Posted on May 18, 2022
The “2021 State of the Phish Report” (covering 2020) was headlined “A Year Like No Other” – a reference to the radical changes to phishing triggered by COVID. The first paragraph of the 2022 report claimed, “We could easily have repeated that heading to describe 2021.”
Trends from that first, awful pandemic year have continued. Many phishing attacks exploited the uncertainty around the pandemic, and the ongoing prevalence of remote work has created many opportunities for cybercrime.
In this post we’ll share a few highlights and discuss ways to avoid falling victim to these and other phishing attacks.
Upward trends continued for all types of phishing. Bulk phishing was up 12%, spear and whale phishing increased 20%, and smishing, vishing, and social media attacks were all up over 20%. Business email compromise was up 18%.
TOAD attacks (telephone-oriented attack delivery) were also up. TOAD attacks often begin with an email claiming to represent some organization such as an online retailer, COVID relief fund or computer security service. The emails contain a phone number to call. Because many people are not aware that cybercriminals have call centers, they assume that the organization is above board and legit. As a result, when an email recipient calls, they may give away sensitive information or even allow the attacker to connect to their computer for “support.” Tens of thousands of TOAD attacks have been logged every day.
Another phishing variant that’s on the rise is the USB drop. In a USB drop, the attacker either sends someone a USB drive in the mail or leaves one sitting around where a victim is likely to find it. People who find a thumb drive may plug it in, either in hopes of finding the owner and returning it or to use it for themselves – without considering that it may be malicious. Thumb drives sent in the mail are usually accompanied by some cover story or incentive to encourage people to open the drive. Once the drive is inserted, it may install malicious code, allow hackers to take control of the computer, or direct the user to a phishing site where they are tricked into entering login credentials. USB drops were up 15% last year.
85% of companies surveyed experienced bulk phishing attacks, and spear phishing, BEC, and email-based ransomware attacks were each experienced by about 78% of respondents.
Among the most alarming information reported was the dramatic increase in attack success rates. 80% of organizations fell victim to at least one successful email-based phishing attack, dramatically up from 46% in 2020.
68% of successfully attacked companies surveyed were infected with ransomware, and 58% of them paid up to get access to their data. That means nearly 40% of companies surveyed had paid a ransom at some point during the year. A smaller percentage of companies, 14% of those that paid a ransom, did not get access to their data despite paying the cybercriminals.
The alarmingly high percentage of companies that paid a ransom contributes to the ongoing ransomware problem. Payments reward attackers, which, of course, encourages repeat behavior.
Two primary reasons are suggested for the increase in phishing success rates.
One small bright spot is that damages per attack fell to some extent in 2021. Damage from credential compromise dropped by 8%, direct financial loss decreased by 6%, and email-driven ransomware infections were 2% lower versus the previous year. It is small consolation, however, in the face of dramatically higher success rates of attacks.
The most common results of successful phishing attacks were compromise of customer or client data (54%), followed by credential or account compromise (48%), with ransomware (46%) in a close third place.
Many companies consider “trained users” to be the first line of defense against phishing. Sadly, the survey conclusively demonstrates that it is folly to rely on users to recognize phishing and steer clear.
Only half of users were able to correctly say what “phishing” is. Just a little over one third could do the same for “ransomware.”
Almost one third of working adults – 30% – are under the impression that emails with familiar logos are safe. They do not understand (and phishing training has not made it sufficiently clear) that cybercriminals can simply copy a Google or Microsoft logo and easily misrepresent malicious emails as legitimate communications.
Over a third of respondents (35%) believe that all files stored on a cloud service such as Google Drive or Amazon Web Services are safe. This goes a long way toward explaining why attacks using legitimate services have such a high success rate.
70% of users are not aware that their organization’s security tools might let through some dangerous email. Only 36% are aware of the fact that even internal emails can be dangerous.
The lack of knowledge among users is reflected in their failure to follow good personal cybersecurity practices. Even with the great shift to work from home, most have not taken basic steps to secure their home networks, including changing default names and passwords. 70% of users reuse passwords, so that if one password is compromised, their identities may be compromised on multiple services and sites.
Phishing was a major threat in 2020, and it grew substantially worse in 2021, increasing in both the number of attacks and their rate of success.
Data confirms what we have long claimed: Users are an unreliable line of defense against phishing attacks. 42% of users said that they had taken a dangerous action in the last year, such as clicking on a malicious link, downloading malware, or exposing their personal data.
Instead of trusting users to do the right thing, it’s better to take a Zero Trust defensive approach, which assumes that every user, email and website poses a threat, unless proven safe.
Remote Browser Isolation (RBI) is one of the most important tools for Zero Trust protection against phishing. Even if a user clicks on a malicious link in a phishing email, no malware can be installed on the user device or the network. Ericom Software’s RBI includes content disarm and reconstruct (CDR), which strips malicious content from email attachments and website downloads before they reach the user device. It also opens suspected phishing sites in read-only mode, preventing users from sharing credentials.
RBI by itself does not protect against all phishing and malware threats. That’s why Ericom Software developed ZTEdge, a comprehensive state-of-the-art Zero Trust cybersecurity platform that integrates RBI with essential security tools such as Zero Trust Network Access and Ransomware Prevention. ZTEdge was specifically designed to meet the needs of enterprises of all sizes, and is available for delivery as a service through leading managed security service providers (MSSPs).
As the new phishing data amply proves, the threat is not disappearing any time soon but is, in fact, spawning new variants that continue to draw in even sophisticated users. It’s time to stop relying on user training and to opt for the Zero Trust phishing protection that the ZTEdge platform provides. Contact us now to learn more!