Phishing is the most common method used to attack businesses. Phishing attacks are performed to steal credentials, obtain sensitive data, install malware, or gain a foothold in a network for a more extensive compromise. Phishing attacks target individuals and exploit human rather than technical weaknesses, and use social engineering to trick people into taking an action that allows the attacker to achieve their aims.
The UK cybersecurity firm Proofpoint has recently published the findings of surveys of 600 IT security professionals and 3,500 consumers, together with analyses of more than 100 million phishing simulations and 15 million phishing emails reported by its customers over the past 12 months.
According to Proofpoint’s 2022 State of the Phish Report, there was a significant increase in phishing attacks in 2021 compared to 2020. 83% of survey respondents said their organization had experienced a successful email-based phishing attack in 2021, up from 57% in 2020. 54% of respondents said they had to deal with more than 3 successful phishing attacks, and 11% said they had experienced 10 or more successful phishing attacks.
In Australia, 92% of respondents said they had experienced a phishing attack in the past 12 months, up from 53% in 2020, and 91% of UK respondents said email accounts had been compromised in phishing attacks in 2021. There was an 18% increase in business email compromise attacks, with 77% of organizations reporting being targeted in BEC attacks and 68% of organizations experiencing at least one ransomware infection. 60% said they paid the ransom – in many cases more than once – and 32% of organizations that did pay the ransom ended up having to pay additional costs to regain access to their systems and data.
There was also a marked increase in telephone-oriented attack delivery (TOAD), which combines fraudulent emails with well-designed malicious websites, remote access software, malware, and call centers that provide "support" for fictitious issues, such as malware infections.
The increase in successful phishing attacks is believed to be linked to the increase in remote working due to the pandemic. More than half of employees at 81% of organizations worked remotely for at least some of 2021. Home or hybrid working introduces risks. For example, only 60% of employees said they had a password on their home network and 42% admitted taking risky actions when working remotely, such as clicking links in phishing emails, or exposing their login credentials.
Alarmingly, despite the increased risks of remote working, 37% of employers provided no training on working from home securely. Employees' lack of knowledge was also highlighted by responses to questions about cyber threats. Only 53% of workers correctly identified what phishing is, compared to 63% in 2020. Only 36% of users were able to correctly identify the definition of ransomware, and just 63% selected the correct definition of malware. Fewer than a quarter of respondents correctly identified the definitions of vishing and smishing.
Training the workforce to be more security-aware is important, as without training employees cannot be expected to know security best practices and how to identify cyber threats. “Employees need immediate clarity on key points like internal email, cloud documents, and the need to take personal responsibility for email security,” said Proofpoint. “More than two-thirds of respondents showed a lack of understanding about the capabilities of technical email safeguards on work accounts. That lack of knowledge is a clear and present danger to organizations around the globe.”