Despite the cliché image of the hooded hacker ensconced in an underground base, furiously breaking through firewalls and other digital security mechanisms, the reality of cybercrime is often much less dramatic. A large share of cyberattacks begin with an ordinary piece of digital communication, such as an email or text message, that carries malicious content. Once a recipient opens the attachment, follows the link, or types credentials into a fake login page, the attacker has a foothold from which to access systems, steal money and identities, and so on.
This broad category of cyberattack is known as social engineering: the deception and manipulation of people in an effort to persuade them to willingly hand over sensitive information or click a malicious link. Among all the forms of social engineering, phishing is by far the most common. Phishing works much as its name implies: cybercriminals cast a wide net of fraudulent messages, each carrying a malware-laden attachment, a link to a malicious or compromised website, or a direct request for login details, and once they "catch" a victim, they gain access to that person's accounts.
Considering the ubiquity of phishing attacks, any cybersecurity platform has to put them front and center. With that in mind, here are the top five things you need to know about phishing.
1. Phishing is the most common cyberattack.
According to the FBI's Internet Crime Complaint Center, there were more than 241,000 reported victims of phishing in 2020, more than twice the count for the second-most-frequent type of complaint. There are several reasons phishing is one of cybercriminals' go-to tactics: first, the barriers to entry are low, as phishing requires little technical expertise. Second, phishing works, costing victims tens of millions of dollars in reported losses every year. And third, phishing lets a criminal attack a large number of targets at once for almost no additional effort.
Many victims of cyberattacks don’t report these crimes to the FBI or any other agency, so the number cited above is almost certainly a significant underestimate.
2. Phishing attacks exploded during COVID-19.
The COVID-19 pandemic was a bonanza for cybercriminals. Millions of people suddenly lost their jobs, misinformation became rampant, and fear surged as the virus rapidly spread around the world – an ideal environment for scammers to hook victims with fake government alerts and health information, fraudulent offers of remote work, and even requests for donations to phony healthcare charities. A study by F5 Labs found that phishing attacks increased by 220 percent as anxiety about the pandemic reached its peak.
The influx of phishing attacks amid the pandemic is a reminder that cybercriminals are always adapting to new circumstances. Phishing is an especially versatile type of cyberattack, which means employees should always be on their guard – especially during a crisis like COVID-19 or an economic downturn.
3. Employees are especially susceptible to phishing attacks.
One of the reasons phishing is such a pervasive and destructive type of cyberattack is that it exploits universal psychological vulnerabilities. A 2017 study of phishing attacks found that the email subject lines which convinced victims to click often invoked urgency or authority, such as (ironically) "Official Data Breach Notification," "Your Password Expires in Less Than 24 Hours," and "Please Read Important from Human Resources." Cybercriminals who launch phishing attacks frequently try to intimidate victims by posing as an authority figure or as a representative of a legitimate organization, and the impersonation extends to the links themselves: F5 Labs found that 55 percent of phishing sites used recognizable brand names and identities in their URLs.
These are all reminders that cybercriminals know which psychological buttons to push, which is why it’s no surprise that phishing attacks work over and over again.
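The brand-in-URL pattern that F5 Labs describes can be checked mechanically. The script below is an added example, not code from the original article or from F5 Labs: it extracts the registrable domain of a URL and flags any URL that mentions a known brand in its hostname or path while actually belonging to a different registered domain. The brand-to-domain table, the abbreviated public-suffix list, and the sample URLs are all constructed for this illustration.

```python
from urllib.parse import urlsplit

# Constructed for this example: brands and the domains they legitimately use.
# A real deployment would load this from the organisation's own allow-list.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "live.com", "office.com"},
    "apple": {"apple.com", "icloud.com"},
}

# Abbreviated stand-in for the Public Suffix List (assumption: production code
# would use the full list, e.g. via the `tldextract` package).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the registrable domain: the label immediately left of the public suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_impersonation(url):
    """Return (brand, reason) if the URL name-drops a brand it does not belong to, else None.

    A brand name that appears in the subdomain or path of a URL whose registrable
    domain is not one of the brand's own domains is the classic lookalike pattern,
    e.g. paypal.com.<attacker-domain>/login or <attacker-domain>/microsoft/.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return None
    reg = registrable_domain(host)
    haystack = host + parts.path.lower()  # the brand may sit in the host or the path
    for brand, legit_domains in BRAND_DOMAINS.items():
        if brand in haystack and reg not in legit_domains:
            where = "hostname" if brand in host else "path"
            return brand, f"'{brand}' in {where} but registrable domain is {reg}"
    return None


# Constructed sample URLs; none of these are real phishing sites.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "https://paypal.com.account-verify.example/login",
    "http://secure-update.example/microsoft/office365",
    "https://login.microsoft.co.uk.example.net/",
    "https://news.example.org/articles/2020",
]


def scan(urls):
    """Map each URL to its impersonation finding (or None if it looks clean)."""
    return {u: brand_impersonation(u) for u in urls}


if __name__ == "__main__":
    for url, finding in scan(SAMPLE_URLS).items():
        print(f"{'FLAG ' if finding else 'ok   '} {url}" + (f"  ({finding[1]})" if finding else ""))
```

The check is deliberately a heuristic: plain substring matching will flag "pineapple.example" for "apple", and it does nothing about homoglyph or punycode (`xn--`) domains, which need a separate confusable-character check. In practice it is most useful as one signal feeding a mail gateway or a training tool that shows employees why a link that "says PayPal" is not PayPal.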
4. Phishing attacks are often successful.
When PwC ran a simulated phishing campaign against financial institutions, 70 percent of the emails were delivered and 7 percent of recipients clicked the malicious links. Since a single click or a single set of stolen credentials can be enough for a criminal to steal sensitive information, leak or sell it, and do lasting harm to a company's reputation, that click rate is far too high. According to Verizon's most recent Data Breach Investigations Report, phishing was involved in a quarter of all breaches analyzed for 2019, a proportion that rose to 36 percent in the following year's data.
IBM reports that the average cost of a data breach is $3.86 million and that it typically takes 280 days to identify and contain one. It has never been clearer that companies need to teach their employees how to spot and report phishing attempts.
5. Phishing attacks can be prevented.
Although phishing attacks seem to be rising inexorably, there is plenty companies can do to avoid becoming victims. When employees are taught which warning signs to look for, they become capable of recognizing when an email or other digital communication is likely a phishing attempt. When the Department of Homeland Security audited one of our clients (which had been providing employees with cybersecurity awareness training since 2016), it ran a simulated phishing attack to see how staff would respond. Of the 600 employees tested, only one fell for it.
What makes phishing so attractive to cybercriminals is its accessibility – anyone can send a fraudulent email. Although some of these emails contain malware, many simply ask directly for login credentials or sensitive account information. This is a reminder that the first and last line of defense against phishing is always employees themselves.