The Impact of Phishing, and Why it Should be Your #1 Priority

bigstock-credit-card-data-theft-75494917.jpgNation states. Hacktivists. Cyber criminals.

There are so many players in the modern threat landscape it can be hard to keep up.

And the number of threats? Practically too many to count.

By the time you’ve secured your organization against password reuse, DDoS, and crimeware attacks, your resources are likely so diminished there’s no point even thinking about what else could be out there.

But there’s a problem. An elephant in the room, if you like.

There’s one threat vector that gets minimal attention, and even less budget… and yet is a common factor in almost every data breach you’ve heard about in the last decade.

The Experts’ Take

Now look. We sit here all day, and think about how we can protect our customers from phishing. Of course we think it’s a big deal.

But you don’t have to take it from us that phishing should be at the top of your cyber concerns. Instead, take it from a bunch of other security experts who have no real stake in whether or not you decide to care about it:

“A single spear-phishing email carrying a slightly altered malware can bypass multi-million dollar enterprise security solutions if an adversary deceives a cyber-hygienically apathetic employee into opening the attachment or clicking a malicious link and thereby compromising the entire network.” 

― James Scott, Senior Fellow, Institute for Critical Infrastructure Technology

"Almost every breach you read about happens through spear phishing, and the weak link is the human behind the keyboard. Spear phishing always, always works.”

— Anup Ghosh, CEO, Invincea

Convinced yet? No? Fair enough. Let’s take a look at some empirical data instead.

5 Reasons To Start Taking Phishing Seriously

1) The volume of spam emails increased by 400 percent in 2016

IBM Threat Intelligence Index 2017

Now, of course, not all spam is malicious. In fact, a huge proportion of it is just… well… spam.

But it wasn’t just spam that increased. In addition to a huge spike in overall spam volume, the proportion of spam emails containing malicious attachments skyrocketed as well.

And we’re not just talking about ransomware… in recent years phishing has been the number one distribution method for all malware, at around two-thirds of total distribution.

Spam 400 percent.png

2) More than 400 businesses are targeted with business email compromise (BEC) scams every day

Symantec 2017 Internet Security Threat Report (ISTR)

If you thought malicious attachments were the only trick up phishing actors’ sleeves, think again. BEC scams, which spoof trusted email addresses to demand immediate payment of fraudulent invoices, have become hugely popular in recent years.

Does that sound like something that would never work? Unfortunately, it does, and in a big way.

According to the FBI, BEC scams have led to more than $5 billion in losses over the past few years, with over 24,000 victims identified.

3) Volume of W-2 phishing lures increased 870 percent during the early months of 2017

IRS Return Integrity Compliance Services

W-2 scams are a subset of BEC, whereby phishing actors pose as senior company executives and request employee W-2 forms from payroll or HR employees for the purposes of committing tax fraud. Naturally, this type of scam is typically confined to the first few months of the year.

But here’s the thing. This statistic isn’t really about W-2 scams… it’s about the tendency of phishing actors to constantly change targets and tactics to ensure a consistent (and very high) level of success.

Over the past decade we’ve observed many industries being completely blindsided by a sudden torrent of phishing attacks, simply because one or two phishing actors identified an opportunity, and the rest followed suit. In recent years, this exact process has happened to the SaaS, online services, payment services, cloud services, e-commerce, and financial industries… and right now, nobody knows who will be next in line.

4) Phishing volume grew by a massive 41 percent in Q2 2017

PhishLabs Phishing Trends & Investigations Report Q2 2017

We’ve been observing phishing trends for over a decade, and in all that time volume has only ever gone up. But 41 percent in a single quarter? That’s huge.

But you know what? It’s not surprising. Not really.

After all, with all the fancy new security products on the market, traditional hacking techniques aren’t as easy to pull off as they were a few years back. Even mid-sized businesses are rocking some pretty advanced security technologies.

But fooling people? That never goes out of style.

5) Almost half of all breaches are caused by phishing

Verizon 2017 Data Breach Investigations Report

That’s right. We saved the best for last.

A massive 43 percent of all reported breaches utilize phishing. Do I really need to say anything more?

If one threat vector accounts for almost 50 percent of all cyber risk, I’d say it’s about time we all start taking it more seriously.

Time to #FightBack

I hope, by this time, you’re convinced that phishing is a real problem, and one that needs to be addressed if your organization is going to keep hold of its sensitive data.

After all, by 2020 a quarter of the world’s population will have been affected by data breaches… do we really need to make things even worse?

Thankfully, there are plenty of things you can do to minimize your organization’s level of phishing risk. Throughout October, in honor of National Cyber Security Awareness Month, we’ll be giving away tons of free information and resources on how to fight back against phishing, including:

  • A series of short, 2-minute videos on “How To Spot a Phish”
  • Detailed analysis of real phishing lures on our blog
  • Plenty of activity on our social media channels (#EverybodyGetsPhished)
  • A brand new white paper and webinar on a holistic approach to phishing protection

To make sure you don’t miss out on all this, go ahead and sign up for our Cyber Security Awareness Month mailing list - You won’t be disappointed.

Article Link: https://info.phishlabs.com/blog/the-impact-of-phishing-and-why-it-should-be-your-1-priority