How Effective Are Phishing Attacks in 2022?

Over the past few years, spam filters have gotten significantly more effective. This has been good news for email users, but it also has unintended consequences. Because bulk spam emails are unlikely to get through to the recipient, scammers are switching their approach to more targeted phishing operations.

Phishing attacks are designed to look like they come from a trusted source, like a bank, major company, or even the recipient’s employer. This lures the person into a false sense of security. They might click a link and fill out a form with sensitive information, or they might download a file with malicious code hidden inside.

Here, we’ll discuss how effective these attacks have become, who is at risk, and how you can protect yourself and your organization.

Who Is Most Impacted?

In 2021, Cisco published a detailed report on the latest trends in phishing. According to their report, financial services are the most highly targeted industry, with 60% more attacks than higher education, the second most targeted sector.

Another security firm, Tessian, came up with slightly different numbers because it measured attacks by the number of phishing emails received per worker per year. According to Tessian, retail was the most targeted sector, with 49 emails per worker per year. Manufacturing came next, with 31 emails. Food and beverage, research and development, and technology rounded out the top five.

What Attachments Are Used?

One common type of malicious file attachment is a PDF file, primarily because of the format’s versatility. For starters, it can be used to gather information by asking a person to fill out a form. In some cases, PDFs can be used to execute JavaScript code, potentially forcing the victim’s browser to perform malicious actions. Or, the scam can be as simple as sending a fraudulent PDF invoice to the billing department at a company, hoping they will pay it without verifying that it’s real.

While PDF files can be dangerous, Microsoft Office files can be even more dangerous in certain cases. Excel and Word files are particularly popular among attackers because they can carry macros, which allow an attacker to execute malicious code directly on the victim’s computer if the victim enables that functionality. The percentage of these types of attacks increased significantly from 2018 to 2020.

Keep in mind that while email attachments are a common way to execute a phishing attack, that’s not always the case. Actually, only 24% of phishing emails sent in 2021 contained an attachment. The others used links or other methods to execute the attack.
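Both file types described above leave detectable traces: a PDF that runs script carries `/JavaScript`, `/JS`, `/OpenAction` or `/Launch` entries, a modern Office document (a zip container) that carries macros contains a `vbaProject.bin` part, and legacy `.doc`/`.xls` files are OLE2 containers. The script below is an added example written for this page, not Pensive Security’s code; it triages attachments on those signals, with all sample attachments constructed in memory (the names `triage`, `pdf_findings`, `office_findings` and `SAMPLES` are this example’s own) so it runs offline. It also flags a document whose extension says "no macros" (`.docx`) but which still contains a VBA project, a mismatch the article’s description of macro files does not cover but that the same check catches.

```python
"""Attachment triage for the phishing file types discussed on this page.

Added example, not Pensive Security's code. Sample attachments below are
constructed in memory so the script runs offline.
"""
from __future__ import annotations

import io
import zipfile

# Extensions Office uses for macro-enabled documents.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Magic bytes of a legacy OLE2 container (.doc/.xls); macros can live here too.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# PDF dictionary keys that let a document run script or act when opened.
PDF_ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")


def pdf_findings(data: bytes) -> list[str]:
    """Return risk markers found in a PDF (empty list if not a PDF)."""
    if not data.startswith(b"%PDF-"):
        return []
    findings = []
    if b"/AcroForm" in data:
        findings.append("pdf-form")  # fillable form: credential-harvest vector
    for key in PDF_ACTIVE_KEYS:
        if key in data:
            findings.append("pdf-active:" + key.decode())
    return findings


def office_findings(name: str, data: bytes) -> list[str]:
    """Return risk markers for Office containers (OOXML zip or legacy OLE2)."""
    findings = []
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in MACRO_EXTENSIONS:
        findings.append("macro-enabled-extension")
    if data.startswith(OLE_MAGIC):
        findings.append("legacy-ole-container")
    if data.startswith(b"PK\x03\x04"):  # OOXML documents are zip archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return findings + ["corrupt-zip"]
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("vba-project-present")
            if ext and ext not in MACRO_EXTENSIONS:
                # e.g. a .docx that still ships a VBA project
                findings.append("macro-in-unexpected-container")
    return findings


def triage(name: str, data: bytes) -> dict:
    """Combine the checks into a verdict: block, review or allow."""
    findings = pdf_findings(data) + office_findings(name, data)
    if any(f.startswith("pdf-active") or f == "vba-project-present" for f in findings):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"name": name, "verdict": verdict, "findings": findings}


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build a minimal OOXML-style zip in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


# Constructed sample attachments, not real files from any campaign.
SAMPLES: dict[str, bytes] = {
    "invoice.pdf": (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >>\n"
                    b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >>\n%%EOF"),
    "form.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog /AcroForm 2 0 R >>\n%%EOF",
    "report.docm": make_zip({"word/document.xml": b"<w:document/>",
                             "word/vbaProject.bin": b"\x00" * 16}),
    "notes.docx": make_zip({"word/document.xml": b"<w:document/>"}),
    "old.xls": OLE_MAGIC + b"\x00" * 24,
}

if __name__ == "__main__":
    for sample_name, sample_bytes in SAMPLES.items():
        print(triage(sample_name, sample_bytes))
```

Run as a script, the block prints one verdict per constructed sample; in a mail-gateway or sandbox pipeline the `triage` function would be called per attachment and `block` results quarantined, `review` results routed to an analyst. The byte-level checks are deliberately simple (a substring scan, a zip listing) and do not replace full PDF or OLE parsing, but they are cheap enough to run on every message.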

What Data Is Compromised?

According to a study by Verizon, the following types of data are most commonly targeted:

  • Usernames, PINs, passwords, and other credentials
  • Personal data such as a name, address, or phone number
  • Medical information, including treatment information and insurance records

Security firm ProofPoint recently surveyed several industry leaders whose companies had suffered from phishing attacks. When asked to name some negative impacts of those attacks, these were their responses:

  • 60% said that their organizations had lost data
  • 52% said that some of their organization’s passwords and usernames had been compromised
  • 47% had been subjected to a ransomware attack
  • 29% had been infected with malware
  • 18% had suffered financial losses

What Are the Costs?

So, what are the potential costs of a phishing attack? According to Verizon, within six months of a successful phishing attack, the average company’s stock price drops by 5%. That’s no laughing matter. And according to the FBI, email scammers swindled more than $1.8 billion from businesses in 2020 alone.

This number will only get higher as scammers get more sophisticated. According to a report by the Anti-Phishing Working Group, the average wire-transfer loss to a phishing scammer rose from $54,000 to more than $80,000 in the first half of 2020 alone. And while this was part of a broader pandemic surge in online scams, the numbers continue to rise.

The same report named several categories of costs, including:

  • Intrusion response
  • Remediation
  • Direct financial loss
  • Loss of intellectual property and trade secrets
  • Fines and legal fees
  • Reputational damage
  • Loss of revenue
  • Loss of employee time

Of these costs, remediation costs were usually the highest.

Another security firm, RiskIQ, estimates that businesses lose $1,797,945 per minute to cybercrime around the world. For the average company, losses amount to $7.20 per minute per breach.

A 2021 IBM study found that phishing is the second most costly form of data breach. The average phishing breach costs a company $4.65 million. The most expensive type of phishing is Business Email Compromise (BEC), where an attacker gains control of a legitimate company email account. The average BEC breach costs a staggering $5.01 million.

Phishing can also cause indirect costs. According to the same IBM study, attacks performed using stolen credentials were the fifth most expensive type of data breach, with an average price of $4.37 million. Many of those credentials are stolen using phishing, so the actual cost of phishing attacks may be even higher.

How to Reduce Your Risk

According to a series of studies, there’s no single way to prevent phishing attacks. Instead, the best way to reduce your risk of a breach is to combine three different strategies, or lines of defense.

The first strategy is to address the weakest link in the chain: the human end users. By training employees to recognize the signs of phishing, a breach is less likely to occur in the first place. Employees should be trained on how to identify suspicious emails. For example, if an employee receives an invoice for something they don’t recognize, they should follow up by phone to verify its legitimacy.

The second strategy is to use technological solutions to block attacks as soon as they are detected. The sooner a threat is detected, the less damage it will do. For example, suppose a company CEO’s email account gets hacked. For every minute an attacker has control of that account, the company is at greater risk. In fact, IBM’s study found that businesses that used AI-based security software reduced the average cost of a breach from $6.7 million to $2.9 million.

Law enforcement represents the third important strategy. While law enforcement cannot prevent phishing attacks, they can investigate them and bring the scammers to justice. This creates a deterrent effect, which discourages people from engaging in phishing attacks in the first place.

How Pensive Security Can Help

Pensive Security offers multiple services that can help reduce your risk of a successful phishing attack. The best strategy is to incorporate multiple services into a single engagement so that Pensive Security can test your resilience to attack from various angles.

For example, you may consider a penetration test with a social engineering component built in. This allows Pensive Security to test the people and technology you employ for security holes that an attacker could exploit to steal data or deploy ransomware.

Want to get started? Schedule a call with a security expert today or contact us at
