Security researchers detected an increase in both phishing campaigns and brute force attacks in the first half of 2021.

Vendor and Business Email Compromise Attempts Also Up

According to Abnormal Security, the volume of brute force attacks grew by 160% starting in May 2021 and ending in mid-June. This means that brute force attacks targeted 26% of all organizations per week on average during that period — more than double the rate (10%) for a typical week.

Some weeks registered a higher volume of attacks than others. In particular, the rate of attacks for the week of June 6 shot up 671% over the previous week’s average. Subsequently, nearly a third of all organizations found themselves targeted by brute force attacks that week.

Credential phishing attempts also increased in H1 2021. They rose from two-thirds of advanced attacks in Q4 2020 to more than 73% of attempts in Q2 2021.

Such growth highlights the fact that digital criminals can use a compromised email account to conduct secondary attacks. That threat includes vendor email compromise as well. In this case, attackers seize a vendor account and inject themselves into an ongoing email conversation. Then, they use that access to send fraudulent invoices or banking details under their control.

These types of attacks rose for the fourth consecutive quarter in Q2 2021.

And then there are business email compromise scams. This type of attack grew from 0.2 campaigns per 1,000 mailboxes at the beginning of the year to 0.41 campaigns by the end of June.

The Growing Speed of Phishing Attacks

The findings discussed above highlight the extent to which phishing attacks have become easier and cheaper to conduct.

No wonder then that the average phishing attack lasts an average of 21 hours. That breaks down to nine hours from when the first victim visits the campaign’s malicious domain to when the first detection comes in. After that, it’s another seven hours before detection rates of the phishing site peak. Another five hours account for the time where victims receive the link and browse the site.

At the same time, it doesn’t cost attackers all that much to conduct a phishing attack. They can purchase an email list between $50 and $500 on a dark web marketplace, for instance. Once they’ve bought it, they can then use the same list to launch other attacks.

How to Protect Against Phishing and Brute Force Attacks 

Organizations can protect themselves against credential phishing and brute force attack campaigns by cultivating a culture of cyber awareness. Specifically, they can use threat intelligence to educate their employees about some of the most recent phishing attacks targeting users. It’s important to use phishing simulations as part of this process. That way, you can test employees’ knowledge and provide follow-up learning modules where needed.

At the same time, organizations need to implement technical controls designed to safeguard their authorized accounts. They can do this by putting multi-factor authentication in place to prevent a set of compromised credentials from translating into a successful account takeover. They can also leverage single sign-on to reduce the pressure for employees to remember too many passwords for too many web accounts.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…