By Pete Hugh | October 4, 2017
Nation states. Hacktivists. Cyber criminals.
There are so many players in the modern threat landscape it can be hard to keep up.
And the number of threats? Practically too many to count.
By the time you’ve secured your organization against password reuse, DDoS, and crimeware attacks, your resources are likely so diminished there’s no point even thinking about what else could be out there.
But there’s a problem. An elephant in the room, if you like.
There’s one threat vector that gets minimal attention, and even less budget… and yet is a common factor in almost every data breach you’ve heard about in the last decade.
Threat actors have used phishing for years as their go-to initial infection vector. Why? Because it works. To find out how your organization can mitigate the threat of phishing using powerful security awareness training, register for our free on-demand webinar: Best Practices for Phishing Awareness Training
The Experts’ Take
Now look. We sit here all day, and think about how we can protect our customers from phishing. Of course we think it’s a big deal.
But you don’t have to take it from us that phishing should be at the top of your cyber concerns. Instead, take it from a bunch of other security experts who have no real stake in whether or not you decide to care about it:
“A single spear-phishing email carrying a slightly altered malware can bypass multi-million dollar enterprise security solutions if an adversary deceives a cyber-hygienically apathetic employee into opening the attachment or clicking a malicious link and thereby compromising the entire network.”
― James Scott, Senior Fellow, Institute for Critical Infrastructure Technology
“Almost every breach you read about happens through spear phishing, and the weak link is the human behind the keyboard. Spear phishing always, always works.”
— Anup Ghosh, CEO, Invincea
Convinced yet? No? Fair enough. Let’s take a look at some empirical data instead.
5 Reasons To Start Taking Phishing Seriously
1) The volume of spam emails increased by 400 percent in 2016
— IBM Threat Intelligence Index 2017
Now, of course, not all spam is malicious. In fact, a huge proportion of it is just… well… spam.
But it wasn’t just spam that increased. In addition to a huge spike in overall spam volume, the proportion of spam emails containing malicious attachments skyrocketed as well.
And we’re not just talking about ransomware… in recent years phishing has been the number one distribution method for all malware, at around two-thirds of total distribution.
2) More than 400 businesses are targeted with business email compromise (BEC) scams every day
— Symantec 2017 Internet Security Threat Report (ISTR)
If you thought malicious attachments were the only trick up phishing actors’ sleeves, think again. BEC scams, which spoof trusted email addresses to demand immediate payment of fraudulent invoices, have become hugely popular in recent years.
Does that sound like something that would never work? Unfortunately, it does, and in a big way.
According to the FBI, BEC scams have led to more than $5 billion in losses over the past few years, with over 24,000 victims identified.
3) Volume of W-2 phishing lures increased 870 percent during the early months of 2017
— IRS Return Integrity Compliance Services
W-2 scams are a subset of BEC, whereby phishing actors pose as senior company executives and request employee W-2 forms from payroll or HR employees for the purposes of committing tax fraud. Naturally, this type of scam is typically confined to the first few months of the year.
But here’s the thing. This statistic isn’t really about W-2 scams… it’s about the tendency of phishing actors to constantly change targets and tactics to ensure a consistent (and very high) level of success.
Over the past decade we’ve observed many industries being completely blindsided by a sudden torrent of phishing attacks, simply because one or two phishing actors identified an opportunity, and the rest followed suit. In recent years, this exact process has happened to the SaaS, online services, payment services, cloud services, e-commerce, and financial industries… and right now, nobody knows who will be next in line.
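Both the BEC invoice scam above and the W-2 variant rely on the same trick: a message whose display name or domain looks like a trusted internal sender but whose real address is not. The following is an added defender-side example, not code from the original post or from PhishLabs, showing three cheap header checks a mail-filtering or SOC triage script can run before a message ever reaches payroll or accounts payable. The organisation domain, the executive names, and the three sample messages are all constructed for this illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions: our own mail domain and the executives whose names
# BEC and W-2 lures typically borrow. These are hypothetical values.
OUR_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, ours: str = OUR_DOMAIN) -> bool:
    """True when the sender domain imitates ours without being ours:
    a near-miss spelling (examp1e.com) or our name embedded in a
    different registrable domain (example-billing.net)."""
    if not domain or domain == ours:
        return False
    if _edit_distance(domain, ours) <= 2:
        return True
    return ours.split(".")[0] in domain


def assess_message(raw: str) -> list:
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. A known executive's name on a message that did not come from our domain.
    if name.strip().lower() in EXECUTIVE_NAMES and domain != OUR_DOMAIN:
        findings.append("exec-name-external-sender")

    # 2. The sending domain is a lookalike of our own.
    if lookalike_domain(domain):
        findings.append("lookalike-domain")

    # 3. Replies are silently redirected to a different domain than the sender's.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_domain != domain:
        findings.append("reply-to-mismatch")

    return findings


# Constructed sample messages (not real traffic).
LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Subject: Q3 numbers

Attached as discussed.
"""

EXEC_IMPERSONATION = """From: "Jane Doe" <jane.doe@freemail-hosting.net>
To: payroll@example.com
Subject: W-2 forms needed today

Please send me the W-2s for all staff as a PDF.
"""

LOOKALIKE_INVOICE = """From: "Accounts Payable" <billing@examp1e.com>
Reply-To: <pay@invoice-desk.org>
To: ap@example.com
Subject: Overdue invoice 4471

Wire transfer required by end of day.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("exec", EXEC_IMPERSONATION), ("invoice", LOOKALIKE_INVOICE)):
        print(label, assess_message(raw) or "clean")
```

None of these checks replaces SPF, DKIM and DMARC enforcement; they catch the cases those protocols do not, such as a perfectly authenticated message from a freemail account that happens to carry the CFO's display name.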
4) Phishing volume grew by a massive 41 percent in Q2 2017
— PhishLabs Phishing Trends & Investigations Report Q2 2017
We’ve been observing phishing trends for over a decade, and in all that time volume has only ever gone up. But 41 percent in a single quarter? That’s huge.
But you know what? It’s not surprising. Not really.
After all, with all the fancy new security products on the market, traditional hacking techniques aren’t as easy to pull off as they were a few years back. Even mid-sized businesses are rocking some pretty advanced security technologies.
But fooling people? That never goes out of style.
5) Almost half of all breaches are caused by phishing
— Verizon 2017 Data Breach Investigations Report
That’s right. We saved the best for last.
A massive 43 percent of all reported breaches utilize phishing. Do I really need to say anything more?
If one threat vector accounts for almost 50 percent of all cyber risk, I’d say it’s about time we all start taking it more seriously.
Time to #FightBack
I hope, by this time, you’re convinced that phishing is a real problem, and one that needs to be addressed if your organization is going to keep hold of its sensitive data.
After all, by 2020 a quarter of the world’s population will have been affected by data breaches… do we really need to make things even worse?
Thankfully, there are plenty of things you can do to minimize your organization’s level of phishing risk. Last October, in honor of National Cyber Security Awareness Month, we put together a bundle of free resources to help organizations and individuals fight back against phishing, including:
- “How To Spot a Phish” video series
- 9 detailed blog posts on the most common types of phish
- 7 webinars on phishing best practices, trends, and advice
- 5 white papers on everything from enterprise phishing protection to our SAT buyer’s guide