Area 1 Security published the results of “It Started Out With A Phish,” a new study analyzing over 31 million threats across multiple organizations and industries, with new findings and warnings issued by technical experts that every organization should be aware of. 

A key aspect to preventing attacks is having a deep understanding of cyber actor patterns and continuously monitoring and deconstructing campaigns to anticipate future ones. Phishing can be a profitable business model, and most breaches begin with a phishing email. What appears to be an innocent email from a trusted vendor or internal department can lead to firm-wide shutdowns, loss of crucial data, and millions in financial costs. 

As detailed in the report, threats ranging from ransomware, credential harvesters to difficult-to-discover but costly business email compromise (BEC) targeted inboxes, could have resulted in over $354 million in direct losses had they been successful. Unfortunately, organizations that failed to take the proper protective measures to safeguard their organizations became all too familiar with the unfortunate and costly lessons these innocuous-looking phish presented, as supply chains and critical infrastructure came under attack within the US. 

Key findings include:

• Nearly 9% of attacks used identity deception tactics such as spoofing, domain impersonation and display name impersonation. Other top tactics included credential harvesters (9.33%), compromised links (8.96%) and attachments (3.31%); 
• Just 10 brands accounted for over 56% of all spoof- and impersonation-based phishing attacks, with the World Health Organization (WHO), Google and Microsoft positioned as the top three most impersonated;
• In some cases, these spoofed emails hid BEC attacks, which represented the most significant financial damage despite low volume (1.3% of threats). On average, BEC requests sought $1.5 million—with the median being $260K;
• Despite organizations’ attempts to negate risks through end-user training, more than 92% of user-reported phish were entirely benign spam or bulk mail, flooding IT teams with thousands of false alarms.

While employees meant well with their reports, the real dangers often slipped undetected past outdated defense systems and looked legitimate enough to put even the most heightened guards at ease. For example, more than half a million threats were missed by email authentication (DMARC, SPF, DKIM) and legacy defense systems, which could have caused millions in disruptions and financial loss without interception.

“Cyber campaigns continue to be a tool for waging war against corporations, theft of intellectual property, and massive financial and data loss,” said Patrick Sweeney, CEO at Area 1 Security. “Our research found that security awareness training is only beneficial from an educational perspective but not effective in stopping threats. Around 92% of user-reported phish are not malicious and actually benign, spam, or bulk mail, which often delays IT teams from discovering and stopping actual threats. The only solution is a preemptive, cloud-based, email security solution that prevents the phish from even hitting the inboxes.”

Area 1 Security’s recommendations for effectively defending against cloud email threats include:

• Locking down identity: Secure accounts and identities by adding additional protection like multi-factor authentication (MFA). Never reuse passwords and always change default passwords.
• Establish protocols and procedures against financial fraud: Establish and train on procedures to prevent financial loss in the case of BEC and financial fraud, such as requiring multiple approvers or “out-of-band” vendor verifications for transferring funds to new accounts. Also, train them on what to do in case they fall for the phish.
• Take a zero-trust approach with email: It’s imperative to verify all communication that happens within email. Remove implicit trust by assessing the validity of messages beyond the sender to reduce risk from compromised partners. Choose a security system that can detect compromises and apply controls around compromised communications to extend zero-trust to email.

To learn more, download the “It Started Out With A Phish” report here.