Hackers are an ever-present security concern. They’ve hacked the U.S. federal government and Fortune 500 companies, but they don’t turn up their noses at small and medium-sized businesses.


If you’ve turned on the news any time within the past few years, you probably have a solid understanding of just how serious this threat is to your business. What you might not be aware of is the specific threat spear-phishing poses.

Spear-phishing and traditional phishing accounts for 91% of all hacking attacks. Hackers send out emails to you and your employees that appear harmless. Someone in your company opens an email sent by a hacker, clicks a link to what looks like a legitimate website, and shares personal information — and opens the door to the hacker. Now the hacker has access to your confidential documents, financial records, and so much more.

Both traditional phishing and spear-phishing attacks can be devastating to your business, but what sets spear-phishing apart from its traditional counterpart is the targeted nature of a spear-phishing attack. While older phishing attacks attempted to break into your system through widespread spamming in the hopes at least one person will bite, spear-phishing hackers target specific people within your business. They take their time searching through social media to tailor an email that will be hard to resist opening. These more complicated and targeted emails increase the likelihood that one of your employees or even you will fall for it and let the hacker into your systems.

If your gut reaction is telling you that this won’t happen to your company, think again. In December 2014 there were nearly 50,000 successful attacks. These breaches cost businesses $453 million in lost revenue and repair costs. And December 2014 wasn’t a fluke. In fact, these attacks were actually down by 24% compared to the preceding month.

All these numbers boil down to one fact: it’s not a matter of if you will be hit with a spear-phishing attack, but when.

The problem isn’t just that your company will likely be hit with a spear-phishing attack. After all, the damage only comes after the email is opened. So what’s the likelihood that someone in your company is going to open one of these spear-phishing emails? The odds are not in your favor.

Studies have shown that 23% of phishing attack recipients open the hacker’s email. It only takes 10 emails to increase the likelihood of a security breach to 90%. Considering that spear-phishing is even more targeted than the traditional phishing attack that was studied, it is likely that these probabilities are even higher for a spear-phishing attack.

Once you are hit with a successful attack, the numbers only get bleaker. With any security breach, the key to mitigating damage and costs is speed. The only problem is that spear-phishing attacks hit fast and linger silently. Studies show that 50% of all opened attack emails are opened within the first hour. It’s unlikely you will notice a spear-phishing attack before it’s already opened the door to the hacker.

What’s worse is that you might not notice the attack for a long time. In 2013, it took companies an average of 229 days to notice that their networks had been compromised.

If you want to protect your company from the devastating threat of spear-phishing, prevention and awareness are key. Talk to staff about the threat and look into IT security options to keep your company safe before a spear-phishing attack strikes. Be vigilant and continually check your network for malware and other hacker delights. Early detection could save you a lot of money. Finally, build an IT plan so that, should your network ever be compromised, you can react as quickly as possible.