The threat from phishing has been growing steadily over the past few years, but a new report from Mimecast shows it is now greater than ever, with more phishing attacks on businesses than at any previous time. According to the report, phishing attacks on businesses rose 400% in Q2 2017.
For the study, Mimecast analyzed the inbound emails of 44,000 business users. That analysis showed cybercriminals are increasingly targeting employees using highly sophisticated methods to get them to reveal their login credentials or install malware.
It is now increasingly common for threat actors to impersonate C-level executives, business partners or employees to add authenticity to their requests. When an email appears to have been sent by a C-level executive, many employees would not think twice about responding.
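The impersonation the report describes usually relies on the From: display name rather than the actual mailbox: the name reads "Jane Doe" while the address is a free webmail account or a lookalike domain. The following is an added example, not code from the Mimecast report or any Mimecast product, of a simple inbound check a mail gateway or SIEM rule could apply. The organisation domain, the executive directory and the sample messages are all constructed for illustration.

```python
"""Flag display-name impersonation of named executives in inbound mail.

Added example, not from the Mimecast report. ORG_DOMAIN, EXECUTIVES and
the SAMPLES below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

ORG_DOMAIN = "example.com"  # assumed organisation domain
EXECUTIVES = {              # assumed directory of protected names -> real mailbox
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}


def normalize_name(name):
    """Fold case, strip accents and punctuation so 'Jane Doé' matches 'jane doe'."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    for ch in ".,\"'":
        plain = plain.replace(ch, " ")
    return " ".join(plain.lower().split())


def address_domain(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, target):
    """True for domains within two edits of the target (e.g. examp1e.com)."""
    return bool(domain) and domain != target and edit_distance(domain, target) <= 2


def check_message(raw):
    """Return a list of finding codes for one RFC 5322 message (empty = clean)."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr = from_addr.lower()
    from_dom = address_domain(from_addr)

    # A protected display name must come from exactly the directory mailbox.
    expected = EXECUTIVES.get(normalize_name(from_name))
    if expected and from_addr != expected:
        findings.append("display-name-impersonation")

    # Sender domain that is one or two characters away from ours.
    if is_lookalike(from_dom, ORG_DOMAIN):
        findings.append("lookalike-domain")

    # Reply-To steering the conversation to a different domain than From.
    if reply_addr and address_domain(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")
    return findings


# Constructed sample messages (headers only are needed for this check).
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example.com>\nSubject: Board pack\n\nAttached.\n",
    "freemail": 'From: "Jane Doe" <ceo.jane.doe@gmail.com>\nSubject: Urgent wire\n\nCall me.\n',
    "lookalike": "From: Jane Doe <jane.doe@examp1e.com>\nSubject: Invoice\n\nPay today.\n",
    "replyto": ("From: Jane Doe <jane.doe@example.com>\n"
                "Reply-To: jane.doe.private@outlook.com\nSubject: Gift cards\n\nQuietly.\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} {check_message(raw) or 'clean'}")
```

The name-to-mailbox rule is deliberately strict: anything carrying a protected display name that is not the directory address is flagged, whichever domain it comes from. Tune the edit-distance threshold to your domain length, and treat these findings as a complement to SPF/DKIM/DMARC enforcement, not a replacement for it.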
In addition to gaining access to corporate email accounts and networks, cybercriminals try to fool accounts and payroll employees into making fraudulent bank transfers. A single successful phishing attempt can cost an organization many thousands of dollars. In the case of bank transfers, the losses can be even higher. Some companies have made transfers of millions of dollars to the threat actor’s account in the belief the request was genuine.
The Mimecast analysis revealed that while many companies have email security solutions in place to stop spam and malicious emails from being delivered, such messages are still reaching end users’ inboxes.
The firm uncovered almost 9 million spam messages, 8,318 malicious file types and 487 unknown malware samples attached to emails, highlighting the scale of the problem. In its report, the firm said its research “reinforces the concerning reality that the industry must work towards a higher standard of email security, as 90% of attacks start with email.”
Mimecast said “this latest ESRA analysis reflects how impersonation attacks are getting through existing email security defences at an alarming rate. If a CISO isn’t reviewing its current email security solution on a 12- to 18-month basis, they may be surprised at what threats are now getting into employees’ inboxes.”
While organizations should review their email security solutions, they must assume that no solution will be 100% effective, 100% of the time. In addition to using an effective email security solution, organizations should ensure employees receive security awareness training. Phishing email simulations should also be conducted to ensure training has been understood and to give employees practice at identifying email threats in a safe environment.