Why is Phishing Still the Most Popular Attack Method?
Attackers have been known to scour a company’s website and social media accounts. Perhaps they come across an announcement of an upcoming charity event. Who manages the charity? What does their email signature look like? What color and size is the charity’s logo?
To an attacker, this kind of information is precious. With it, they can craft a customized message, and they may call you afterwards to follow up. Even a target who has been warned about scams may click on something they should not.
According to this year’s IBM Security X-Force Threat Intelligence Index, phishing is the most common way for threat actors to gain access to victims’ networks. It was the initial access method in around 41% of the attacks that X-Force remediated last year.
That figure, up from 33% in 2020, covers every type of phishing, from mass mailings to highly targeted messages. Some of the world’s most sophisticated threat actors use phishing to deliver ransomware, other malware, remote access Trojans, or malicious links.
Phishing sits at the top of the list for one simple reason.
“It works,” said Stephanie Carruthers, an IBM Security X-Force Red global social engineering expert. Phishing attacks are becoming more sophisticated, with bad actors becoming more organized, imaginative, and targeted. In red team attack simulations for IBM clients, Carruthers uses these same intelligence-gathering methods and strategies.
These simulations fool more people than you might think. Almost one in five recipients click on X-Force Red’s targeted phishing emails. When the attack includes a follow-up phone call, one in two is duped.
Despite decades of security development, phishing has persisted since the 1990s. According to Camille Singleton, manager of the IBM X-Force Cyber Range Tech Team, that is not because people are gullible.
“Threat actors are simply really excellent at this,” she explained. “They are constantly increasing their offensive talents and tools.”
The four reasons listed below show why phishing is still a severe threat:
- Remote work gives attackers an opening. In the age of remote and hybrid work, companies rely heavily on email, and Carruthers says attackers are sending more emails to take advantage of that dependence. Meanwhile, with fewer watercooler conversations, employees have fewer chances to quietly warn each other about a strange email that has arrived in their inboxes.
- Cybercriminals are improving their craft. Phishing attacks are more likely to succeed when they use psychological manipulation, and following up a phishing email with a phone call or text message is one such technique. When Carruthers and her colleagues add follow-up voice calls to their simulated targeted phishing emails, the click rate jumps to 53.2%, three times the 17.8% click rate that targeted emails produce on their own. “People have even commented to me during assault simulations, ‘I thought that email you sent seemed weird, but thank you so much for contacting me.’ People don’t suspect a kind voice,” Carruthers added.
- Black-market organizations are becoming more professional. Because the black market has grown to meet demand, threat actors no longer need a particular technical skill set. On the dark web, cybercriminals can easily buy a phishing kit complete with help-desk support. “You’d assume these crooks would be shady or unorganized on the dark web,” Carruthers added. “However, some behave nearly like a professional business.”
- Security training isn’t creative enough. As email scam tactics grow more sophisticated, security training has not kept pace, according to Carruthers. Many businesses train their staff once a year and hope that cadence is enough. “There hasn’t been much innovation in that area,” she explained. “You can patch computers and servers, but you can’t patch people.”
Build Stronger Nets to Keep Phishing Emails Out
A phishing email is only the beginning of a cyberattack. Once inside, threat actors launch the next stage, such as ransomware or data theft. According to the Cost of a Data Breach Report, data breaches that began with phishing cost businesses an average of $4.65 million.
Unfortunately, no single technology or solution can protect against all types of phishing assaults.
“Phishing presents this really interesting intersection of human and technical challenges,” said Charles DeBeck, senior cyber threat intelligence strategic analyst with IBM Security X-Force. “That’s what makes it so challenging to defend against.”
IBM Security X-Force recommends a layered strategy, starting with an email security solution that filters out malicious messages. Zero trust security controls then limit what an attacker who does get a foothold can reach, by continually verifying users’ identities and restricting the number of people who can access valuable data assets. Techniques such as multi-factor authentication support that verification.
If a breach does occur, a mature zero trust deployment reduces the cost. According to the Cost of a Data Breach Report, organizations that use zero trust spend $1.76 million less per breach than those that do not.
“Whatever you use to safeguard your business, don’t just buy it, plug it in, and cross your fingers,” Carruthers said. Regular testing is important.
“Attackers become more sophisticated; they figure out how to get around filters and other equipment,” she continued. “Continued testing to ensure they’re tuned is really important.”
Lastly, a staff training program built on real-world examples is essential. According to Carruthers, the more employees see the damage attackers can cause, the more likely they are to recognize and report threats.
Carruthers cites one client’s smart approach: “Every time an employee receives a phishing email, the company takes a screenshot of it and breaks down all the red flags that employees should have spotted.” She says well-trained and vigilant employees can thwart a lot of phishing schemes, including her own.
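The "break down the red flags" exercise above, and the message filtering recommended earlier, both come down to the same checks a defender applies to a suspicious email: does the display name borrow a brand the address does not belong to, does Reply-To go somewhere else, does the visible link text match where the link really points, is the domain a lookalike, and is the message pushing urgency. The script below is an added example (not code from IBM or from the original article) that runs those checks over two constructed messages, one phishing-style and one benign; the trusted domain list, the urgency phrases and the simple lookalike normalisation are assumptions for illustration, not a production classifier.

```python
"""Break down the red flags in a suspicious email (added worked example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example: the brand the organisation expects mail from.
TRUSTED = ("example-bank.com",)
# Assumed pressure phrases; a real deployment would tune these.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "will be suspended", "verify now")
# Common character swaps used in lookalike domains (1->l, 0->o, ...).
LOOKALIKE_MAP = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two DNS labels (naive: ignores public suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def squash(s):
    """Normalise a name or label so lookalikes compare equal (rn->m, 1->l)."""
    return re.sub(r"[^a-z0-9]", "", s.lower().replace("rn", "m")).translate(LOOKALIKE_MAP)


def host_of(s):
    """Hostname of a URL or bare host string, '' if it cannot be parsed."""
    try:
        return urlparse(s if "://" in s else "http://" + s).hostname or ""
    except ValueError:
        return ""


def html_body(msg):
    """Decoded text/html part of the message, or '' if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyze(raw_email, trusted_domains=TRUSTED):
    """Return a list of (flag, detail) tuples for every red flag found."""
    msg, flags = message_from_string(raw_email), []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # 1. Display name borrows a trusted brand while the address does not belong to it.
    for trusted in trusted_domains:
        if squash(trusted.split(".")[0]) in squash(from_name) and registrable(from_domain) != trusted:
            flags.append(("display_name_mismatch", f"'{from_name}' suggests {trusted} but mail is from {from_addr}"))
    # 2. Replies are silently routed to a different domain.
    if reply_addr and reply_domain != from_domain:
        flags.append(("reply_to_mismatch", f"Reply-To {reply_domain} differs from From {from_domain}"))
    # 3. Links whose visible text shows one site while the href goes elsewhere, and lookalike domains.
    collector = LinkCollector()
    collector.feed(html_body(msg))
    for href, text in collector.links:
        href_dom, shown = registrable(host_of(href)), host_of(text)
        if "." in shown and registrable(shown) != href_dom:
            flags.append(("link_text_mismatch", f"text shows {shown}, link goes to {href_dom}"))
        for trusted in trusted_domains:
            if href_dom != trusted and squash(href_dom.split(".")[0]) == squash(trusted.split(".")[0]):
                flags.append(("lookalike_domain", f"{href_dom} imitates {trusted}"))
    # 4. Pressure to act now: two or more urgency phrases across subject and body.
    hits = [p for p in URGENCY_PHRASES if p in (msg.get("Subject", "") + " " + html_body(msg)).lower()]
    if len(hits) >= 2:
        flags.append(("urgency", "pressure phrases: " + ", ".join(hits)))
    return flags


# Constructed sample messages for the example; not real mail.
SUSPICIOUS = """From: "Example Bank Security" <alerts@example-bank-secure.net>
Reply-To: support@mail-helpdesk.example
To: jane@corp.example
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended. Please
<a href="http://examp1e-bank.net/login">https://www.example-bank.com/login</a> immediately.</p></body></html>
"""

BENIGN = """From: "Example Bank" <alerts@example-bank.com>
To: jane@corp.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in to <a href="https://www.example-bank.com/statements">view your statement</a>.</p></body></html>
"""

if __name__ == "__main__":
    for flag, detail in analyze(SUSPICIOUS):
        print(f"[{flag}] {detail}")
```

Each flag maps to one line in the kind of annotated screenshot the client in the quote produces, so the same function can feed both an awareness write-up and a mail-gateway rule; the lookalike and urgency heuristics are deliberately simple and should be treated as signals to combine, not verdicts on their own.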
Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.
For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com