As you’ve probably heard, social engineering attacks are one of the most widespread and impactful forms of cybercrime that all organizations currently face. The most recent phishing statistics from top research firms help illustrate the scope and danger of this threat.
Phishing Attack Frequency
A recent study by APWG saw a record number of phishing attacks in Q3 2022. Also, as seen in recent research from IRONSCALES, 81% of organizations around the world have endured an increase in phishing attacks since March 2020. However, almost 1 in 5 organizations deliver phishing awareness training to their employees only one time each year. Meanwhile, according to Verizon’s 2022 DBIR, 82% of data breaches involve a human element, which most often includes phishing and/or the use of stolen credentials.
The FBI’s Internet Crime Complaint Center (IC3) recently published an Internet Crime Report that found that phishing, including vishing, SMiShing and pharming, is the most prevalent threat in the US, with 323,972 victims. This is an increase of 34% compared to the previous year.
One major outcome of such attacks is that organizations are experiencing more data breaches caused by stolen credentials. According to research by IBM, one in five companies that suffer a data breach was compromised because of lost or stolen credentials (which are often the target of phishing), while only 17% are compromised through a direct phishing attack alone.
The majority of social engineering attacks come through email, yet we are seeing a disturbing trend in which one-third of IT professionals have seen an increase in social engineering via other communication platforms. Included in this population are video conferencing platforms (44%), workforce messaging platforms (40%), cloud-based file-sharing platforms (40%), and SMS (36%).
Email does hold its place as the number one method by which attackers phish their victims, with many of those attacks starting with a “recon” or “bait” email. Bait emails verify the existence of the victim’s email account and can help attackers gather more information about a victim. It seems that 91% of bait emails are sent via a Gmail account, with just 9% coming from other sending domains.
Outside of email, in Q3 2022 APWG detected 415,630 unique phishing websites: sites that trick users into believing they are entering sensitive data on a legitimate site.
The Victim Profile
Research from BDO found that six out of ten mid-sized businesses in the UK have been directly attacked by fraudsters, with losses of 245,000 pounds on average. Almost 40% of all companies included in the survey revealed they’d experienced increased fraud attempts compared with earlier periods.
A report from Microsoft, titled New Future of Work, found that 80% of security professionals have seen an increase in security threats since the major shift to remote work. Of the 80%, 62% of those professionals also say that phishing campaigns have increased the most.
Protect Your Organization
While no single solution can address all forms of phishing, a multi-layered (sometimes referred to as an “onion”) approach to phishing defense seems to be most effective. Here are some examples of effective defense layers:
Use a Secure Email Gateway
Secure Email Gateways (SEGs) are tools that monitor inbound and outbound emails, scanning them for malicious content. Modern SEGs are quite capable of detecting spam, phishing, or malware threats, which are then quarantined or blocked.
Unfortunately, sophisticated spear-phishing attacks are able to evade SEGs by impersonating known trusted senders, for example by reusing a trusted contact’s display name on a message that actually comes from an unrelated address.
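One post-delivery check a defender can layer on top of an SEG for exactly this case is to compare the sender’s display name against a directory of trusted contacts and flag messages where the name matches but the address does not (plus a Reply-To that diverges from From). This is an added example, not code from the original article or from any product it mentions; the trusted-contact directory and the sample messages are constructed here.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed directory of trusted contacts (assumed to be maintained by the organization).
TRUSTED_CONTACTS: Dict[str, str] = {
    "jane doe": "jane.doe@example.com",
    "acme billing": "billing@acme.example",
}

def display_name_mismatch(from_header: str, trusted: Dict[str, str] = TRUSTED_CONTACTS) -> Optional[str]:
    """Flag a From header whose display name matches a trusted contact but whose address does not."""
    name, addr = parseaddr(from_header)
    expected = trusted.get(name.strip().lower())
    if expected is None or addr.lower() == expected.lower():
        return None
    return f"display name '{name}' matches a trusted contact but address is '{addr}' (expected {expected})"

def reply_to_mismatch(from_header: str, reply_to_header: str) -> Optional[str]:
    """Flag a Reply-To address that differs from the From address (replies would go elsewhere)."""
    _, from_addr = parseaddr(from_header)
    _, reply_addr = parseaddr(reply_to_header)
    if reply_addr and reply_addr.lower() != from_addr.lower():
        return f"Reply-To '{reply_addr}' differs from From '{from_addr}'"
    return None

def analyze(raw_message: str) -> List[str]:
    """Parse an RFC 5322 message and return a list of impersonation findings (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_hdr = str(msg.get("From", ""))
    reply_hdr = str(msg.get("Reply-To", ""))
    findings = [display_name_mismatch(from_hdr), reply_to_mismatch(from_hdr, reply_hdr)]
    return [f for f in findings if f]

# Constructed sample messages: one impersonating a trusted contact, one genuinely from her.
SAMPLE_IMPERSONATION = (
    "From: Jane Doe <jane.doe@mail-login.example>\r\n"
    "Reply-To: jane.doe.hr@webmail.example\r\n"
    "To: staff@example.com\r\nSubject: Quick request\r\n\r\nAre you at your desk?\r\n"
)
SAMPLE_LEGITIMATE = (
    "From: Jane Doe <jane.doe@example.com>\r\n"
    "To: staff@example.com\r\nSubject: Lunch\r\n\r\nNoon?\r\n"
)

if __name__ == "__main__":
    for label, raw in (("impersonation", SAMPLE_IMPERSONATION), ("legitimate", SAMPLE_LEGITIMATE)):
        print(label, analyze(raw))
```

A matched name with an unexpected address is a strong signal for a quarantine-or-banner rule, but the directory must be kept current or genuine address changes will be flagged.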
Cloud Email Security Options
Many cloud email security solutions are excellent “post-delivery” options. These sit within your environment and scan inbound, outbound, and internal communications for malicious content. Many of these tools use artificial intelligence (AI) and machine learning to analyze individuals’ communication patterns and improve detection over time. Some can also analyze other internal communication channels, like direct messaging through applications such as Slack.
Security Awareness Training
Employees are possibly the most critical part of your cybersecurity defense strategy. Phishing awareness training and simulation platforms deliver engaging simulated phishing campaigns to turn members of your organization into defenders of your data.
A recent report from Cofense (formerly PhishMe) analyzed millions of results from their own simulated phishing campaigns and found that 82% of trained employees reported a simulated phish within an hour of receiving it, 52% reported within 5 minutes, and 19% within 30 seconds.
The success of awareness training is further supported by research across the security industry, which generally shows that after completing one year of phishing awareness training the average improvement rate across all industries and organization sizes was 85%.
Webcheck Aware is an affordable and customizable phishing simulation platform that can help you improve phishing awareness maturity for your personnel. Contact us today for a free quote.