This post was written with contributions from Stephanie Carruthers, Camille Singleton and Charles DeBeck.

Attackers are known to pore over a company’s website and social channels. Perhaps they spot a mention of an upcoming charity event. Who runs the charity? What does their email signature look like? What’s the color and size of the charity’s logo?

This kind of information is priceless to attackers. From there, attackers can craft a targeted message. They might also follow up with a phone call. Even if the targets have been warned about scams, they might click on something they shouldn’t.

Phishing is the most common way for threat actors to gain access to victims’ networks, according to this year’s IBM Security X-Force Threat Intelligence Index. Approximately 41% of attacks that X-Force remediated last year involved this tactic.

That figure, up from 33% in 2020, accounts for all types of phishing, including mass emails and highly targeted ones. Some of the most advanced cyber threat actors in the world use phishing to deliver ransomware, malware, remote access Trojans or malicious links.

Phishing is number one for a simple reason.

“It works,” said Stephanie Carruthers, a global social engineering expert at IBM Security X-Force Red. Phishing attacks are increasingly sophisticated, with bad actors becoming more organized, innovative and clever about targeting. Carruthers uses intelligence-gathering tricks and tactics in red team attack simulations for IBM clients.

More people fall for these simulations than you might expect. Nearly one in five people click on targeted phishing campaigns from X-Force Red. And when the attack uses a follow-up phone call, one in two people fall prey to the trick.

Phishing has endured since the 1990s despite decades of security advancement. But it’s not because people are gullible, said Camille Singleton, manager of the IBM X-Force Cyber Range Tech Team.

“Threat actors are just really good at this,” she said. “They keep improving their capabilities and offensive tools.”

The following four reasons show why phishing remains a serious threat:

  1. Remote work gives attackers an opening. Companies rely heavily on email in the age of remote and hybrid work, and Carruthers said attackers are sending more emails to exploit this dynamic. Meanwhile, fewer watercooler chats mean fewer opportunities for employees to casually warn each other of a suspicious email that landed in their inboxes.
  2. Cyber criminals are sharpening their tools. Psychological manipulation techniques boost the success rate of phishing attacks. These tactics can be as simple as following up a phishing email with a phone call or text message. When Carruthers and her team add follow-up voice calls to their simulated targeted phishing emails, the click rate rises to a whopping 53.2%. That figure is three times higher than the 17.8% click rate achieved through targeted emails alone. During attack simulations, Carruthers said, “People have even said to me, ‘I thought that email you sent looked suspicious, but thank you so much for calling me.’ People don’t question a friendly voice.”
  3. Black-market groups are getting more professional. Threat actors no longer need a specialized technological skill set, because the black market has evolved to meet demand. Cyber criminals can simply purchase a phishing instruction kit, complete with helpline assistance, on the dark web. “When you think of the dark web, you’d think these criminals would be shady or unorganized,” Carruthers said. “But some operate almost like a professional business.”
  4. Security training isn’t innovative enough. As email scam tactics grow more advanced, security training hasn’t evolved to match the pace of the changes, Carruthers said. Many companies give security training to employees yearly and hope that schedule provides protection. “There hasn’t been a lot of innovation in that space,” she said. “You can patch computers, you can patch servers — but you can’t patch a person.”

To Keep Phishing Emails Out, Build Stronger Nets

A phishing email is just the starting point for a cyberattack. Once inside, threat actors deploy the next stage of an attack, such as ransomware or data theft. Data breaches that stem from phishing scams cost companies an average of $4.65 million, according to the Cost of a Data Breach Report.

Unfortunately, no one tool or solution can prevent all phishing attacks.

“Phishing presents this really interesting intersection of human and technical challenges,” said Charles DeBeck, former senior cyber threat intelligence strategic analyst with IBM Security X-Force. “That’s what makes it so challenging to defend against.”

IBM Security X-Force recommends a layered approach, starting with a security solution to filter out malicious messages. Zero trust security solutions prevent attackers from slipping deeper into the system by continually verifying users’ identities and minimizing the number of people who can gain access to valuable data assets. Techniques like multi-factor authentication help with this verification.

Having a mature zero trust strategy saves money in the event of a breach. On average, organizations with this strategy spend $1.76 million less than those that don’t use zero trust, according to the Cost of a Data Breach Report.

“Whatever you’re using to protect your company, don’t just buy it, plug it in and cross your fingers,” Carruthers cautioned. Regular testing is key.

“Attackers get sophisticated; they learn ways around filters and around all technology,” she added. “So continuing to test them to make sure they’re tuned is incredibly important.”

Lastly, an employee training program with real-world examples is essential. In Carruthers’ experience, the more employees see what damage attackers can cause, the more likely they are to identify and report threats.

Carruthers relates this smart solution from one of her clients: “Every time an employee receives a phishing email, the company takes a screenshot of it and breaks down all the red flags that employees should have spotted.” She said well-trained and vigilant employees can thwart a lot of phishing schemes — including her own.
