F-Secure recently conducted a phishing simulation attack in collaboration with four multinational organizations. The simulated phishing attacks, which targeted 82,402 workers, revealed key insights into why phishing attacks remain a prevalent cybersecurity threat.
In the study, the workers were targeted with four types of phishing emails: a message purporting to be from HR, a spoofed document-sharing message, a fake CEO message, and a fake notification of a service failure.
In the study, both technical and non-technical teams opened the phishing emails, but non-technical teams reported the attacks more. According to the study, the median reporting time for phishing attacks was 30 minutes, despite about 25% of recipients opening the phishing emails within the first five minutes.
So why do phishing attacks remain a prevalent cybersecurity threat? Let’s look at some of the common phishing attacks and the risks they pose to businesses as well as the possible steps you can take to prevent them.
What Makes Phishing Attacks Effective?
In the study, IT personnel were as susceptible to phishing attacks as those in other departments. This is despite IT and DevOps teams reporting that they had noticed a higher likelihood of phishing attacks in the past.
What this study highlighted is that general IT literacy and phishing awareness do not reduce susceptibility to phishing attacks. Reporting rates were also almost the same for technical and non-technical users.
What made a difference in the rate of reporting was the reporting mechanism in place. Organizations that had a reporting mechanism for all workers saw staff report 47% of the phishing emails as suspicious. Those without a reporting system saw only 11% of the emails reported as suspicious.
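The study's headline figures (open rate in the first five minutes, reporting rate, median time to report) are the metrics a security team computes after each simulation. The script below is an added example, not F-Secure's tooling; it computes those metrics, plus how many opens happened before the first report reached the security team, from a constructed event log.

```python
"""Phishing-simulation metrics of the kind the F-Secure study reports.

Added example, not F-Secure's own tooling. The event log is constructed:
one row per (user, event, minutes since the email was delivered).
"""
from collections import defaultdict
from statistics import median

# Constructed sample campaign log: (user, event, minutes_after_delivery).
# Events: "opened" (user opened the email), "reported" (user reported it).
EVENTS = [
    ("alice", "opened", 2), ("alice", "reported", 15),
    ("bob", "opened", 4), ("bob", "reported", 45),
    ("carol", "opened", 12),
    ("dave", "opened", 3), ("dave", "reported", 30),
    ("erin", "opened", 60), ("erin", "reported", 70),
    ("frank", "reported", 8),            # reported without opening
    ("grace", "opened", 1), ("heidi", "opened", 90),
]
RECIPIENTS = 10   # everyone the simulation was sent to, including non-openers


def campaign_metrics(events, recipients, early_window=5):
    """Return open/report rates, median report time and exposure before the first report."""
    first = defaultdict(dict)          # user -> {event: earliest minute seen}
    for user, event, minute in events:
        first[user][event] = min(minute, first[user].get(event, minute))
    opened = [t["opened"] for t in first.values() if "opened" in t]
    reported = [t["reported"] for t in first.values() if "reported" in t]
    first_report = min(reported) if reported else None
    return {
        "open_rate": len(opened) / recipients,
        "early_open_rate": sum(1 for m in opened if m <= early_window) / recipients,
        "report_rate": len(reported) / recipients,
        "median_report_minutes": median(reported) if reported else None,
        # Opens before anyone reported: the window in which a real attack would
        # have run with no signal at all reaching the security team.
        "opens_before_first_report": (
            sum(1 for m in opened if m < first_report) if reported else len(opened)
        ),
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(EVENTS, RECIPIENTS).items():
        print(f"{key}: {value}")
```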
Common Types of Phishing Attacks
Phishing attacks are a form of cyberattack designed to take advantage of human weaknesses. When successful, these social engineering attacks are especially damaging because they are harder to detect and go unnoticed for longer.
Attackers can target these messages to a blanket group, or design them to attack a specific person within an organization.
1. CEO Fraud
CEO fraud is a type of phishing attack where cyber criminals spoof email accounts to impersonate a company's executive staff. These attacks are a type of business email compromise. CEO fraud has become so extensive that, according to the FBI, it is now a $26 billion scam that has infiltrated all 50 states and more than 140 countries worldwide.
The goal of these attacks is to obtain confidential financial information or funds. Businesses that conduct wire transfers or work with foreign suppliers are the most common victims of BEC attacks.
In CEO fraud, the attackers rely on spear-phishing tactics, meaning they first research the target victim, before reaching out with their impersonation email.
Most people fall for CEO fraud as it takes advantage of the authority an executive has in the company. Criminals exploit this authority and trust to trap the victims into sending sensitive information or money.
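Because CEO fraud relies on a spoofed or look-alike sender carrying an executive's name, one defensive check is to compare the display name of an inbound message against an executive directory and flag mismatches in the sender domain or Reply-To. The code below is an added example, not from the original article; the corporate domain, executive directory and sample message are all constructed.

```python
"""Flag inbound mail whose display name matches an executive but whose sender
or Reply-To address is outside the corporate domain (a common CEO-fraud pattern).

Added example; the domain, directory and sample headers are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                      # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # constructed directory


def _domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def exec_impersonation_findings(raw_message):
    """Return the reasons (if any) a message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []
    key = name.strip().lower()
    if key not in EXECUTIVES:
        return findings                     # not claiming to be an executive
    if _domain(addr) != CORPORATE_DOMAIN:
        findings.append(f"display name '{name}' but sender domain '{_domain(addr)}'")
    elif addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{name}' but address '{addr}' is not the directory entry")
    if reply_to and _domain(reply_to) != CORPORATE_DOMAIN:
        findings.append(f"Reply-To '{reply_to}' is outside the corporate domain")
    return findings


# Constructed sample: external mailbox carrying the CEO's display name.
SAMPLE = """From: Jane Doe <jane.doe.ceo@mail.invalid>
Reply-To: Jane Doe <jane.doe.ceo@mail.invalid>
To: payroll@example.com
Subject: urgent wire

Please process the wire today, I am in a meeting.
"""

if __name__ == "__main__":
    for finding in exec_impersonation_findings(SAMPLE):
        print("FLAG:", finding)
```

The same check can be fed from the mail gateway's header log; it complements, rather than replaces, SPF/DKIM/DMARC enforcement on the corporate domain.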
2. Document Share Email Attacks
Document share email attacks mimic notifications from a well-known document sharing brand. These types of attacks are popular as people are more likely to open documents and attachments that seem to come from legitimate parties.
To run a file-sharing scam, the criminal must first take over an email account. The first step is a phishing attack in one of its forms, such as impersonating the file-sharing service.
When a person enters their login details, the cybercriminal takes over their email account. The criminal then uses the account to send messages with a link to a document in order to collect even more credentials.
Such attacks can snowball for as long as the attacker wants or until an organization notices the scam. One of the popular document sharing email attacks was the 2017 Google Doc File sharing scam. In the scam, cybercriminals impersonated a Google Docs request.
In the attack, the victims would receive a "notification" that they were added to a document. Clicking on the attached link brought the victim to a Google login screen. The credential theft began when a user entered their username on the login screen. A malicious program would grant access to a user’s email and contacts.
3. HR Phishing Scams
Cybercriminals use HR phishing scams to impersonate HR staff. These attacks take advantage of the transition to remote work to get the victims to disclose sensitive business or personal information.
Most of the topics these cybercriminals target in HR-related phishing schemes include:
- Vacation policy updates
- Dress code changes
- Remote work policy update
- ACH payment receipt
- Security training
- Salary adjustments
- Organizational changes
What makes these phishing attacks successful is that criminals design them to feel as natural as HR-employee communication. They address you by your name and highlight issues that would be captivating to the recipient such as the ones listed above.
Such personalization creates an additional element of trust, which increases the chances that those targeted will respond with the cybercriminal's desired action.
4. Service Issue Notification
Service issues are common, which is why cybercriminals disguise their malicious messages as service issue notifications. Some of the commonly associated phishing scams include:
- Server notifications claiming that additional safety measures are needed to secure your email account. To keep the account "safe", you are required either to provide a recovery mobile number or to add another mobile number, supposedly to prevent the suspension or deactivation of your email account.
- Notifications of unreceived or undelivered emails due to system delays. This scam also requires you to click a provided link to fix the supposed "issues". The link leads to a sign-in page that collects your information.
Consequences of Phishing Scams
The study F-Secure conducted was in a controlled environment and no sensitive information was desired from the respondents. However, criminals exploiting social engineering attacks intend to steal personal and confidential business information or money from businesses.
The effects of successful phishing scams are far-reaching, with some businesses failing in the aftermath of these incidents. According to IBM's 2021 Cost of a Data Breach Report, the average cost of a data breach rose from $3.86 million to a new high of $4.24 million, a 10% increase between 2020 and 2021.
Broken down by the initial cause of the breach, phishing was the second costliest, at $4.65 million per breach, with compromised credentials costing businesses $4.27 million. Business email compromise, which is considered a type of phishing attack, was responsible for 4% of data breaches but cost businesses an average of $5.01 million. Stolen credentials were also the starting point of 20% of all data breaches.
The damage from phishing scams does not stop at the financial consequence. Most companies that fall victim to a phishing scam take a hit to their reputation as well. Companies that have fallen for phishing scams, subsequently becoming victims of data breaches, become associated with cybersecurity risks which can have lasting consequences on their revenue.
Customers also tend to lose trust in a business that falls prey to cyberattacks. For instance, after the 2018 data breach Facebook suffered, the company's valuation dropped by $36 billion. The reputational damage gets worse when an organization is known to repeatedly fall for cyberattacks, which makes a robust cybersecurity program a necessity.
The Human Firewall
Cybersecurity training for both technical and non-technical teams is a critical part of a comprehensive cybersecurity plan. But training alone is not enough to reduce the threat your workforce presents to your security, which creates the need for what is referred to as a human firewall.
A human firewall is the body of employees who support your company's cybersecurity defense efforts by actively looking out for suspicious emails and online threats and reporting incidents that could endanger your organization.
One way of building it is to ingrain in your employees the habit of reporting suspicious activity. Most organizations run cybersecurity drills in which they send phishing simulation messages to employees every quarter.
Such a frequency is not enough to create the habit of automatically reporting suspicious emails. Running the same simulation several times a month is more likely to build the habit and the sensitivity to phishing attacks, increasing the likelihood that your organization notices threats and stops them before they cause lasting damage.
Simplifying the reporting process also goes a long way in encouraging users to report suspicious emails they receive. For example, if the report button appears within the email, more employees are likely to report it, which makes the process of identifying, isolating, and neutralizing threats easier.
Phishing attacks continue to succeed against organizations as both technical and non-technical teams are susceptible to these scams. This means that the knowledge of what phishing attacks are and how they work is not enough to fully protect your organization from phishing attacks. Instead, organizations have to look for ways to reinforce cybersecurity best practices. Some of these include repeated phishing simulation drills and establishing a robust reporting mechanism to help employees notify the cybersecurity team when they receive suspicious emails.