Why phishing is still the top attack method

This post was written with contributions from Stephanie Carruthers, Camille Singleton and Charles DeBeck.

Attackers are known to pore over a company’s website and social channels. Perhaps they spot a mention of an upcoming charity event. Who runs the charity? What does their email signature look like? What’s the color and size of the charity’s logo?

This kind of information is priceless to attackers. From there, attackers can craft a targeted message. They might also follow up with a phone call. Even if the targets have been warned about scams, they might click on something they shouldn’t.

Phishing is the most common way for threat actors to gain access to victims’ networks, according to this year’s IBM Security X-Force Threat Intelligence Index. Approximately 41% of attacks that X-Force remediated last year involved this tactic.

That figure, up from 33% in 2020, accounts for all types of phishing, including mass emails and highly targeted ones. Some of the most advanced cyber threat actors in the world use phishing to deliver ransomware, malware, remote access Trojans or malicious links.

Phishing is number one for a simple reason.

“It works,” said Stephanie Carruthers, a global social engineering expert at IBM Security X-Force Red. Phishing attacks are increasingly sophisticated, with bad actors becoming more organized, innovative and clever about targeting. Carruthers uses intelligence-gathering tricks and tactics in red team attack simulations for IBM clients.

More people fall for these simulations than you might expect. Nearly one in five people click on targeted phishing campaigns from X-Force Red. And when the attack uses a follow-up phone call, one in two people fall prey to the trick.

Phishing has endured since the 1990s despite decades of security advancement. But it’s not because people are gullible, said Camille Singleton, manager of the IBM X-Force Cyber Range Tech Team.

“Threat actors are just really good at this,” she said. “They keep improving their capabilities and offensive tools.”

The following four reasons show why phishing remains a serious threat:

1. Remote work gives attackers an opening. Companies rely heavily on email in the age of remote and hybrid work, and Carruthers said attackers are sending more emails to exploit this dynamic. Meanwhile, fewer watercooler chats mean fewer opportunities for employees to casually warn each other of a suspicious email that landed in their inboxes.
2. Cyber criminals are sharpening their tools. Psychological manipulation techniques boost the success rate of phishing attacks. These tactics can be as simple as following up a phishing email with a phone call or text message. When Carruthers and her team add follow-up voice calls to their simulated targeted phishing emails, the click rate rises to a whopping 53.2%. That figure is three times higher than the 17.8% click rate achieved through targeted emails alone. During attack simulations, Carruthers said, “People have even said to me, ‘I thought that email you sent looked suspicious, but thank you so much for calling me.’ People don’t question a friendly voice.”
3. Black-market groups are getting more professional. Threat actors no longer need a specialized technological skill set, because the black market has evolved to meet demand. Cyber criminals can simply purchase a phishing instruction kit, complete with helpline assistance, on the dark web. “When you think of the dark web, you’d think these criminals would be shady or unorganized,” Carruthers said. “But some operate almost like a professional business.”
4. Security training isn’t innovative enough. As email scam tactics grow more advanced, security training hasn’t evolved to match the pace of the changes, Carruthers said. Many companies give security training to employees yearly and hope that schedule provides protection. “There hasn’t been a lot of innovation in that space,” she said. “You can patch computers, you can patch servers — but you can’t patch a person.”

A phishing email is just the starting point for a cyberattack. Once inside, threat actors deploy the next stage of an attack, such as ransomware or data theft. Data breaches that stem from phishing scams cost companies an average of USD 4.65 million, according to the Cost of a Data Breach Report.

Unfortunately, no one tool or solution can prevent all phishing attacks.

“Phishing presents this really interesting intersection of human and technical challenges,” said Charles DeBeck, former senior cyber threat intelligence strategic analyst with IBM Security X-Force. “That’s what makes it so challenging to defend against.”

IBM Security X-Force recommends a layered approach, starting with a security solution to filter out malicious messages. Zero trust security solutions prevent attackers from slipping deeper into the system by continually verifying users’ identities and minimizing the number of people who can gain access to valuable data assets. Techniques like multi-factor authentication help with this verification.

Having a mature zero trust strategy saves money in the event of a breach. On average, organizations with this strategy spend USD 1.76 million less than those that don’t use zero trust, according to the Cost of a Data Breach Report.

“Whatever you’re using to protect your company, don’t just buy it, plug it in and cross your fingers,” Carruthers cautioned. Regular testing is key.

“Attackers get sophisticated; they learn ways around filters and around all technology,” she added. “So continuing to test them to make sure they’re tuned is incredibly important.”

Lastly, an employee training program with real-world examples is essential. In Carruthers’ experience, the more employees see what damage attackers can cause, the more likely they are to identify and report threats.

Carruthers relates this smart solution from one of her clients: “Every time an employee receives a phishing email, the company takes a screenshot of it and breaks down all the red flags that employees should have spotted.” She said well-trained and vigilant employees can thwart a lot of phishing schemes — including her own.