Cyber security update: 2023’s phishing tactics

Since the pandemic, email use has been rising rapidly. With more email use, comes greater risk of email-borne cyber threat. This article explores the latest research into phishing activity to help you be prepared and minimise the phishing risk to your organisation.

Mimecast’s The State of Email Security 2023 report posits that cyber risk now commands the C-Suite’s attention. Seventy-six percent of those surveyed expect an email-borne attack will have serious consequences for their organisations in the coming year. 

This awareness is good news for cyber security leaders – provided that the C-Suite focus is accompanied with investment and resources.

Yet, the same report also highlights that the majority of data breaches can be tracked back to human error. By some estimates, 97 percent of users can’t recognise a crude phishing email when they receive one. C-Suite focus doesn’t automatically translate into wider staff understanding.

Email threats are on the rise

What does this mean for your cyber security policies? And, in particular, what does it mean for dealing with the threat of email-based attacks, including phishing? 

Mimecast says email remains the primary route of attack. With 82 percent of companies reporting a higher volume of email compared with the previous year, the risk is growing. Note that this builds on 79 percent reporting a rise in 2021 and 81 percent reporting a rise in 2020.

Unfortunately, this rise in email communications does directly translate into more email-based threats. According to the 2023 Mimecast survey, 74 percent of organisations have seen the number of malicious emails rise over the last year. When it comes to phishing specifically, 71 percent of large enterprises reported a significant rise in phishing attempts. This compares against 59 percent of smaller organisations reporting a significant rise in phishing.

Even for those not reporting a rise, such attacks remain widespread. Ninety-seven percent of respondents to the Mimecast survey said that their organisation had been the target of a phishing attack in the last year. In fact, it is estimated that 90 percent of corporate security breaches are the result of phishing.

Some tried and tested methods of attack continue

Similarly, Proofpoint has warned of ongoing developments in the threat landscape. The security software vendor has investigated how attack chains have become more varied and delivery mechanisms are being rapidly tested and discarded. In its The Human Factor 2023 report, it warns that threat actors have begun to match their ingenuity to new-found patience.

The Proofpoint report warns that abusing our trust in familiar brands remains one of the cyber criminals’ favourite tactics.  Its research shows that the top five abused and impersonated brands are: Microsoft 365, Microsoft Outlook, Amazon, Microsoft Excel Online and Microsoft SharePoint.

This impersonation tactic follows through to phishing attempts carried out on mobile phones (also known as “smishing”). Smishing activity tends to focus on package delivery notifications, with malicious actors impersonating delivery groups and ecommerce brands. This is a growing problem. Proofpoint reports that conversational attacks via mobile devices saw a twelve percent increase last year. 

Protecting yourself against phishing activity

Given the astonishing statistic around the lack of ability of staff to recognise a crude phishing email, it is clear that staff email security awareness training that focuses on helping people to recognise a phishing attempt remains worth investing in. This training needs to be regularly repeated and refreshed.

The Mimecast survey highlights respondents’ fears that they are well enough equipped to deal with the threat. It says 94 percent of respondents thought additional security measures are needed to supplement their Google Workspace or Microsoft 365 platforms’ native security functions.

While the native tools in Microsoft 365 might not be enough on their own, the other security tools within your Microsoft Enterprise licensing agreement should be enough to strengthen your security posture significantly. In addition to fine-tuning your email security policies, this includes deploying other security options, including multi-factor authentication tools, Microsoft Defender and setting appropriately tough policies in Autopilot, InTune and Security Centre.

What next?

If you need help to strengthen your email security policies or configurations, please reach out to the Grant McGregor team.

Similarly, if you would like to find out more about the cyber security awareness training we offer which can help you staff to learn how to recognise phishing attempts, please see more here: https://www.grantmcgregor.co.uk/cyber-security/safer-people 

For additional help or advice, get in touch.

Call us: 0808 164 4142

Message us: https://www.grantmcgregor.co.uk/contact-us 

Further reading

You can find more ideas and advice about cyber security elsewhere on the Grant McGregor blog, including our latest articles published for October's Cybersecurity Awareness Month 2023:

• What can we learn from the NCSC’s sixth Active Cyber Defence report?
• What do we know about the Electoral Commission data breach? And what can we learn from it?
• Update yourself on the latest thinking about ransomware
• The problem of shadow IT – and how to get the human factor right in cyber security
• New changes to Cyber Essentials for 2023
• What is a watering hole attack? And how can you protect against it?
• Do your backups include this important information?
• Tips for successfully implementing a zero-trust approach to cyber security