*Post Updated in April 2021
Phishing attacks rose by 220% at the peak of the pandemic. Even with the development of new and sophisticated cybersecurity technologies to keep the bad guys out of our networks, phishing is still the most common and successful type of attack. Why is this so?
Well, because it works! To put it simply, phishing scams are very versatile and can be easily altered to suit the type of employee they target. Cybercriminals prefer phishing attacks because tricking a person is often easier than breaching a system, and it makes the delivered malware less conspicuous.
Here are a few underlying reasons why phishing attacks work so well.
1. Phishing attacks are not a one-shot-only approach
One of the most significant advantages of phishing attacks is that attackers can easily customize them to suit their intended victim. For example, suppose criminals are planning to target an employee in the marketing department. In that case, they’d alter the email to include something related to that department, its leadership team, an upcoming event or project, etc., to make it look legitimate. Similarly, if they target someone in sales, they would change the content to make it more appealing to that department’s employees, job responsibilities, etc.
In addition to customizing the emails to suit the different employees they are targeting, criminals can also alter the emails to take advantage of real-life crises. At the onset of the pandemic, there was an exponential increase in the number of phishing emails related to COVID-19. RiskIQ analyzed 89,658 spam emails in their own inboxes alone containing either “corona” or “covid” in the subject line. These emails were made to deliver malware, harvest credentials, or ask for donations to fake charities.
This versatility lets criminals exploit the unfamiliarity that plagues the modern working environment, which goes a long way toward explaining why these attacks are so effective.
2. There are different avenues for attack
In addition to the different types of phishing, like whaling and spear phishing, there are multiple avenues through which criminals can attack. Although phishing emails are the most common, phishing attacks also occur through SMS, social media, and even phone calls. According to Verizon, 33% of breaches in 2019 consisted of social media attacks. 60% of enterprises also reported phishing attacks that took place through WhatsApp and Messenger (smishing) and phone calls (vishing), all in 2020.
3. A lack of Cyber Culture leads to human error
Employees are only going to be as adept as the training that is provided to them. In an organization where cyber awareness isn’t valued, the risks will be tenfold, as the employees won’t have been trained on what to do and what not to do.
Sometimes, the training offered by organizations isn’t really effective. A 2010 McKinsey and Company report found that only 25% of companies felt that training programs had a measurable improvement in performance. The reason stated by the employees was that while the training was informative, the material was dense and not easy to retain. Organizations can instead go beyond this traditional sense of training and offer new and engaging ways for employees to learn, for example by using micro-learning (learning in small units) to teach employees relevant material.
It is a common practice for companies to send phishing simulation emails to their employees regularly to keep them on their toes. This helps employees recognize phishing emails that reach their inbox and act appropriately in these scenarios. However, even if companies properly run phishing simulation training, they have to properly analyse the data obtained after the simulations to identify their weakest links and strengthen them. It is thus up to each organization how prepared it wants to be in dealing with these problems.
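One way to act on that simulation data, as an added example that is not part of the original post: the script below scores constructed campaign results per department and ranks the groups that need follow-up training first. The department names, target rates and records are all assumed sample values.

```python
# Added example (not from the original post): turning phishing-simulation
# results into per-department metrics so the weakest groups get follow-up
# training first. All records and thresholds below are constructed samples.
from collections import defaultdict

# Constructed sample: one tuple per simulated email sent, as
# (department, clicked_link, submitted_credentials, reported_to_security).
SIMULATION_RESULTS = [
    ("Marketing", 1, 1, 0), ("Marketing", 1, 1, 0), ("Marketing", 1, 0, 1), ("Marketing", 0, 0, 0),
    ("Sales", 1, 0, 1), ("Sales", 1, 0, 0), ("Sales", 0, 0, 1), ("Sales", 0, 0, 0),
    ("Finance", 0, 0, 1), ("Finance", 0, 0, 1), ("Finance", 0, 0, 1), ("Finance", 0, 0, 1),
]


def department_metrics(results):
    """Return {dept: {"sent", "click_rate", "submit_rate", "report_rate"}}."""
    tallies = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for dept, clicked, submitted, reported in results:
        t = tallies[dept]
        t["sent"] += 1
        t["clicked"] += clicked
        t["submitted"] += submitted
        t["reported"] += reported
    return {
        dept: {
            "sent": t["sent"],
            "click_rate": t["clicked"] / t["sent"],
            "submit_rate": t["submitted"] / t["sent"],
            "report_rate": t["reported"] / t["sent"],
        }
        for dept, t in tallies.items()
    }


def weakest_links(results, max_click_rate=0.2, min_report_rate=0.5):
    """Departments that miss either target rate (assumed thresholds), ordered
    worst first: highest credential-submission rate, then highest click rate."""
    metrics = department_metrics(results)
    flagged = [
        dept for dept, m in metrics.items()
        if m["click_rate"] > max_click_rate or m["report_rate"] < min_report_rate
    ]
    return sorted(flagged, key=lambda d: (metrics[d]["submit_rate"], metrics[d]["click_rate"]), reverse=True)


if __name__ == "__main__":
    for dept in weakest_links(SIMULATION_RESULTS):
        print(dept, department_metrics(SIMULATION_RESULTS)[dept])
```

Tracking the report rate alongside the click rate matters: a department that clicks but also reports quickly gives the security team an early warning, while one that clicks silently does not.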
What kind of damage can phishing attacks cause?
Phishing attacks are ultimately carried out to take money from companies and individuals by illegally extracting data from them. The resulting data breach can cause enormous losses to organizations, both directly in financial terms and through lost future profits as the organization’s reputation suffers.
According to research conducted by Cisco, around 53% of all attacks resulted in financial losses of more than $500,000 USD and loss in customer opportunities. When an organization is exposed to a data breach, it showcases to all potential customers that their data won’t be in safe hands if they do business with them. There have also been instances where a company’s stock price dropped after disclosing a data breach. The share price of companies that were hit by data breaches fell by 3.5% on average.
With the emergence of data regulations such as the General Data Protection Regulation (GDPR), companies that undergo data breaches are exposed to heavy fines. This is intended to minimize lax cybersecurity within organizations. Companies that breach the GDPR, for example, pay a fine of 20M Euros or 4% of annual turnover, whichever is greater. A famous example is Equifax’s agreement to pay $575M as a consequence of the data breach that took place in 2017.
Since every single person who has access to any form of data is a target for phishing attempts, the responsibility to prevent breaches resulting from such attacks falls on every single individual in the organization. Therefore, maintaining employees’ cyber awareness level is crucial to defending the company against the looming cybercrime threats.
It is paramount that organizations help prepare their employees to prevent and identify these types of fraud. The more established the Cyber Culture is within your organization, the more adept your employees will be at protecting your valuable data.