Will Phishing Remain the Most Prevalent Cyberthreat in 2022

(Photo : methodshop via Pixabay)

When we think about cybersecurity and protecting a business or organization, we tend to look at the most complex things, more so than the simpler, fundamental threats. Phishing is an example of a simple but highly effective threat. 

In 2020, as the world went remote, 75% of organizations globally experienced a phishing attack. An estimated 74% of attacks targeting organizations in the U.S. were successful. 

Phishing attacks affect all types of organizations. They tend to succeed regardless of security training, industry, or organizational controls. 

There are things companies can do to safeguard against phishing. Single sign-on and multi-factor authentication, used as part of layered protection, are two of the most important. 

The following are some things to know about the threat landscape in 2022 and how to prepare for what's ahead in terms of phishing and cybersecurity in general. 

Phishing Prevalence

Above, we mentioned the prevalence of phishing attacks in 2020. In 2021, the numbers were even higher, and malware was second to those types of attacks. 

More companies in 2021 experienced a breach related to phishing than any other type of attack. 

While ransomware attacks were high-profile in 2021, just 13% of organizations surveyed by Dark Reading said they'd had a breach related to this type of attack in the past year. 

While we talk a lot about them, targeted attacks don't appear to be especially prevalent right now, especially when compared to phishing. 

Phishing attacks are likely so common, and even growing, because of remote work. Remote work, which sped up rapidly during the pandemic, creates new opportunities for cybercriminals. Employees aren't working from a physical office every day. As a result, you don't have as much control over them or their device use. 

There are also new risks that an attacker can exploit when you're scaling. For example, each time you add a new user, you also add a potential security gap. 

Phishing Attacks Are Expensive

Along with being common, phishing attacks are also expensive. Even when an attack isn't successful, it can still be costly for you as a business. In the 2021 Ponemon Cost of Phishing Study, researchers found the cost of these particular attacks has gone up nearly four times in the past six years. 

U.S. businesses lose an average of $1,500 per employee each year to phishing.

Starting in March 2020, the enormous increase in the volume of emails being sent may have had something to do with this too. More email was coming into businesses, meaning more opportunities for employees to come in contact with phishing messages. 

There were hundreds of billions of emails sent every day in 2020. This trend is only going to go up in the next few years. 

In 2022, the following are some specific phishing trends to be mindful of. 

Secure Email Gateways Are Losing Reliability

A business that relies on a Secure Email Gateway (SEG) should be aware that reliability is on the decline. SEGs are very vulnerable to cybercrime, and more and more phishing emails seem to be passing through. 

Cybercriminals have spent years working out how to get past security tools like an SEG, and now they're finally figuring out how to do that with a high rate of success. 

VentureBeat says more than two million malicious email messages were able to get past traditional email defenses, including secure email gateways, between July 2020 and July 2021. 

In April 2021, researchers found a phishing campaign that appeared as a SharePoint-related message. In the attack, the message could get past secure email gateways, including the SEG Microsoft uses. 

Acceleration of Ransomware

While ransomware wasn't the most common type of attack, it can actually be a subcategory of phishing. These types of attacks are likely to become more prevalent within this context. 

In the Emerging Risks Monitor Report from Gartner, it's suggested the threat of new models of ransomware remains the primary concern businesses face in the coming years. 

In 2021, the pace of ransomware attacks grew by 767%. 

Deepfakes and Brand Impersonation

Brand impersonation isn't new, but it's still effective for bad actors. An employee is much more likely to trust a message they get from a brand they know and interact with, so criminals can use that to their advantage. 

According to the Verizon Data Breach Investigations Report in 2021, there's a type of brand impersonation called Misrepresentation, which is significantly more common than it was just a year ago. This is a type of social engineering. It's used as a step before business email attacks. 

In one example, a bank manager in the United Arab Emirates was scammed into transferring $35 million. Hackers used voice cloning and AI in the theft. 

Hackers will likely continue to exploit AI and deepfake technology to access sensitive data. 

As for email implications, cybercriminals may be able to use language learning to develop brand impersonation emails that seem very realistic. The technology can compromise mail servers and run man-in-the-middle attacks. 

Initial Access Brokers

Phishing attacks are big business. Rather than a single hacker sending these attacks out, there are large organizations that make ransomware and data breaches their business. These groups will work with experts, including initial access brokers. 

An initial access broker is a hacker who helps breach a company network; once they do, their employer, which is the criminal organization, is given access. 

In 2022, to combat phishing and all other types of attacks, you first want to get back to the basics. 

From there, you might also consider building out a Zero Trust security framework. With Zero Trust, any device or user trying to connect with systems and applications is vetted and verified. Then, devices and users are also continuously scanned for any suspicious activity. 

Zero Trust is the best way to protect your assets in a distributed and remote work environment.

 

© 2024 Game & Guide All rights reserved. Do not reproduce without permission.
* This is a contributed article and this content does not necessarily represent the views of gamenguide.com