“Phishing and malware will also continue to be relentless threats, leveraged by both cybercriminals and APT actors that require organizations to address the inadvertent actor risk.” — 2019 IBM X-Force Threat Intelligence Index Report

The stronger our technical defenses become, the more threat actors look to target the human dimension of security. Just how susceptible are people to phishing and spear phishing? Recent statistics from numerous sources point to an increase in the level of phishing activity and sophistication, as well as a heightened impact on organizations in terms of money stolen, data held for ransom and intellectual property pilfered.

This is no time for organizations to be complacent about this form of social engineering, as the stakes are high, and technology-based controls can only get us so far.

A Thriving Phishing Industry

Judging by the amount of activity, the phishing industry is a thriving business. In their latest report covering Q3 2019, the Anti-Phishing Working Group (APWG) labeled this period as “the worst period for phishing that the APWG has seen in three years.” For each month from July to September 2019, they reported over 80,000 phishing sites, with three-quarters of all attacks targeting just three industry sectors: SaaS/webmail (33 percent), payment industry (21 percent) and financial institutions (19 percent).

From a global law enforcement perspective, Europol recently released a report focused on spear phishing that noted how “spear phishing is still one of the most common and most dangerous attack vectors.” The report further detailed how one organized criminal group caused over 1 billion dollars in losses to the financial services industry by leveraging spear phishing as part of their activities to move money via ATM withdrawals and wire transfers.

Like the APWG’s statistics, Europol’s findings show that the number of phishing websites has reached new record levels. Europol noted that 65 percent of targeted attacks involved spear phishing as the primary infection vector. With regard to cyber espionage, phishing was used in 78 percent of cases.

Phishing Pairs With Business Email Compromise

Because phishing is a means to an end, one common follow-up that’s often observed alongside a phishing campaign is business email compromise (BEC). If BEC attacks have been getting a lot more coverage in 2019, it’s because there has been an uptick in activity and in losses reported by businesses and individuals.

In September 2019, the FBI issued a rare warning about BEC attacks via its IC3 reporting center. In the release, titled “Business Email Compromise: The $26 Billion Scam,” the FBI shared sobering statistics about just how effective BEC fraud has become. From 2013 to 2019, the FBI reported nearly 70,000 American victims, totaling over 10 billion dollars in losses for the U.S. alone. Globally, there were over 150,000 victims, with more than 26 billion dollars at stake.

BEC attacks often involve tricking the victim into transferring funds to accounts under attackers’ control, and fraudsters have three main vehicles for “cashing out” in this way. As the APWG noted, the preferred method was to ask for gift cards (56 percent), with another 25 percent moving funds via payroll diversion and 19 percent via direct transfers. However, attackers leveraging wire transfers were able to move substantially more money ($52,325 on average) compared to those choosing the gift card route, who averaged just $1,571.

Security Awareness Isn’t Enough

There is a running theme in the reports from the APWG and Europol and the warnings from the FBI/IC3: Take phishing seriously and review your preparations now. Europol warns that there is a wealth of at-risk information online about organizations and specific employees, such as top-level managers and finance or payroll staff. This information enables highly effective spear phishing attacks that can result in “much greater damage overall.” According to Europol, “one successful attempt can be enough to compromise a whole organization.”

To avoid raising suspicion and increase their chance of success, spear phishing campaigns tend to seek critical information related to three key aspects of a target organization:

  • The structure of the organization — who works where and to whom they report
  • The various tools, skills and knowledge bases staff use routinely
  • The processes in place at that particular organization or location

Extensive use of job advertising sites and social media platforms by organizations and employees alike can make the process of assembling this information much easier and faster than it would have been just a decade ago.

Beyond Awareness: Security and HR Must Work Together

As phishers up their game in terms of both the frequency and capabilities of their attacks, HR and organizations’ security functions must work together to achieve more than awareness. Much of the advice that was common as recently as five years ago is no longer sufficient. For example, the APWG reported that by the end of 2019, 68 percent of all phishing sites used SSL protection — up from around 10 percent in Q1 2017 — so telling users to look for SSL/TLS visual clues in websites is no longer an effective strategy by itself.

Some key recommendations from the Europol report are as follows:

  • Review your organization’s social engineering footprint, especially on the topics of structure, processes and software. For example, the website Hunter.io provides the general format of email addresses for a given organization. Since an email address usually represents half of the credentials one would need to authenticate (with a password representing the other), it’s important to remind users about good password hygiene and safe surfing/clicking. For example, one phishing campaign used fake unusual sign-in activity notifications to get users to share their legitimate credentials.
  • Europol has indicated that many organizations are simply unprepared to investigate spear phishing and BEC incidents adequately. Top leadership should encourage the development and refining of dedicated incident response and investigation processes for phishing and BEC incidents.
  • Organizations should also conduct a yearly review of controls and processes to get assurances of their effectiveness. Such reviews must address the human dimension of security with tailored security awareness campaigns and phishing tests as well as a review of technology controls and response processes. According to IBM Security, “routinely providing employee education and test campaigns with updated phishing techniques used by attackers can help mitigate these threats.” For example, you could test employees with a fake performance appraisal attachment or a privacy policy annual review. This would also present a good opportunity to review data backup and restoration capabilities, given the many ransomware incidents that plagued companies and government targets in 2019.
  • Implement best practices for responding to Office 365 phishing. Since many organizations have moved their email and office applications to Office 365, they should also ensure that they have configured effective preventive and detective controls by deploying multifactor authentication (MFA), mailbox auditing and log preservation. There must also be a system in place to respond to unusual activity.
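The last recommendation above only pays off if someone actually looks at the mailbox audit trail it tells you to enable. The script below is an added example, not part of the article or of any Microsoft tooling: it walks a batch of records shaped like Office 365 unified audit log exports (field names such as `CreationTime`, `Operation`, `UserId`, `ClientIP` and `Parameters` follow that schema, but every record here is constructed) and flags the post-compromise mailbox changes that typically follow a successful credential phish: inbox rules that delete or hide mail, forwarding set on a mailbox, and any mailbox configuration change made from outside the organization's address space. The trusted network range, the folder list and the reason codes are assumptions chosen for illustration.

```python
"""Triage constructed Office 365 audit-log style records for phishing follow-on activity.

Added example, not from the article. Record fields mirror the unified audit log
schema, but all sample records, the trusted network and the heuristics are
constructed assumptions for illustration.
"""
import ipaddress

# Constructed sample records: what a small export of mailbox audit events might look like.
SAMPLE_RECORDS = [
    {"CreationTime": "2019-10-01T08:02:11", "Operation": "UserLoggedIn",
     "UserId": "jane.doe@example.com", "ClientIP": "10.20.30.40"},
    {"CreationTime": "2019-10-01T08:05:43", "Operation": "New-InboxRule",
     "UserId": "jane.doe@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2019-10-01T09:15:00", "Operation": "Set-InboxRule",
     "UserId": "bob.lee@example.com", "ClientIP": "10.20.30.41",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2019-10-01T09:20:12", "Operation": "UserLoggedIn",
     "UserId": "bob.lee@example.com", "ClientIP": "203.0.113.55"},
    {"CreationTime": "2019-10-01T09:21:02", "Operation": "Set-Mailbox",
     "UserId": "bob.lee@example.com", "ClientIP": "203.0.113.55",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:someone@example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
]

# Assumption: the organization's own address space; anything else counts as external.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Operations that change how a mailbox handles mail (Exchange Online cmdlet names).
MAILBOX_CONFIG_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Rule/mailbox parameters that forward mail elsewhere.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}

# Folders commonly used to park mail where the owner will not notice it (assumption).
SUSPICIOUS_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "junk email", "archive"}

# Reason codes attached to findings.
EXTERNAL_IP = "external-ip"
HIDES_MAIL = "hides-mail"
AUTO_FORWARD = "auto-forward"


def parameters(record):
    """Flatten the record's Parameters list of {Name, Value} pairs into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(ip):
    """True when the client address is outside every trusted network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETWORKS)


def reasons_for(record):
    """Return the list of reason codes that make this record worth an analyst's time."""
    reasons = []
    if record["Operation"] not in MAILBOX_CONFIG_OPS:
        return reasons  # logins alone are context here, not findings
    if is_external(record["ClientIP"]):
        reasons.append(EXTERNAL_IP)
    params = parameters(record)
    hides = (params.get("DeleteMessage") == "True"
             or params.get("MoveToFolder", "").lower() in SUSPICIOUS_FOLDERS)
    if hides:
        reasons.append(HIDES_MAIL)
    if any(name in params for name in FORWARD_PARAMS):
        reasons.append(AUTO_FORWARD)
    return reasons


def analyze(records):
    """Return findings (oldest first) for every mailbox change that trips a heuristic."""
    findings = []
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        reasons = reasons_for(rec)
        if reasons:
            findings.append({"CreationTime": rec["CreationTime"], "UserId": rec["UserId"],
                             "Operation": rec["Operation"], "ClientIP": rec["ClientIP"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f"{f['CreationTime']} {f['UserId']:<22} {f['Operation']:<14} "
              f"from {f['ClientIP']:<15} -> {', '.join(f['reasons'])}")
```

Run against the constructed records, two of the five events surface: the inbox rule that silently deletes anything mentioning invoices or wire payments, created from an external address shortly after a login, and the mailbox-level forwarding change. The benign "Newsletters" rule from an internal address is left alone. In practice the records would come from a preserved export of the unified audit log rather than an inline list, and the findings would feed the incident response process the Europol recommendations call for.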

Email and social media keep us connected to our friends, families, employers and favorite brands. However, they are also a portal through which attackers can take advantage of our human nature. Organizations and individuals must remain vigilant for spear phishing and BEC attacks by combining awareness with robust security controls and processes that boost overall cyber resilience.
