The frequency of phishing attacks
Phishing is a huge threat and growing more widespread every year. In 2021 Tessian research found that employees receive an average of 14 malicious emails per year. Some industries were hit particularly hard, with retail workers receiving an average of 49. ESET’s 2021 research found a 7.3% increase in email-based attacks between May and August 2021, the majority of which were part of phishing campaigns.
And 2021 research from IBM confirmed this trend, citing a 2 percentage-point rise in phishing attacks between 2019 and 2020, partly driven by COVID-19 and supply chain uncertainty. CISCO’s 2021 Cybersecurity threat trends report suggests that at least one person clicked a phishing link in around 86% of organizations. The company’s data suggests that phishing accounts for around 90% of data breaches.
There’s an uneven distribution in phishing attacks throughout the year. Cisco found that phishing tends to peak around holiday times, finding that phishing attacks soared by 52% in December. We’ve written about a similar phenomenon that typically occurs around Black Friday.
How phishing attacks are delivered
96% of phishing attacks arrive by email. Another 3% are carried out through malicious websites and just 1% via phone. When it’s done over the telephone, we call it vishing and when it’s done via text message, we call it smishing. The increase in phishing attacks means email communications networks are now riddled with cybercrime. Symantec research suggests that throughout 2020, 1 in every 4,200 emails was a phishing email.
When it comes to targeted attacks, 65% of active groups relied on spear phishing as the primary infection vector. This is followed by watering hole websites (23%), trojanized software updates (5%), web server exploits (2%), and data storage devices (1%).
The most common subject lines
According to Symantec’s 2019 Internet Security Threat Report (ISTR), the top five subject lines for business email compromise (BEC) attacks were:
- Urgent
- Request
- Important
- Payment
- Attention
Analysis of real-world phishing emails revealed these to be the most common subject lines in Q4, 2020:
- IT: Annual Asset Inventory
- Changes to your health benefits
- Twitter: Security alert: new or unusual Twitter login
- Amazon: Action Required | Your Amazon Prime Membership has been declined
- Zoom: Scheduled Meeting Error
- Google Pay: Payment sent
- Stimulus Cancellation Request Approved
- Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
- RingCentral is coming!
- Workday: Reminder: Important Security Upgrade Required
Research from Cofense suggests phishing emails are slightly more likely to contain a link to a malicious website (38%) than a malicious attachment (36%).
The most common malicious attachments
2021 Tessian research suggests that PDFs are the most common type of malicious file attached to phishing emails. This trusted and versatile file format can be used to hide phishing links, run JavaScript, and deliver fraudulent invoices.
SonicWall’s 2021 Cyber Threat report suggests that there was a huge jump in the number of malicious PDFs and Microsoft Office files (sent via email) between 2018 and 2020. Workers are particularly likely to click these trusted formats. The volume of malicious Office and PDF files did start to dip in 2021, however, as some workers returned to working in the office.
However, it’s important to note—as users become more wary of opening suspicious-looking files—that many malicious emails don’t contain an attachment. In fact, 2021 Tessian research found that 76% of malicious emails did not contain an attachment.
The data that’s compromised in phishing attacks
The top three “types” of data that are compromised in a phishing attack are:
- Credentials (passwords, usernames, PINs)
- Personal data (name, address, email address)
- Medical (treatment information, insurance claims)
When asked about the impact of successful phishing attacks, security leaders cited the following consequences:
- 60% of organizations lost data
- 52% of organizations had credentials or accounts compromised
- 47% of organizations were infected with ransomware
- 29% of organizations were infected with malware
- 18% of organizations experienced financial losses
The cost of a breach
In 2021, RiskIQ estimated that businesses worldwide lose $1,797,945 per minute due to cybercrime—and that the average breach costs a company $7.2 per minute. IBM’s 2021 research into the cost of a data breach ranks the causes of data breaches according to the level of costs they impose on businesses.
Phishing ranks as the second most expensive cause of data breaches—a breach caused by phishing costs businesses an average of $4.65 million, according to IBM. And Business Email Compromise (BEC)—a type of phishing whereby the attackers hijack or spoof a legitimate corporate email account—ranks at number one, costing businesses an average of $5.01 million per breach.
That’s not the only way phishing can lead to a costly breach—attacks using compromised credentials were ranked as the fifth most costly cause of a data breach (averaging $4.37 million). And how do credentials get compromised? More often than not, due to phishing.
On the plus side, IBM found that businesses with AI-based security solutions experienced a significant reduction in the costs associated with a data breach. In fact, AI security solutions were found to be the biggest factor in cutting breach costs, from $6.71 million to $2.90 million.
According to Verizon, organizations also see a 5% drop in stock price in the 6 months following a breach. Losses from business email compromise (BEC) have skyrocketed over the last year. The FBI’s Internet Crime Report shows that in 2020, BEC scammers made over $1.8 billion – far more than via any other type of cybercrime.
And, this number is only increasing. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, the average wire-transfer loss from BEC attacks in the second quarter of 2020 was $80,183. This is up from $54,000 in the first quarter.
This cost can be broken down into several different categories, including:
- Lost hours from employees
- Remediation
- Incident response
- Damaged reputation
- Lost intellectual property
- Direct monetary losses
- Compliance fines
- Lost revenue
- Legal fees
Costs associated with remediation generally account for the largest chunk of the total. Importantly, these costs can be mitigated by cybersecurity policies, procedures, technology, and training. Artificial Intelligence platforms can save organizations $8.97 per record.
The most targeted industries
CISCO’s 2021 data suggests that financial services firms are the most likely to be targeted by phishing attacks, having been targeted by 60% more phishing attacks than the next-highest sector (which CISCO identifies as higher education). Tessian’s 2021 research suggests workers in the following industries received a particularly large quantity of malicious emails:
- Retail (an average of 49 malicious emails per worker, per year)
- Manufacturing (31)
- Food and beverage (22)
- Research and development (16)
- Tech (14)
Phishing by country
Not all countries and regions are impacted by phishing to the same extent, or in the same way. Here are some statistics from another source showing the percentage of companies that experienced a successful phishing attack in 2020, by country:
- United States: 74%
- United Kingdom: 66%
- Australia: 60%
- Japan: 56%
- Spain: 51%
- France: 48%
- Germany: 47%
Phishing awareness also varies geographically. Here’s the percentage of people who correctly answered the question: “What is phishing?”, by country:
- United Kingdom: 69%
- Australia: 66%
- Japan: 66%
- Germany: 64%
- France: 63%
- Spain: 63%
- United States: 52%
As you can see, there’s no direct correlation between phishing awareness and phishing susceptibility, which is why security training isn’t enough to prevent cybercrime.
The most impersonated brands
2021 Tessian research found these to be the most commonly impersonated brands in phishing attacks:
- Microsoft
- ADP
- Amazon
- Adobe Sign
- Zoom
The common factor between all of these consumer brands? They’re trusted and frequently communicate with their customers via email. Whether we’re asked to confirm credit card details, our home address, or our password, we often think nothing of it and willingly hand over this sensitive information. But it’s not just consumer brands that scammers impersonate. Public bodies are also commonly mimicked in phishing scams.
Between August 2020 and July 2021, the UK’s tax authority (HMRC) reported:
- More than 450 COVID-19-related financial support scams
- More than one million reports of “suspicious contact” (namely, phishing attempts)
- More than 13,000 malicious web pages (used as part of phishing attacks)
The rates of phishing and other scams reported by HMRC more than doubled in this period.
Facts and figures related to COVID-19 scams
Phishing scammers had a field day exploiting the fear and uncertainty that arose as a result of COVID-19. Crowdstrike identified the following most common themes among COVID-related phishing emails:
- Exploitation of individuals looking for details on disease tracking, testing and treatment
- Impersonation of medical bodies, including the World Health Organization (WHO) and U.S. Centers for Disease Control and Prevention (CDC)
- Financial assistance and government stimulus packages
- Tailored attacks against employees working from home
- Scams offering personal protective equipment (PPE)
- Passing mention of COVID-19 within previously used phishing lure content (e.g., deliveries, invoices and purchase orders)
And the COVID phishing surge is far from over. In December 2021, the US Federal Trade Commission (FTC) launched a new rule-making initiative aiming to combat the tidal wave of COVID scams, having received 12,491 complaints of government impersonation and 8,794 complaints of business impersonation related to the pandemic.
Phishing and the future of work
The move to remote work has presented many challenges to business—and the increased range, frequency, and probability of security incidents are among the most serious. New working habits have contributed to the recent surge in phishing because IT teams have less oversight over how colleagues are using their devices and can struggle to provide support when things go wrong.
According to Microsoft’s New Future of Work Report:
- 80% of security professionals surveyed said they had encountered increased security threats since the shift to remote work began.
- Of these, 62% said phishing campaigns had increased more than any other type of threat.
- Employees said they believed IT departments would have been able to mitigate these phishing attacks if they had been working in the office.
Furthermore, an August 2021 survey conducted by Palo Alto Networks found that:
- 35% of companies reported that their employees either circumvented or disabled remote security measures
- Workers at organizations that lacked effective remote collaboration tools were more than eight times as likely to report high levels of security evasion
- Relaxed bring-your-own-device (BYOD) usage led to increased security issues at 83% of companies
What can individuals and organizations do to prevent being targeted by phishing attacks?
While you can’t stop hackers from sending phishing or spear phishing emails, you can make sure you (and your employees) are prepared if and when one is received.
You should start with training. Educate employees about the key characteristics of a phishing email and remind them to be scrupulous and inspect emails, attachments, and links before taking any further action.
- Review the email address of senders and look out for impersonations of trusted brands or people (Check out our blog CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives for more information.)
- Always inspect URLs in emails for legitimacy by hovering over them before clicking
- Beware of URL redirects and pay attention to subtle differences in website content
- Genuine brands and professionals generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand or person directly, rather than hitting reply
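The sender and link checks in the list above can also be automated at the mail gateway or in a triage script. The following is an added example, not Tessian’s code or anything from the original post: it parses a From: header and a link’s visible text versus its real target, flagging display names and look-alike domains that trade on the brands the page names as most impersonated, and links that forward onward via a URL in their query string. The brand-to-domain mapping, the sample headers and the `.example` domain are constructed assumptions for this illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed for this example: the brands the page lists as most impersonated, each
# paired with the registered domain this example ASSUMES their legitimate mail uses.
TRUSTED_BRANDS = {"microsoft": "microsoft.com", "adp": "adp.com", "amazon": "amazon.com",
                  "adobe": "adobe.com", "zoom": "zoom.us"}

def fold(text: str) -> str:
    """Collapse common look-alike tricks: rn->m, vv->w and digit-for-letter swaps."""
    text = text.lower().replace("rn", "m").replace("vv", "w")
    return text.translate(str.maketrans("0135", "olse"))

def registered_domain(host: str) -> str:
    """Last two labels of a host (a public-suffix list would be more accurate)."""
    return ".".join(host.lower().split(".")[-2:])

def brand_lookalike(host: str) -> str:
    """Brand the host imitates, or '' when it is the brand's own domain or unrelated."""
    reg = registered_domain(host)
    return next((b for b, legit in TRUSTED_BRANDS.items() if reg != legit and b in fold(host)), "")

def check_sender(from_header: str) -> list:
    """Flag a From: header whose display name, local part or domain trades on a brand."""
    name, addr = parseaddr(from_header)
    local, _, host = addr.rpartition("@")
    findings = []
    for brand, legit in TRUSTED_BRANDS.items():
        claimed = brand in fold(name) or brand in fold(local)
        if claimed and registered_domain(host) != legit:
            findings.append(f"claims '{brand}' but is sent from {host}")
    imitated = brand_lookalike(host)
    if imitated and not findings:
        findings.append(f"sender domain {host} imitates '{imitated}'")
    return findings

def check_link(anchor_text: str, href: str) -> list:
    """Flag links whose text and target disagree, that imitate a brand, or that redirect."""
    target = urlparse(href)
    findings = []
    shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", anchor_text)
    if shown and registered_domain(shown.group(1)) != registered_domain(target.netloc):
        findings.append(f"text shows {shown.group(1)} but link goes to {target.netloc}")
    imitated = brand_lookalike(target.netloc)
    if imitated:
        findings.append(f"link domain {target.netloc} imitates '{imitated}'")
    if any(v.startswith(("http://", "https://")) for vals in parse_qs(target.query).values() for v in vals):
        findings.append(f"{target.netloc} forwards to another URL via its query string")
    return findings
```

A real deployment would back `registered_domain` with the public-suffix list and extend `fold` with Unicode confusables; the substring logic here is intentionally simple so the checks stay readable.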
But humans shouldn’t be the last line of defense. That’s why organizations need to invest in technology and other solutions to prevent successful phishing attacks. Given the year-on-year frequency of attacks, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough.
That’s where Tessian comes in. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones.