August 10, 2022

Email Phishing in 2022 is Worse Than You Thought

Email-based attacks have been a primary compromise for enterprises since email became widely used. While it initially started as a way to deliver malware to sabotage or deface corporate assets, attackers quickly realized that there was more to gain. When access credentials were within reach, along with payment card data and valuable ID data, email attacks morphed into email phishing attacks.

Phishing is best defined as attempting to gain access to information or credentials from end users by posing as a potentially legitimate source of email or call. An email phishing attack is often accomplished by mimicking, spoofing, or domain squatting to make an email origination address appear from a legitimate source, like Microsoft or AWS. The attacker hopes the user will click on a link in the email and either provide credentials or download an attached malware.

The downloading of malware can give the attacker a small foothold in the network that they will continue to escalate or pivot to move through the network without notice. Once inside, the attacker can attain sensitive information or deploy something much more nefarious, like ransomware.

Email Phishing is Back

Because email phishing has been around for a while, many assume it is less of a threat now than it once was. The opposite is true. Like anything else in cybersecurity, the battle against email phishing is a cat and mouse game, where the defenders almost always react to the attackers. As cybersecurity teams, tools, and research groups identify patterns to help defend an organization, attackers pivot to evade that defense, coming up with new attack methods.

There has been a resurgence in phishing attacks in recent years. Many tools, including G-suite and O365, offer resources to help mitigate the risk of a phishing attack. These tools are great at catching low-tech, mass phishing campaigns through machine learning and herd knowledge, but they are not bulletproof. Attackers have become more sophisticated, with techniques that can evade initial detection from these tools, leaving employees on the front line to defend the enterprise. The only real way for organizations to protect themselves is to ensure that end users are fully educated and pay close attention to every email coming in.

Understanding the Impact

As organizations have improved security posture and prevention capabilities, attackers have become harder to access. Because of this, the attackers have pivoted back to utilizing phishing as the primary mode of entry into organizations.

According to the Ponemon 2021 Phishing Study, organizations’ average cost of phishing has increased nearly 5x since 2015. Further, loss of productivity has doubled in that same time for employees. Productivity loss could result from credentials being locked, systems needing to be reimaged, or users not being able to work during the investigation.

With the largest cost being the work required to recover and redeploy the assets of affected users, there is an increasing cost as employees move to a more remote posture.

When Security Awareness Isn’t Enough

To combat email phishing scams, many companies have security awareness training that guides employees on detecting and avoiding common attacks. But evidence of its effectiveness is mixed. Surveys show that many employees don’t give security training sessions their full attention. Further, long sessions can breed frustration and negative associations with the methods required for security.

Studies have shown that training must be short and regular to be effective. Because phishing attacks rapidly improve, employees must practice detecting the most up-to-date scams. But even while this is known, many organizations lack the incentive or the budget to invest in the high level of awareness training necessary to reduce their overall risk.

The Best Defense

The problem of email phishing is not going away. How can individuals and companies protect themselves from phishing attacks? Far from a simple solution, the best defense is a multi-pronged approach.

To start, enterprises need to implement tools to help detect and remove phishing attacks easily identified from inboxes. This method is effective because it reduces the possibility of human error. Even if security training is lacking, an organization can survive an attack if it never reaches an employee’s inbox.

The next step is to implement a robust training and education program for employees on how to identify and report phishing attacks. The latter is critical and easily overlooked. Having an active feedback loop so the organization can review failed phishing attempts can help I.T steel the network against similar attacks in the future. Employee security training should involve presentations and hands-on practice through simulation.

Organizations must explain that simulated phishing training is not meant to catch an individual but to help them understand how to identify phishing and to continue to hone their security skills. Lastly, an organization should look to implement additional response tools and protocols that involve monitoring user activity.

What’s Next for Phishing?

As organizations improve tools, prevention, and detection capabilities, we will continue to see attackers evolve. We expect to see more low-tech, shotgun phishing campaigns from organizations hoping to slip through detection and catch just one individual.

However, it is more likely that attackers will pivot to meet a new wave of tactics and technology. This evolution is happening now. More and more phishing attacks are coming in via SMS text (Smishing) to bypass corporate controls. According to cybersecurity advisory Network Assured, we will also see higher utilization of open-source intelligence to mimic trusted vendors or even to compromise a vendor to allow attacks to be launched against their clients.

No matter the current trend of attacks, it can be assumed that phishing will remain one of the largest initial compromise vectors for attackers.

About the author 

Peter Hatch

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}