Phishing is by far the most common form of cybercrime in 2021. Even though phishing attacks have been plaguing our inboxes since the introduction of email, many people still fall for the promises of Nigerian princes, long-lost relatives, and CEOs handing out vouchers.
What is Phishing?
Phishing is a tactic in which cybercriminals impersonate someone else to trick users into handing over sensitive information. The attacker's goal is to get you to click a malicious link that leads to a phishing website, or to download a file. When this succeeds, the attacker gains access to your information and data. These phishing emails are typically sent to a vast number of people, usually at random.
Most of the time, the phishing link or the downloadable file delivers malware. If you are directed to a fake website, it will ask for an address, name, social security number or other personal information, or for your account credentials. That sensitive data can then be sold on the black market for identity theft or fraud. That's why phishing testing services are essential: you want to be 100% sure that any file or link used within your business is safe before it is used.
Now let's take a look at the state of phishing in 2021.
Phishing is a popular attack vector for cybercriminals because, even though the hit rate of these attacks can be relatively low, these campaigns are cheap to run. In addition, all it takes is for one person to fall victim to phishing to cause significant harm to an individual or organization.
This research from Proofpoint also shows that 75% of all organizations experienced a phishing attack in 2020. Even though they found that 95% of businesses claim to deliver phishing training, employees are clearly still falling for these phishing scams.
Hijacking a legitimate user's Software-as-a-Service (SaaS) or webmail account can provide a goldmine of information for cybercriminals. These services both contain valuable information, and by using them to communicate with other users, they can continue their phishing attempts under a trusted username or email address.
The end goal of hackers is often to gain root- or admin-level access to the target system or network, as this gives them the ability to install malware, steal data, or otherwise make changes without notifying other users. With that in mind, it's not surprising that IT professionals are priority targets for phishing attacks.
Even if only one employee falls for a phishing attempt, your business will have to determine what data the cybercriminal was given and what threat that can present to your organization. Not only that, but you'll have to scan your network for malware, push all of your employees to change their passwords, and be on the lookout for follow-up attacks or phishing messages.
Data breaches are a serious threat to any modern business, particularly as an increasing number of companies are storing personally identifiable information (PII) about their customers on their servers.
Given that data breaches can cost companies millions of dollars and their reputation, and cause damage that is irreparable for years to come, tackling phishing attacks is the best way to protect your company.
Emails impersonating notifications from LinkedIn are the most successful social media phishing attacks and are clicked an astounding three times more than fake Twitter or Facebook emails. There's no apparent reason why they're so successful, but it's clear that we need to educate employees about the prevalence of these phishing messages.
Even though only 20% of employees will click a link on a phishing email, research shows that once an email has a user hooked, two out of every three will give up their information to the fake website. This goes to show that the phishing training we deliver to employees needs a significant amount of improvement.
While the common narrative is that phishing emails are sent to as many recipients as possible, new research shows that cybercriminals focus on specific, high-value targets. This is known as spear phishing. Spear phishing emails are designed from the ground up with a single recipient in mind. Once the email is sent, spear phishing works just like phishing. The person is expected to click on a link, and once they do, they are directed to a phishing website where their personal information will be stolen.
Both spear phishing and phishing are very dangerous for any business or even a regular computer user. Most cybercrime gangs focus on this method as their primary attack vector over malware or web server exploits, so all employees need to be taught how to recognize a targeted spear phishing attack.
A phishing attack often results in millions of dollars worth of damage due to stolen data, fraud, and fines. With businesses worldwide losing so much money every minute to cybercrime, it's clear that we need to do more to protect ourselves to avoid falling victim to a phishing scam.
Phishing in 2021: In Summary
Phishing is quickly becoming the most popular attack vector, particularly against high-level and valuable targets. Now more than ever, it's vital to invest in a tailored phishing awareness training course that teaches your employees how to recognize both regular and targeted phishing attacks. To keep your business safe from these attacks, ensure your team knows which links are safe to click, what is dangerous, how to identify a phishing attempt, and how to verify that a site is legitimate. You can also install security software on all your company's computers to ensure personal details and company information are kept safe. This will help immensely in preventing problems caused by phishing emails.
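The checks above (spotting brand impersonation such as the fake LinkedIn notifications mentioned earlier, and verifying where a link really goes) can be partly automated on the mail-gateway side. The following is an added example, not code from the original article: a small set of defensive heuristics run over the From header and the links extracted from an email body. The brand allow-list, the sample messages and the triage thresholds are constructed assumptions for illustration; a real deployment would maintain the allow-list from vendor documentation and use a public-suffix library for domain extraction.

```python
"""Heuristic phishing-indicator checks over parsed e-mail fields.

Added example for illustration; brand/domain allow-list, sample messages
and triage thresholds are assumptions, not data from the article.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: brands and the domains they legitimately send from / link to.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
    "twitter": {"twitter.com"},
    "facebook": {"facebook.com"},
}


def registrable_domain(host):
    """Crude registrable-domain extraction: last two labels (no public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_mentioned(text):
    """Return the brand names that appear in free text (display name, host name)."""
    lowered = text.lower()
    return {brand for brand in BRAND_DOMAINS if brand in lowered}


def looks_like_url(text):
    """True if anchor text itself is presented as a URL (a domain the user will read)."""
    return re.match(r"^(https?://|www\.)", text.strip(), re.I) is not None


def host_of(url):
    """Parse a URL (scheme optional) and return (hostname, parsed result)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower(), parsed


def analyze_email(from_header, links):
    """Return a list of (indicator, detail) findings for one message.

    from_header: raw From: header value, e.g. 'LinkedIn <x@y.example>'
    links:       list of (anchor_text, href) pairs extracted from the HTML body
    """
    findings = []
    display_name, addr = parseaddr(from_header)
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""

    # 1. Display name claims a brand, but the sending domain is not that brand's.
    for brand in brand_mentioned(display_name):
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(("sender_brand_mismatch",
                             f"display name '{display_name}' claims {brand}, sender domain is {sender_domain}"))

    for text, href in links:
        host, parsed = host_of(href)
        link_domain = registrable_domain(host)

        # 2. Anchor text shows one domain, the href actually goes to another.
        if looks_like_url(text):
            text_host, _ = host_of(text)
            if registrable_domain(text_host) != link_domain:
                findings.append(("anchor_href_mismatch", f"text shows {text_host}, link goes to {host}"))

        # 3. Host name contains a brand name but is not one of that brand's domains (lookalike).
        for brand in brand_mentioned(host):
            if link_domain not in BRAND_DOMAINS[brand]:
                findings.append(("lookalike_domain", f"{host} resembles {brand}"))

        # 4. Raw IP literal as host, or credentials in the URL (user@host) that hide the real destination.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(("ip_literal_host", href))
        if parsed.username is not None:
            findings.append(("userinfo_in_url", href))

    return findings


def verdict(findings):
    """Map findings to a coarse triage label (thresholds are assumptions)."""
    kinds = {kind for kind, _ in findings}
    if kinds & {"sender_brand_mismatch", "lookalike_domain", "anchor_href_mismatch", "userinfo_in_url"}:
        return "likely_phishing"
    return "review" if kinds else "no_indicators"


# Constructed sample messages (not real mail). Example domains per RFC 2606 / RFC 5737.
PHISH_FROM = "LinkedIn <notifications@linkedin-security.example>"
PHISH_LINKS = [
    ("https://www.linkedin.com/messaging", "http://linkedin-security.example/login"),
    ("Accept invitation", "http://198.51.100.7/li/accept"),
]
LEGIT_FROM = "LinkedIn <messages-noreply@linkedin.com>"
LEGIT_LINKS = [("View message", "https://www.linkedin.com/messaging/")]

if __name__ == "__main__":
    for label, frm, links in (("phish", PHISH_FROM, PHISH_LINKS), ("legit", LEGIT_FROM, LEGIT_LINKS)):
        found = analyze_email(frm, links)
        print(label, verdict(found))
        for kind, detail in found:
            print("   ", kind, "->", detail)
```

Each indicator on its own is weak (legitimate marketing mail sometimes links through third-party tracking domains, for instance), which is why the verdict combines them and why the output is meant to feed a quarantine or analyst review queue rather than block mail outright.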
Remember, your employees are your first line of defense against cybercrime, so it's up to you to teach, empower, and strengthen their resolve against the resurgence of phishing attacks.