Google, in association with the University of California, San Diego, has released research that analyses spearphishing attacks against Gmail accounts from 2011-2014.

The researchers found that the success of spearphishing attacks ranged from a low of 3% to a high of 45%. The researchers determined that the greater the effort put into the targeting of the message, the higher the probability of a successful attack.


The researchers made this observation regarding financial scam attacks:

Thus, despite the appearance of simplicity, in reality, the scam emails are well-formed and thought-out in a way to maximize efficiency by preying on known human physiological [sic] [recte psychological] principles.

They also noted:

Targeted attacks include industrial espionage and state-sponsored break-ins. In our experience, these attacks are carried out by highly sophisticated parties who have the resources to extensive profile targets and launch tailored attacks.

The attackers target the people! And the better the message is crafted to the sensibilities of the target, the more likely the success of the attack. While many call this “social engineering,” at Iconix we prefer the old-fashioned term “deception” – for “deception” makes it clear that this is not a computer engineering problem; this is a problem of people deceiving people. The attackers are not using IT engineering tools, but are engaging in operations that are “well-formed and thought-out in a way to maximize efficiency by preying on known human physiological principles.”

The attackers use deception.  The defenders need to fight deception.  This is the purpose of Truemark and SP Guard from Iconix.