Phishing Attacks Soar in 2017
Last year brought the realisation that phishing was well and truly a major threat. Having been declared ‘mainstream’ at the end of 2016, attacks have since skyrocketed.
As the global cost of cybercrime rose by 23% this year, phishing attacks, considering their rise to fame in 2016, were bound to see an increase.
Whilst other attacks can cost more (malware averages £1.8 million and web attacks £1.5 million, compared to phishing at £1.2 million), spoofing and impersonation attacks are far more prevalent. In a recent Email Security Report by Ironscales, which surveyed 500 cybersecurity professionals, phishing attacks accounted for 90-95% of all successful cyberattacks across the globe.
Although phishing has a lower average industry cost than other forms of attack, the number of successful attacks is just one factor that makes it so dangerous. Spoofing emails distributed to employees in an organisation take the longest to resolve.
In an average phishing email distribution, an organisation can expect to spend more than 50 days trying to resolve it. Most other attacks take less than half the time.
Email remains the most commonly exploited method of attack, and this is due to cyber criminals being aware of its successful track record. In a spear-phishing email distribution, surveys have found that 50% of victims who receive the message will open it and click on the link within the first hour of receiving it.
Some emails will be circulated solely to spread malware, whereas others are used in a much more sinister and underhand way, tricking employees in order to gain credentials and sensitive corporate information.
As employees come to expect phishing emails and become wiser about what to look out for, criminals are quick to find new ways to disguise malicious emails.
New methods are being created in the dark corners of the web that find unexpected ways to spread malware and cause havoc.
The year saw the emergence of SMS text phishing, AKA smishing. The distribution aims to deliver widespread ransomware attacks to unsuspecting users of mobiles and portable devices. Since January, smishing has risen 250%.
Considering the number of successful phishing attacks out there, not many organisations will own up to being a victim as they try to maintain their reputation. So far in 2017, however, a number of well-known corporations have been caught out.
Amazon: In January this year, hackers went for Amazon customers by creating ‘legitimate’-looking deals on discounted items. They accessed buyers’ sensitive data by encouraging shoppers to input personal information when the item was marked as no longer available.
Google and Facebook: Employees of the tech companies fell victim to fraud after being targeted by a hacker who coaxed them into wiring money to overseas bank accounts.
Google Docs: Google were targeted once again in May when phishers sent a stream of fraudulent email invitations to edit Google Docs. Once opened, the link to a disguised third-party app gave the fraudsters access to victims' Gmail accounts.
The rapid increase seen in phishing attacks over the past years can be put down to its proven success rate. As word spreads among the hacker community, more and more are recognising this as a relatively low-cost method of gaining access to users' data.
The success rate of these attacks is so high because fraudulent emails are not dealt with fast enough. Many security teams have admitted it takes them over XX days to deal with suspicious messages.
It’s no secret how stretched many security employees are, with many organisations running under-staffed IT security teams. With more than 25% of phishing emails getting past cyber defences, this rise in attacks is causing the teams even more work.
With many legacy defence systems ineffective, teams lacking specialists and specifically trained employees, and phishing attacks preying on the human touch that is still needed with most technology, evading an attack can be difficult.
Which industries are targeted? In a report by Kaspersky, 1 in 8 attacks targeted financial services. Other targets include energy and industrial, retail, public services and social media platforms.
There is still plenty of the year left, but already in 2017 we have seen a number of attacks.
It’s not all doom and gloom. Some companies have reported that they have the ability to remove a phishing email attempt in as little as 30 minutes. This 22% of organisations are the ones running next-generation technology with properly educated employees who know what to look out for.
With plenty of the year still left, there is no doubt going to be a continued increase in attacks.
Reports have found the financial industry to be the biggest target, with its access to sensitive data and large sums of money: 1 in 8 attacks have involved this sector. Finance is not the only one, however; the energy and industrial sector, retail, public services and social platforms have also been popular targets.