This post was written with contributions from Stephanie Carruthers, Camille Singleton and Charles DeBeck.

Attackers are known to pore over a company’s website and social channels. Perhaps they spot a mention of an upcoming charity event. Who runs the charity? What does their email signature look like? What’s the color and size of the charity’s logo?

This kind of information is priceless to attackers. From there, attackers can craft a targeted message. They might also follow up with a phone call. Even if the targets have been warned about scams, they might click on something they shouldn’t.

Phishing is the most common way for threat actors to gain access to victims’ networks, according to this year’s IBM Security X-Force Threat Intelligence Index. Approximately 41% of attacks that X-Force remediated last year involved this tactic.

That figure, up from 33% in 2020, accounts for all types of phishing, including mass emails and highly targeted ones. Some of the most advanced cyber threat actors in the world use phishing to deliver ransomware, malware, remote access Trojans or malicious links.

Phishing is number one for a simple reason.

“It works,” said Stephanie Carruthers, a global social engineering expert at IBM Security X-Force Red. Phishing attacks are increasingly sophisticated, with bad actors becoming more organized, innovative and clever about targeting. Carruthers uses intelligence-gathering tricks and tactics in red team attack simulations for IBM clients.

More people fall for these simulations than you might expect. Nearly one in five people click on targeted phishing campaigns from X-Force Red. And when the attack uses a follow-up phone call, one in two people fall prey to the trick.

Phishing has endured since the 1990s despite decades of security advancement. But it’s not because people are gullible, said Camille Singleton, manager of the IBM X-Force Cyber Range Tech Team.

“Threat actors are just really good at this,” she said. “They keep improving their capabilities and offensive tools.”

The following four reasons show why phishing remains a serious threat:

  1. Remote work gives attackers an opening. Companies rely heavily on email in the age of remote and hybrid work, and Carruthers said attackers are sending more emails to exploit this dynamic. Meanwhile, fewer watercooler chats mean fewer opportunities for employees to casually warn each other of a suspicious email that landed in their inboxes.
  2. Cyber criminals are sharpening their tools. Psychological manipulation techniques boost the success rate of phishing attacks. These tactics can be as simple as following up a phishing email with a phone call or text message. When Carruthers and her team add follow-up voice calls to their simulated targeted phishing emails, the click rate rises to a whopping 53.2%. That figure is three times higher than the 17.8% click rate achieved through targeted emails alone. During attack simulations, Carruthers said, “People have even said to me, ‘I thought that email you sent looked suspicious, but thank you so much for calling me.’ People don’t question a friendly voice.”
  3. Black-market groups are getting more professional. Threat actors no longer need a specialized technological skill set, because the black market has evolved to meet demand. Cyber criminals can simply purchase a phishing instruction kit, complete with helpline assistance, on the dark web. “When you think of the dark web, you’d think these criminals would be shady or unorganized,” Carruthers said. “But some operate almost like a professional business.”
  4. Security training isn’t innovative enough. As email scam tactics grow more advanced, security training hasn’t evolved to match the pace of the changes, Carruthers said. Many companies give security training to employees yearly and hope that schedule provides protection. “There hasn’t been a lot of innovation in that space,” she said. “You can patch computers, you can patch servers — but you can’t patch a person.”

To Keep Phishing Emails Out, Build Stronger Nets

A phishing email is just the starting point for a cyberattack. Once inside, threat actors deploy the next stage of an attack, such as ransomware or data theft. Data breaches that stem from phishing scams cost companies an average of $4.65 million, according to the Cost of a Data Breach Report.

Unfortunately, no one tool or solution can prevent all phishing attacks.

“Phishing presents this really interesting intersection of human and technical challenges,” said Charles DeBeck, former senior cyber threat intelligence strategic analyst with IBM Security X-Force. “That’s what makes it so challenging to defend against.”

IBM Security X-Force recommends a layered approach, starting with a security solution to filter out malicious messages. Zero trust security solutions prevent attackers from slipping deeper into the system by continually verifying users’ identities and minimizing the number of people who can gain access to valuable data assets. Techniques like multi-factor authentication help with this verification.

Having a mature zero trust strategy saves money in the event of a breach. On average, organizations with this strategy spend $1.76 million less than those that don’t use zero trust, according to the Cost of a Data Breach Report.

“Whatever you’re using to protect your company, don’t just buy it, plug it in and cross your fingers,” Carruthers cautioned. Regular testing is key.

“Attackers get sophisticated; they learn ways around filters and around all technology,” she added. “So continuing to test them to make sure they’re tuned is incredibly important.”

Lastly, an employee training program with real-world examples is essential. In Carruthers’ experience, the more employees see what damage attackers can cause, the more likely they are to identify and report threats.

Carruthers relates this smart solution from one of her clients: “Every time an employee receives a phishing email, the company takes a screenshot of it and breaks down all the red flags that employees should have spotted.” She said well-trained and vigilant employees can thwart a lot of phishing schemes — including her own.
