According to the 2021 Verizon Data Breach Investigations Report, more than 85% of breaches during the assessed period involved a human element[1]. Additionally, social engineering (typically via phishing emails) ranked a close third as the primary vector for damage, behind denial of service (DoS) and web application attack vectors.
Attackers are increasingly turning to phishing as the way into organizations' networks and, unfortunately, many organizations are making it easy for them to do so. One example of this is that attackers recently discovered that they could spoof the legitimate domain names of any Google Mail (aka, Gmail) account--even those used by many well-recognized brands. Cybersecurity researchers detected a significant increase in phishing emails from legitimate email addresses and upon deeper investigation, found that these malicious communications take advantage of a flaw in a popular Google service and a lack of sufficient security measures by the impersonated brands. [2]
What's a security conscious organization to do? Several mechanisms for protecting innocent users do exist, including DMARC, Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM), which can assist receiving email servers in knowing when to reject spoofed emails. These solutions can even enable email server owners to report the malicious activity to the impersonated organization.
If you need help identifying ways your organization can better secure its communications, the Webcheck team has years of experience and a wealth of knowledge to assist in that endeavor. Reach out to discuss your options and you'll find we can streamline your protection efforts!
Sources: