Phishing has long been an infection vector of choice for threat actors, and for good reason — it is relatively easy, inexpensive and consistently successful. In 2018 and 2019, attackers used phishing as an entry point for one-third of all attacks tracked by IBM X-Force Incident Response and Intelligence Services (IRIS) — the most commonly used of all known attack vectors.

Phishers prey on human emotion and the urge to act on written words, and since phishing is so ubiquitous in our work environments, it is a constant threat. Even as training for employees and end users improves, so do the tactics of threat actors crafting and deploying phishing emails. Their ability to create authentic-looking emails with believable logos, letterheads, wording and topics of interest to the target audience continues to fool even the most security-savvy users into opening an attachment or clicking on a malicious link.

Many advanced persistent threat (APT) groups use phishing as a means of delivering malware, remote access Trojans (RATs) or malicious links to recipients. These groups are some of the most advanced cyberthreat actors in the world, underscoring the reliability of, and risk from, phishing as an attack vector. IBM X-Force IRIS has found that 84 percent of the APT groups we track use spear phishing as a primary infection vector. Of those, 68 percent appear to use it as their only infection vector, according to information from our ongoing analyses.

To explore the current state of phishing against enterprise networks, this blog will pair the perspectives of X-Force IRIS, our front-line response and intelligence teams, and X-Force Red, our team of veteran hackers who are hired to run phishing attacks against real organizations, to present new data and analysis. While the plague of phishing is unlikely to wane in the near future, having current data on the severity of the problem and a few remediation measures in one’s back pocket can assist organizations in addressing risks more effectively.

View From the Front Line: Phishing Still a Top Entry Point

X-Force IRIS assists clients in responding to cyberattacks and data breaches on a daily basis, from forensic research to in-depth intelligence, giving our team a front-row perspective of the types of attacks organizations face and how threat actors most likely found a way inside.

According to X-Force IRIS data, phishing attacks are the most common known attack vector for malicious cyber actors who target organizations. Phishing attacks are also the phase that occurs at a critical juncture in the X-Force IRIS Cyber Preparation and Attack Frameworks, a model we use to assess threat actors’ activity. In the “Launch Attack” phase, phishing is the critical bottleneck that, if successfully defended against, can make a substantial difference in the risk and impact the organization may face.

Figure 1: IBM X-Force IRIS Cyberattack Preparation and Execution Framework

In 2019, nearly one-third (31 percent) of all cyber incidents we investigated had a known infection vector that could be traced back to a malicious email or phishing attack. Use of stolen credentials — which could have been obtained through a variety of methods, including phishing — came in at a close second, at 29 percent.

In addition, of all the organizational phishing attacks X-Force IRIS has observed since June 2018, 42 percent involved business email compromise (BEC), a type of spear phishing where attackers hijack a business email account and use this access to persuade employees to send money or information to the attackers. BEC fraud is one of the most damaging spear phishing attacks that an organization can suffer, costing companies a total of more than $26 billion worldwide as of September 2019, according to the FBI.

View From the Red Line: Focus on Incident Response

X-Force Red is IBM’s autonomous team of veteran hackers, hired to break into organizations and uncover risky vulnerabilities that criminal attackers may use for personal gain. X-Force Red’s mission is hacking anything to secure everything (people included). And phishing is one of the top ways our team hacks people, as well as one of the most popular assessments we can conduct in the social engineering practice. Phishing is thus something our hackers are very familiar with performing and often rely on to find a way into an organization.

Statistics gathered from our X-Force Red engagements from September 2018 to September 2019 indicate that, on average, 26.5 percent of recipients to whom we sent a malicious email clicked on a link contained in that email. In addition, the same data shows that, virtually without fail, at least one recipient would interact with our test phishing campaign every time. This means that within our data set, phishing was always a successful entry point whenever used. These findings suggest that beyond employee education, we should focus the security team’s priorities on response, rather than prevention.

