5 Reasons Phishing is Your Biggest Cybersecurity Problem
Published 08/17/2023
Originally published by Abnormal Security.
Written by Callie Hinman Baron, Content Marketing Manager, Abnormal Security.
Phishing attacks generally don’t make the headlines. And if you ask a security professional to rank email attack types by the level of threat they pose to their organization, a significant percentage are going to place phishing at the bottom of that list.
But phishing attacks are a much larger issue than a lot of businesses realize. In fact, it’s not an exaggeration to say that phishing actually represents the biggest threat to your cybersecurity.
Here are five reasons you need to make preventing phishing attacks a priority.
Phishing Attacks Can Be Highly Targeted
Although some attackers still opt for simple phishing campaigns that cast a wide net and require minimal effort, many of today’s threat actors choose to launch more focused and personalized attacks—referred to as “spear phishing”.
Once a target organization is identified, attackers harvest information from social media platforms, news outlets, and the company’s own website to craft malicious messages that contain timely information relevant to the targeted employees and appear to come from known sources.
For example, a bad actor might impersonate a member of the organization’s IT team and send an email with an urgent message to install an important security patch—which actually infects the employee’s computer with malware. Or an attacker may pose as the company’s HR director and invite employees to view time-sensitive documents via an enclosed link—which redirects them to a phishing page that steals their login credentials.
In both cases, the threat actor exploits implicit trust to make the target think the email is legitimate and creates a sense of urgency to encourage the employee to act quickly.
Today’s Phishing Attacks Are Much More Convincing
In the past, phishing emails often contained several indicators that the message was malicious—e.g., the text had numerous misspellings and poor grammar and the email was from an unknown sender.
But today’s threat actors take advantage of online translation services like Google Translate and AI tools like ChatGPT to craft messages with perfect spelling, grammar, and syntax. They also spoof email addresses of trusted parties, hiding their true identities behind usernames and URLs with minor misspellings or character substitutions that are easily overlooked. Additionally, attackers leverage sophisticated social engineering tactics to prey on emotions and manipulate employees into fulfilling their requests.
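The "minor misspellings or character substitutions" in sender domains can be caught mechanically. The following is an added example (not code from the article or from Abnormal Security) that normalizes common look-alike substitutions and measures edit distance against an allow-list of trusted domains; the substitution table and the trusted domains are assumptions chosen for illustration.

```python
# Added example (not from the original article): flag sender domains that
# imitate a trusted domain through small misspellings or character swaps.
from typing import List, Optional

# Visual substitutions commonly used in look-alike domains (constructed list).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

def normalize(domain: str) -> str:
    """Collapse confusable character sequences so 'rnicrosoft' -> 'microsoft'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the two-row dynamic-programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def lookalike_of(sender: str, trusted: List[str]) -> Optional[str]:
    """Return the trusted domain that the sender's domain imitates, or None
    when the domain is exactly trusted or not close enough to be suspicious."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return None                      # exact match: legitimate sender domain
    for t in trusted:
        if normalize(domain) == normalize(t):
            return t                     # same name after homoglyph folding
        if edit_distance(domain, t) <= 1:
            return t                     # one typo away (dropped/added letter)
    return None

if __name__ == "__main__":
    # Constructed sample addresses, not real senders.
    for s in ["it-helpdesk@rnicrosoft.com", "hr@micros0ft.com", "hr@microsoft.com"]:
        print(s, "->", lookalike_of(s, ["microsoft.com"]))
```

Matches are only a signal to route the message for closer inspection; a short threshold like this will also touch legitimate sister domains, so tune the allow-list accordingly.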
Even if attackers choose to target a broader audience and impersonate a brand rather than a specific individual, they can design detailed phishing emails and intricate phishing sites that are nearly indistinguishable from the impersonated brand’s actual messages and website.
In short, bad actors have learned how to create phishing emails that wouldn’t raise any level of suspicion in the majority of employees.
One Successful Credential Phishing Attack Can Grant Access to Multiple Accounts
An email account acts as the hub for just about everything the average professional needs to do their job. Employees use their email to log into applications, link business accounts, and reset passwords. This means stealing login credentials and compromising an email account provides a multitude of opportunities to move throughout the entire application ecosystem and gain access to nearly every other account an employee has.
For instance, compromising a Microsoft 365 email account also gives the attacker access to tools like Teams, SharePoint, and OneDrive from which to harvest sensitive information and valuable data.
Additionally, once a cybercriminal has compromised an email account, they can create inbox rules that automatically forward correspondence to an alternate account, which allows them to continue collecting information without the employee knowing. They can also easily reset passwords for other accounts and lock out the real account owner.
And considering the fact that 54% of all employees reuse passwords across multiple work accounts, threat actors may not even need to change any passwords to be able to log into other accounts.
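The inbox-rule persistence described above leaves an audit trail that defenders can monitor. The following added example (not code from the article or from Abnormal Security) scans constructed mailbox audit events, shaped like Exchange Online's Operation-plus-Parameters records, for rules that forward or redirect mail outside the organization; the internal domain list and the sample events are assumptions.

```python
# Added example (not part of the original article): detect inbox rules that
# forward or redirect mail to an external address after an account takeover.
import json
from typing import Dict, List

INTERNAL_DOMAINS = {"example.com"}   # assumed: the organization's own domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample events (not real log data), one JSON record per line.
SAMPLE_EVENTS = [
    json.dumps({"UserId": "alice@example.com", "Operation": "New-InboxRule",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "collector@external-mail.test"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"UserId": "bob@example.com", "Operation": "New-InboxRule",
                "Parameters": [{"Name": "Name", "Value": "Team updates"},
                               {"Name": "RedirectTo", "Value": "team-lead@example.com"}]}),
    json.dumps({"UserId": "alice@example.com", "Operation": "MailItemsAccessed",
                "Parameters": []}),
]

def external_targets(event: Dict) -> List[str]:
    """Return forwarding/redirect recipients outside the internal domains."""
    hits = []
    for p in event.get("Parameters", []):
        if p.get("Name") not in FORWARD_PARAMS:
            continue
        for addr in str(p.get("Value", "")).split(";"):   # multi-recipient values
            addr = addr.strip().lower()
            if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
                hits.append(addr)
    return hits

def suspicious_rules(lines: List[str]) -> List[Dict]:
    """Flag rule events with external targets; also record whether the rule
    deletes the message, which hides the forwarding from the mailbox owner."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("Operation") not in RULE_OPS:
            continue
        targets = external_targets(ev)
        if targets:
            params = {p["Name"]: p["Value"] for p in ev["Parameters"]}
            findings.append({"user": ev["UserId"], "targets": targets,
                             "deletes": params.get("DeleteMessage") == "True"})
    return findings

if __name__ == "__main__":
    for finding in suspicious_rules(SAMPLE_EVENTS):
        print(finding)
```

A rule named with a single punctuation character, as in the first sample, is itself a common sign that the rule was created to stay out of sight.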
Phishing is the Most Common Type of Cybercrime
For the past two years, phishing has been far and away the most prevalent email attack type detected and blocked by Abnormal, accounting for 70% of all advanced attacks in the second half of 2022.
And since 2019, phishing has been the number one cybercrime reported to the FBI Internet Crime Complaint Center (IC3), growing by 162% between 2019 and 2022. In fact, the FBI IC3 recorded over 300,000 phishing incidents in 2022—more than five times the second most common type of cybercrime.
It’s true that, in terms of total losses, phishing falls squarely in the bottom third of all attack types tracked by the IC3, which is likely why many organizations don't regard it as a serious threat. However, what security leaders must remember is that phishing is frequently just the first step in a variety of crimes and is often used more as a “foot in the door” technique rather than the end goal.
Phishing Opens the Door to More Damaging Attacks
Although organizations often dismiss phishing as a threat because they don’t consider it to be as serious as some other attack types, the reality is that phishing emails are usually just the first stage in larger, more costly attacks.
Every email account takeover starts with a successful login, which requires valid credentials—and phishing emails are one of the most popular (and effective) ways for attackers to acquire those credentials. With the account compromised, threat actors can use that email address to send other email attacks in which they impersonate real employees and hijack ongoing conversations.
Attackers can also use phishing emails to steal login information for an organization’s banking or payment portal. With a valid username and password, bad actors can transfer money to their own accounts, redirect incoming payments, send fraudulent payment requests, and steal sensitive financial information to use in future attacks.
And according to the Cyber Resilient Organization Study from IBM Security™, 45% of ransomware attacks were initiated using phishing or social engineering.
Save Your Organization from Costly Consequences by Blocking Phishing
Traditional email security technologies like secure email gateways (SEGs) can effectively block basic phishing attacks that contain obviously malicious links or attachments, or that come from domains with known-bad reputations.
However, legacy systems lack the functionality to detect and stop sophisticated phishing messages that rely on more advanced techniques like social engineering and email spoofing. And when an employee engages with a phishing email, it immediately puts the organization at considerable risk. Whether the attack impersonates a known brand, an internal system, or a trusted individual, stopping phishing messages before they reach employee inboxes is the key to staying safe.
About the Author
Callie Baron is the Content Marketing Manager at Abnormal Security, where she owns the strategy and execution of the Abnormal Blog, helping build brand awareness and strengthening Abnormal's position as a thought leader. She is a seasoned writer and content strategist with extensive experience creating short- and long-form content exploring a broad range of topics, including B2B technology, cloud solutions, cybersecurity, e-commerce, fintech, and more.