Through 2020 and 2021, organisations have had a double-whammy to contend with when it comes to cyber threats. With staff working remotely, they have less oversight. Yet, the activity of hackers and cyber criminals has stepped up a gear.
According to Proofpoint - a leading cybersecurity company who provide software & products to help enhance and protect business security - and their State of the Phish 2022 report, reports of phishing attacks were up across the board. Here in the UK, 91 percent of organisations reported being subject to a phishing attack last year.
Inevitably, “bulk” phishing attacks are most common. This approach continues to be exploited by hackers. The number reported in 2021 was up 12 percent on 2020 figures.
Other types of phishing attacks are also on the rise. Spear phishing attacks (more targeted email phishing attacks in which cyber criminals profile and target key leaders within an organisation) were up 20 percent last year.
Another type of targeted attack saw a similar increase. Business email compromise (which includes payroll redirect and supplier invoicing fraud attempts) was up by 18 percent.
While email remains the most common attack vector, SMS and voice smishing are on the rise. Furthermore, phishing attempts that use social media to research and target victims are also increasing. Globally, 74 percent of organisations reported social-media-based attacks in 2021.
While COVID-19 and pandemic-related topics are on the wane, the changes wrought by the pandemic continue to influence the lines of attack.
Proofpoint’s research shows that many phishing attempts used lures associated with current trends. For example, in 2021 this included: streaming shows such as Squid Game; pop-culture events such as a Justin Bieber world tour; economic issues.
One recovery-themed phishing campaign was based around the premise of cancelling a fake streaming service, luring victims to cancel non-existent subscriptions.
Another emerging trend was telephone-oriented attacks. This type of attack invites email recipients to call a support line for help to cancel or update a service or request a refund. This attack preys on the notion that calling a support line and talking to a real person seems like a relatively “safe” option.
Worryingly, some eighty percent of organisations reported a successful email-based phishing attack in 2021. That success rate is a 46% jump on the 2020 figure.
However, the results of the successful attacks were variable. There was actually a two percent drop in email-based ransomware infections from the previous year – and a six percent drop in financial loss.
Nevertheless, the figures are concerning.
The first line of defence in any anti-phishing strategy has to be your email gateway. Email analysis and detection tools continue to improve. Around the world they stop millions of fraudulent and phishing emails every day.
That said, some phishing emails will inevitably get through.
That makes the best line of defence in your anti-phishing strategy your people. Staff cyber security awareness training to help them understand how to spot malicious emails and phishing attempts, to understand what to do when they spot a suspect email, and to raise awareness more generally about the cyber security protections that need to be considered when working at home, are all important.
If you don’t currently have staff training in place to help employees identify and deal with phishing attempts, malicious emails and cyber security threats more generally, Grant McGregor can help. Please reach out to our team today for more information.
Remote working creates a number of new risks. First and most obvious is the possibility of accessing work networks on unsecured devices. Hopefully, most organisations will have long-since addressed this risk by issuing remote-working staff with properly managed corporate laptops or tablets on which to work and connect.
The possibility of other family members using these devices to connect to insecure platforms, websites or email accounts persists, however. Managing the devices with the right policies via a mobile device management tool such as Microsoft Endpoint Manager, Intune and Autopilot will help to mitigate this risk.
However, staff training about the appropriate use of devices remains essential.
The changed environment creates another risk factor. We are likely to be less guarded when working at home. Further, with the lines blurring between home and work life, many staff are tired and burnt out. This isn’t conducive to making the best decisions, including around cyber security.
Getting the culture around hybrid working right is something many organisations are continuing to grapple with. Emphasising the need to have separate devices for work and home content is one security step. Emphasising the need for a clear delineation of work time and downtime is less easy – but just as important. Even something as simple as mandating that you can’t schedule Teams meetings back-to-back (to allow for quiet reflection time between calls) can help.
More than 30 percent of staff think that when an email contains a familiar logo it means the content is safe. This is especially worrying because the first half of 2021 saw a rise in attacks that tried to exploit Microsoft and Google brands.
Training must raise awareness of current and active threats like this. But it must also deal with the general principles of email good practice. Cybercriminals are going to disguise who they are. Staff need to be on alert!
As well as directly covering the threats associated with email-based phishing (including warning signs and how to spot them), training needs to cover associated topics, such as: malware; Wi-Fi security; ransomware; mobile devices security; password best practices; internet safety; best practices for remote working; and what to do when you spot something suspicious.
Investing in good quality – and regular – staff cyber security awareness training doesn’t just benefit your organisation by reducing the likelihood of a cyber attack being successful.
It’s also great for your staff too – because, in today’s world, cyber security skills are life skills, not just work skills.
Please reach out to our team if you need more information or advice on any of the topics covered in this blog.
You can reach us on: 0808 164 4142
Further reading
You can also find more cyber security information on our blog. Catch up with these recent posts:
• Help! I’ve received a suspicious email! What should I do?
• The New Password Rules: 2022 Update
• How to implement multi-factor authentication
• And China: the new security risk?