One of the cheapest and most commonly used hacker tools relies more on psychology than software skill. This method of attack is known as spear fishing (“phishing” as hackers spell it). Spear fishing is a fishing operation where targets are carefully chosen and researched before putting together the attack (in the form of a personalized email). A new variation on spear fishing is called smishing. This is a two-step process that does not try to deliver malware (spying software) initially but seeks to get the recipient to reply to the first message. The hackers then respond with another message that does contain the malware. The most expensive aspect of fishing attacks is compiling or buying lists of suitable people, along with the email address each infected message should appear to come from so that the message or attachment gets opened. Spear fishing requires a lot more research on the target, and these are the people smishing attacks are often aimed at.
Surveys of American companies indicate about 90 percent of them were hit with some kind of fishing attack in 2015. About 23 percent of people receiving a fishing email open it. Over 70 percent of companies do not have the kind of network defenses that will prevent malware from being installed. That is changing as word gets around about the extent of the damage done by fishing attacks.
The best automated defenses are supposed to block the actions of the hacker software that is triggered when the victim clicks on the email or an attachment, but hackers keep finding exploitable vulnerabilities in these defenses. Each one creates an opening, at least until that vulnerability is recognized and patched.