Study: 9 of 10 Cyberattacks Start With a Phishing Email
Often the most heinous security breaches are deceptively simple and low-tech. In the enterprise world, for instance, the top cause of cyberattacks — by a wide margin — is the humble, yet dangerous phishing email.
According to The 2016 Enterprise Phishing Susceptibility and Resiliency Report from security provider PhishMe, a whopping 91 percent of cyberattacks start with a phishing email. As Dark Reading reports, the top five reasons people are tricked by these emails are rooted in basic human emotions. They include:
- Curiosity (13.7 percent).
- Fear (13.4 percent).
- Urgency (13.2 percent).
- Reward/Recognition (12.9 percent).
- Social Connection (11.8 percent).
As the PhishMe report notes, phishing remains the number-one attack vector for a very simple reason: It works. That’s bad news for enterprises, which must implement behavior-modification programs to thwart attacks that target ever-unreliable human behavior.
“Attackers are crafty and have many different tactics to entice a person to click or open an attachment,” the report notes. “How is the executive assistant to the CEO supposed to recognize a phishing email if they have not seen that tactic used?”
Companies Make Good Targets for a Phishing Email
Not only is enterprise phishing a big hit among cyberattackers, it’s gaining in popularity. This year brought a 55-percent increase in spear phishing campaigns, a 400-percent rise in ransomware attacks, and a soaring 1,300-percent boost in business email compromise (BEC) losses, the PhishMe study found.
The report examined data samples from 1,000+ PhishMe customers who sent more than 40 million simulation emails from January 2015 through July 2016. Its findings share common ground with an April 2016 security study from Verizon, which found the number of opened phishing emails in enterprises reached 30 percent this year, up from 23 percent in 2015.
Triggering an Emotional Reaction
Large organizations, which typically have sizable numbers of workers filling diverse roles, are prime targets for attackers intent on gaining access to sensitive company data. Again, phishing is a great foot in the door, as employees — particularly those susceptible to emotional triggers — might not be focused on email security.
Fear is a powerful motivator, which explains why phishing attempts with the themes “Office Communications” and “Finance/Contracts” had the highest susceptibility rates this year, with 19.9 and 18.6 percent, respectively, PhishMe found.
As with last year’s PhishMe report, the 2016 study showed that business context/communication scenarios make more effective phishing emails than, say, less work-related themes. “This points to the need to fully understand and baseline your own internal communication standards to provide guidance to your users in the detection of malicious phishing attempts,” the report advised.
A Company’s Plan of Attack
This phishing situation isn’t all gloom and doom for enterprises, however, provided they implement an effective anti-phishing effort: one that identifies existing threats, runs a phishing simulation program and conditions employees to recognize and report suspicious, phishing-like activity. This approach can improve an organization’s overall resiliency and significantly reduce the average time for breach detection from 146 days to a mere 1.2 hours.