain how phishing attacks have become as sophisticated as they are. These databases include personal and professional contact details, job titles, career history and work associates (including how close those relationships are, inferred from the frequency and type of interactions), nicknames and professional aliases, behavioral data such as what a person is likely to click on online, inferred characteristics such as lifestyle, beliefs or likelihood to give to charity, and much more.
Once we realize this is the kind of information being compiled and traded online, the effectiveness of phishing emails starts to make much more sense.
Neglecting employee data privacy leaves organizations more susceptible to spear phishing
Organizations typically have three lines of defense against spear phishing.
Technical defense. This may include email filtering, multifactor authentication, firewalls, intrusion detection and prevention systems, and endpoint detection and response solutions.
Employee education. Security awareness training teaches employees to recognize threats, and phishing simulations help the organization identify where it is vulnerable.
Incident response plans. Reporting mechanisms and response and containment protocols mitigate the damage caused in the event of an attack.
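The "technical defense" line above, and the CEO impersonation scam described earlier, can be made concrete with a minimal email-filtering heuristic. The following is an added example, not code from this article or from Incogni; the corporate domain, the executive roster, the signal weights and the sample messages are all constructed for illustration, and a real filter would draw the roster from a directory service and run alongside SPF, DKIM and DMARC checks.

```python
"""Toy email-filtering rule for executive display-name impersonation.

Added example, not code from the original article or from Incogni.
Everything here is constructed: the corporate domain, the executive roster,
the weights and the sample messages.
"""
import re
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                    # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # constructed roster
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|wire|today)\b", re.I)
FLAG_THRESHOLD = 3


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(headers, subject, body):
    """Return (score, reasons) for one message.

    headers: dict with at least 'From', optionally 'Reply-To'.
    Signals (weights are illustrative, not tuned on real data):
      +3 display name matches an executive but the address is not theirs
      +2 sender domain is a close lookalike of the corporate domain
      +2 Reply-To domain differs from the From domain
      +1 urgency language in subject or body
    """
    score, reasons = 0, []
    name, addr = parseaddr(headers.get("From", ""))
    name_key = " ".join(name.lower().split())
    from_domain = domain_of(addr)

    if name_key in EXECUTIVES and addr.lower() != EXECUTIVES[name_key]:
        score += 3
        reasons.append(f"display name '{name}' matches an executive, address is {addr}")

    if from_domain and from_domain != CORPORATE_DOMAIN:
        if levenshtein(from_domain, CORPORATE_DOMAIN) <= 2:
            score += 2
            reasons.append(f"lookalike domain {from_domain}")

    reply_domain = domain_of(parseaddr(headers.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        score += 2
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    if URGENCY.search(subject) or URGENCY.search(body):
        score += 1
        reasons.append("urgency language")

    return score, reasons


def is_flagged(headers, subject, body):
    """True when the combined score reaches the (illustrative) threshold."""
    return score_message(headers, subject, body)[0] >= FLAG_THRESHOLD


# Constructed sample messages (not real traffic).
LEGIT = ({"From": "Jane Doe <jane.doe@example.com>"},
         "Q3 numbers", "Please review the attached deck.")
SPOOFED = ({"From": "Jane Doe <jane.doe@exarnple.com>",
            "Reply-To": "jane.doe.ceo@mailbox.example"},
           "URGENT: wire needed today",
           "I'm in a meeting, handle this immediately and keep it between us.")
VENDOR = ({"From": "Billing <billing@vendor.example>"},
          "Invoice overdue", "Please pay immediately.")

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("spoofed", SPOOFED), ("vendor", VENDOR)):
        print(label, score_message(*msg), "FLAG" if is_flagged(*msg) else "ok")
```

The point of the weights is that urgency language alone (the vendor reminder) is not enough to quarantine a message, while the combination the article describes, a known executive's name on an address outside the company, a lookalike domain and a mismatched Reply-To, scores well above the threshold even before the wording is considered.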
While these measures are undeniably crucial for the security of any organization, they aren't foolproof.
Filters designed to stop phishing and other dangerous messages, for example, only catch around 75% of incoming communication threats. This leaves a one in four chance of phishing messages making it through — not favorable odds when millions may be on the line. The better solution is more comprehensive.
The first line of defense against spear phishing should be prevention, ensuring fewer phishing attacks target an organization in the first place. Securing employee personal data is a crucial but often overlooked aspect of protecting against spear phishing. By reducing the availability of information criminals can use to tailor phishing attempts, organizations weaken their adversaries' most effective tool.
This preventative line of defense may include educating employees on how to maintain privacy on social media, providing privacy tools like VPNs, strictly enforcing protocols to protect internal forms of communication — like never using emails designated for internal communication anywhere else — and investing in data removal services to keep information out of circulation online.
Employee privacy as a best practice in spear phishing prevention
The bottom line is the current security measures most organizations have in place simply aren't effective enough on their own.
While it's impossible to completely remove employee data online, many organizations have seen the benefit in adding employee privacy efforts to their cybersecurity approaches.
By proactively reducing the digital footprint of employees' personal information, organizations lower the probability of successful spear phishing attempts.
Mariam Volobueva is a lead copywriter, Brenden Arakaki is a content manager, and Adam Choliński is an editor and senior copywriter at Incogni.