I know you're probably tired of hearing companies harp on the dangers of phishing, but the truth is, it's a massive, ongoing, and evolving threat that everyone faces every day. We are simply trying to equip people against it. It's shockingly easy for phishers to get the data they're after, as evidenced in this recent post on X:
Thank goodness it was a fake phishing attempt...
The 2024 Data Breach Investigations Report (DBIR) by Verizon dives deep into the current state of cyber security threats, and guess what? Phishing is still a huge deal. In fact, 62% of all social engineering attacks are phishing. So, how are cybercriminals evolving?
Phishing isn’t just about those poorly written scam emails anymore. Attackers are getting really good at tricking people using legitimate-looking websites and spoofed email addresses. The report notes an increase in multi-step phishing attacks, which are basically phishing schemes within phishing schemes. It’s like Inception, but for cybercrime.
Legitimate-looking websites: Attackers are creating websites that look almost identical to the real ones. These sites can be banking portals, social media logins, or even company intranet pages. When someone visits these sites and enters their credentials, attackers capture this information and use it to gain unauthorized access.
Spoofed email addresses: Phishers are getting better at making their emails look like they come from trusted sources. Outright forging a company's real sending domain is harder where that domain publishes an enforcing DMARC policy, so attackers lean on lookalikes instead: addresses that closely resemble legitimate ones, often changing just one character or using similar-looking characters to trick the eye (e.g., replacing 'l' with '1', 'o' with '0', or 'm' with 'rn'), registering the trusted name under a different top-level domain, or putting the trusted name in the display name while the actual address behind it is something else entirely.
Multi-step phishing attacks: These attacks involve several stages. For example, an initial phishing email might direct the victim to a fake login page. Once the attacker has the login details, they might send another email from a seemingly legitimate source within the company, requesting additional sensitive information. This layered approach increases the chances of success because each step seems credible and reinforces the deception.
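The lookalike-sender tricks described above are mechanical enough to check for automatically. The script below is an added example for this post (not code from the DBIR or from any vendor product): it classifies the value of a mail's From: header against a hypothetical list of trusted domains, collapsing confusable characters ('rn' for 'm', '1' for 'l', '0' for 'o'), catching typo-squats by edit distance, spotting a trusted domain embedded inside a longer hostname, decoding punycode so non-Latin homographs are visible, and flagging display names that carry the brand while the address does not. The trusted domains and sample headers are constructed for illustration.

```python
"""Lookalike-sender detector: flag From: addresses that impersonate a trusted domain.

Added example for this post; not code from the DBIR or from any vendor product.
The trusted domains and the sample headers below are constructed for illustration.
"""
from email.utils import parseaddr

# Hypothetical set of domains the organisation actually sends mail from.
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}

# ASCII character pairs that fool the eye at a glance. Multi-character
# pairs go first so "rn" becomes "m" before "1" becomes "l", and so on.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("|", "l"),
]


def skeleton(domain: str) -> str:
    """Collapse a domain to a 'skeleton' so visually similar spellings collide.

    Punycode (xn--) labels are decoded so a non-ASCII homograph becomes visible
    to the caller; hyphens are dropped so example-bank collides with examplebank.
    """
    d = domain.lower()
    if d.isascii() and (d.startswith("xn--") or ".xn--" in d):
        d = d.encode("ascii").decode("idna")
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Classify the value of an RFC 5322 From: header.

    Returns one of: trusted, malformed, lookalike-idn, lookalike-homoglyph,
    lookalike-embedded, lookalike-typo, display-name-spoof, brand-in-domain,
    unknown. Only 'trusted' should pass without a second look.
    """
    display, address = parseaddr(from_header)
    if "@" not in address:
        return "malformed"
    domain = address.rsplit("@", 1)[1].lower()

    # The exact domain, or a real subdomain of it such as mail.example.com.
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"

    skel = skeleton(domain)
    if not skel.isascii():
        return "lookalike-idn"                    # non-Latin letters drawn like Latin ones

    for trusted in sorted(TRUSTED_DOMAINS):
        if skel == skeleton(trusted):
            return "lookalike-homoglyph"          # exarnple.com, examp1e.com
        if trusted in domain:
            return "lookalike-embedded"           # example.com.account-verify.net
        if edit_distance(skel, skeleton(trusted)) <= 2:
            return "lookalike-typo"               # exmaple.com

    # Weaker signals: the brand name shows up, but the domain is unrelated.
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if any(b in display.lower() for b in brands):
        return "display-name-spoof"               # "Example Bank" <x@other.net>
    if any(b in domain for b in brands):
        return "brand-in-domain"                  # example-secure.com
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, one per trick discussed in the post.
    samples = [
        "IT Helpdesk <helpdesk@example.com>",
        "IT Helpdesk <helpdesk@exarnple.com>",
        "Payroll <payroll@examp1e.com>",
        "Payroll <payroll@exmaple.com>",
        "Security <security@example.com.account-verify.net>",
        "Example Bank Payroll <payroll@secure-mailer.net>",
        "Billing <billing@xn--80ak6aa92e.com>",
        "Jane <jane@gmail.com>",
    ]
    for s in samples:
        print(f"{classify_sender(s):22} {s}")
```

The skeleton-and-distance approach is deliberately crude: it will flag some legitimate partners whose names happen to sit near yours, which is the right trade-off for a mail gateway rule that quarantines for review rather than one that deletes. Short brand names make the last two checks noisy, so tune the brand list rather than deriving it from every trusted domain in production.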
The report shows a rise in these layered techniques, and the defense has to be layered to match: technical controls that stop as much as possible before a person ever sees it, training programs that are updated as the lures change, and a culture in which questioning an unexpected request is treated as normal rather than rude.
Some industries are being hit harder than others. The financial and healthcare sectors are prime targets because of the money that flows through them and the sensitive personal data they handle. Speaking of financial motivations, the average cost of phishing-related breaches has increased from $3.86 million in 2020 to $4.65 million in 2024.
People are still the weakest link. The report reveals that 68% of breaches involve a non-malicious human element, meaning someone made a mistake or was talked into something. That is exactly the gap ongoing training and awareness are meant to close.
Phishing attempts come in all shapes and sizes. To stay ahead of these threats, we need a mix of strategies:
Ongoing training: Keep educating everyone about phishing. Simulated phishing exercises, like that fake vending machine email, are great for practice. Download our Phishing Field Guide to be able to recognize key indicators of phishing attacks and know how to mitigate the associated risk that accompanies them.
Better email filters: Use advanced email filtering solutions to catch phishing emails before they hit the inbox, and publish and enforce SPF, DKIM and DMARC for your own domains so that receiving servers reject mail that forges your exact addresses. Keep these systems updated to tackle new tricks.
Multi-Factor Authentication (MFA): MFA adds an extra security layer, so a stolen password on its own is not enough to get into an account. One caveat: a one-time code typed into a fake login page can be relayed to the real site just like the password, so where you can, use phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys), which is tied to the real site's address and simply won't work on a lookalike.
Incident response plans: Have a solid incident response plan ready, including how to reset credentials, revoke active sessions, and find out what a compromised mailbox was used to send. This ensures you can quickly deal with phishing incidents and reduce damage.
Phishing isn’t going away anytime soon, but by staying informed and proactive, we can seriously cut down the risks. Contact us to learn more about how we can help keep your business safe from cyber threats. Remember, the goal is to stay a step ahead and prevent phishing attacks before they happen, making the digital world a safer place for all of us.