This post was written with contributions from Stephanie Carruthers, Camille Singleton and Charles DeBeck.

Attackers are known to pore over a company’s website and social channels. Perhaps they spot a mention of an upcoming charity event. Who runs the charity? What does their email signature look like? What’s the color and size of the charity’s logo?

This kind of information is priceless to attackers. From there, attackers can craft a targeted message. They might also follow up with a phone call. Even if the targets have been warned about scams, they might click on something they shouldn’t.

Phishing is the most common way for threat actors to gain access to victims’ networks, according to this year’s IBM Security X-Force Threat Intelligence Index. Approximately 41% of attacks that X-Force remediated last year involved this tactic.

That figure, up from 33% in 2020, accounts for all types of phishing, including mass emails and highly targeted ones. Some of the most advanced cyber threat actors in the world use phishing to deliver ransomware, malware, remote access Trojans or malicious links.

Phishing is number one for a simple reason.

“It works,” said Stephanie Carruthers, a global social engineering expert at IBM Security X-Force Red. Phishing attacks are increasingly sophisticated, with bad actors becoming more organized, innovative and clever about targeting. Carruthers uses intelligence-gathering tricks and tactics in red team attack simulations for IBM clients.

More people fall for these simulations than you might expect. Nearly one in five people click on targeted phishing campaigns from X-Force Red. And when the attack uses a follow-up phone call, one in two people fall prey to the trick.

Phishing has endured since the 1990s despite decades of security advancement. But it’s not because people are gullible, said Camille Singleton, manager of the IBM X-Force Cyber Range Tech Team.

“Threat actors are just really good at this,” she said. “They keep improving their capabilities and offensive tools.”

The following four reasons show why phishing remains a serious threat:

  1. Remote work gives attackers an opening. Companies rely heavily on email in the age of remote and hybrid work, and Carruthers said attackers are sending more emails to exploit this dynamic. Meanwhile, fewer watercooler chats mean fewer opportunities for employees to casually warn each other of a suspicious email that landed in their inboxes.
  2. Cyber criminals are sharpening their tools. Psychological manipulation techniques boost the success rate of phishing attacks. These tactics can be as simple as following up a phishing email with a phone call or text message. When Carruthers and her team add follow-up voice calls to their simulated targeted phishing emails, the click rate rises to a whopping 53.2%. That figure is three times higher than the 17.8% click rate achieved through targeted emails alone. During attack simulations, Carruthers said, “People have even said to me, ‘I thought that email you sent looked suspicious, but thank you so much for calling me.’ People don’t question a friendly voice.”
  3. Black-market groups are getting more professional. Threat actors no longer need a specialized technological skill set, because the black market has evolved to meet demand. Cyber criminals can simply purchase a phishing instruction kit, complete with helpline assistance, on the dark web. “When you think of the dark web, you’d think these criminals would be shady or unorganized,” Carruthers said. “But some operate almost like a professional business.”
  4. Security training isn’t innovative enough. As email scam tactics grow more advanced, security training hasn’t evolved to match the pace of the changes, Carruthers said. Many companies give security training to employees yearly and hope that schedule provides protection. “There hasn’t been a lot of innovation in that space,” she said. “You can patch computers, you can patch servers — but you can’t patch a person.”

To keep phishing emails out, build stronger nets

A phishing email is just the starting point for a cyberattack. Once inside, threat actors deploy the next stage of an attack, such as ransomware or data theft. Data breaches that stem from phishing scams cost companies an average of $4.65 million, according to the Cost of a Data Breach Report.

Unfortunately, no one tool or solution can prevent all phishing attacks.

“Phishing presents this really interesting intersection of human and technical challenges,” said Charles DeBeck, former senior cyber threat intelligence strategic analyst with IBM Security X-Force. “That’s what makes it so challenging to defend against.”

IBM Security X-Force recommends a layered approach, starting with a security solution to filter out malicious messages. Zero trust security solutions prevent attackers from slipping deeper into the system by continually verifying users’ identities and minimizing the number of people who can gain access to valuable data assets. Techniques like multi-factor authentication help with this verification.

Having a mature zero trust strategy saves money in the event of a breach. On average, organizations with this strategy spend $1.76 million less than those that don’t use zero trust, according to the Cost of a Data Breach Report.

“Whatever you’re using to protect your company, don’t just buy it, plug it in and cross your fingers,” Carruthers cautioned. Regular testing is key.

“Attackers get sophisticated; they learn ways around filters and around all technology,” she added. “So continuing to test them to make sure they’re tuned is incredibly important.”

Lastly, an employee training program with real-world examples is essential. In Carruthers’ experience, the more employees see what damage attackers can cause, the more likely they are to identify and report threats.

Carruthers relates this smart solution from one of her clients: “Every time an employee receives a phishing email, the company takes a screenshot of it and breaks down all the red flags that employees should have spotted.” She said well-trained and vigilant employees can thwart a lot of phishing schemes — including her own.
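As an added example (not code from the post, from IBM, or from X-Force Red), the script below is a small defender-side triage routine of the kind that sits behind both recommendations above: the filtering layer that scores incoming mail, and the training step that breaks an email down into the red flags a recipient should have spotted. The trusted-domain list, the urgency keywords and both sample messages are constructed for this illustration and are assumptions, not values from the post.

```python
"""Phishing red-flag triage over raw email text (added example, not IBM's code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed (hypothetical) domains the organisation trusts and phrases that signal pressure.
TRUSTED_DOMAINS = {"acme-corp.example", "paypal.example"}
URGENCY_WORDS = ("urgent", "immediately", "verify your account", "suspended", "wire")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def red_flags(raw: str) -> list:
    """Return human-readable red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. A display name that is itself an address at a different domain than the real sender.
    shown = parseaddr(display)[1] if "@" in display else ""
    if shown and _domain(shown) != from_dom:
        flags.append(f"display name '{display}' hides real sender {from_addr}")

    # 2. Replies silently diverted to another domain.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Sender domain is a near miss of a trusted domain but not the trusted domain itself.
    if from_dom not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if 0 < _edit_distance(from_dom, trusted) <= 2:
                flags.append(f"sender domain {from_dom} looks like {trusted}")

    # 4. Pressure language in the subject or any text/plain part.
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    body = b"".join(p.get_payload(decode=True) or b"" for p in parts)
    text = (msg.get("Subject", "") + "\n" + body.decode(errors="replace")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))

    # 5. Links whose host is a bare IP address or a punycode (xn--) name.
    for host in re.findall(r"https?://([^/\s]+)", text):
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}(:\d+)?", host) or host.startswith("xn--"):
            flags.append(f"suspicious link host {host}")
    return flags


# Constructed sample messages (not real mail) for the example.
SAMPLE_PHISH = """\
From: "ceo@acme-corp.example" <accounts@acme-c0rp.example>
Reply-To: finance-desk@mail.example.net
Subject: URGENT wire transfer needed
Content-Type: text/plain

Please process this immediately: http://198.51.100.7/invoice
"""

SAMPLE_CLEAN = """\
From: Dana Smith <dana.smith@acme-corp.example>
Subject: Charity run photos
Content-Type: text/plain

Photos from Saturday are on the intranet. Thanks all!
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, red_flags(sample) or ["no red flags"])
```

Each flag is a sentence a trainer can paste straight into the kind of annotated screenshot the client above uses, and the same function can feed a mail gateway's scoring. None of the checks is conclusive on its own (a legitimate newsletter may use a different Reply-To domain), so a production filter would weight them rather than block on any single hit.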