When it comes to conducting phishing assessments, our team of hackers spend more time gathering open-source intelligence (OSINT) than actually attacking. The more we are able to understand about our target’s environment, and what would appear credible to them in an email message, the better we are able to craft a custom-tailored and convincing phish that’s likely to be opened.

View From the Spam Traps: Additional X-Force Data

In addition to data from X-Force IRIS and X-Force Red, our team has access to additional information that lends insight into the current state of phishing attacks today. IBM X-Force runs a network of spam traps that give us insight into spam and phishing emails that are most prevalent. Notably in 2019, spam email commonly appeared to come from large technology or social media companies. By spoofing email addresses and URLs and creating fake webpages, spammers and phishers are able to request legitimate credentials that they can then use to gain unauthorized access to accounts or email.

Quad9 data also indicates that the majority of suspect DNS requests last year directed users to spam sites — making up 69 percent of all suspect DNS requests in 2019. That means that if a user clicks on a malicious link, that link was most likely attempting to send the user to a spam site, as opposed to a malware-laden website or other malicious URL.

Resisting the Phish, Responding to Compromise

Phishing attacks are unlikely to abate in the foreseeable future, so focusing on resilience in the face of such attacks is as important as focusing on prevention. The following tips can assist your organization in identifying ways to strengthen both prevention and resilience and decrease the chances that an attacker will use phishing to obtain a critical foothold in your systems.

Threat Prevention Tips

While phishing can be a cunning adversary, some points can help keep it at bay:

  • Are employees over-sharing online? People working for your organization could be over-sharing information on the internet, both from an organizational and a personal standpoint. Inform employees about the risk associated with these activities. The most successful attackers spend significant time researching their targets by looking into their online footprint and then use this information to create highly customized messages, making them more likely to succeed.
  • Keep tabs on your typo-squatted domains. A typo-squatted domain looks very similar to the domain an organization uses, but it is slightly altered by swapping characters, for example, turning a small “L” into a capital “i.” Sometimes vowels switch location, characters are omitted and other tricks are used to make our eyes read a believable domain name. Most people overlook these small changes, and attackers know it. Organizations should check to see if any typo-squatted domains are attempting to impersonate theirs. If any are found, it is wise to proactively purchase them so attackers cannot. If the typo-squatted domain is already registered to another person, it is recommended to block those domains from communicating with your networks.
  • Test employees regularly. While it’s great to train employees on how to spot phishing emails, security teams should also provide the opportunity to spot and report suspicious emails through regular test campaigns.
  • Routinely provide role-based employee education with updated phishing techniques used by attackers — some of the intelligence in this blog may be helpful in crafting training with up-to-date information. Warn employees to be aware of emails that create a sense of urgency or come from an external address.
  • Implement email banners that will flag messages coming from outside the organization to allow employees to identify potentially fake CEO or CFO emails.
  • Disable the ability to launch macros from an email attachment.
  • Use email security controls to flag potentially malicious emails coming from blacklisted domains, emails containing disabled attachments or emails from typo-squatted domains.
  • Use a layered approach to security and consider including behavioral analysis. A layered approach is more likely to detect threats such as zero-day malware, and adding behavioral components is easy with an advanced user behavior analytics (UBA) solution to help detect suspicious internal activity via your company’s security information and event management (SIEM) solution.

Expect Trouble and Respond Effectively

Since someone is bound to click on a malicious link or attachment, organizations must place added focus on response and assume that user devices can and will be compromised. That is why it is important to:

  • Limit user privileges attributed to each user group so that each employee can only access what is needed for their actual work.
  • Ensure proper adaptation of security technology and procedures to detect endpoint compromise.
  • Review network segmentation to effectively limit moving from one area to another.
  • Have an incident response and management plan in place for scenarios big and small.

Download the latest X-Force Threat Intelligence Index

Learn more about IBM Security X-Force’s threat intelligence and incident response services.

More from Threat Intelligence

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today