As 2019 gets off to a promising start with plenty of new ideas in the cybersecurity space for the year ahead, we reflect on 2018.
Phishing attacks have long been a problem, and their numbers continued to grow in 2018. However, the goal of these attacks looks a little different than it has in the past. Phishing attacks typically aim to infect the recipient’s computer with malware. The function of the malware can vary, but infection has been the overall goal of these attacks since their inception.
In 2018, it looks like phishing attacks were increasingly conducted with the goal of collecting credentials from the victims.
Cybersecurity company Proofpoint released a report earlier this week that analyzed data from tens of millions of phishing emails sent globally between Oct. 2017 and Sept. 2018.
Key Findings from the Report
- Overall, 83 percent of global infosecurity respondents experienced phishing attacks in 2018, up from 76 percent in 2017.
- Nearly 60 percent saw an increase in employee detection following security awareness training.
- More organizations were affected by all types of social engineering attacks (phishing, spear phishing, SMS phishing, voice phishing, and USB drops) year over year.
- For the first time, compromised accounts overtook malware infections as the most commonly identified impact of successful phishing attacks.
- Baby boomers outperformed all other age groups in fundamental phishing and ransomware knowledge.
The last point is an interesting one that runs contrary to what most people would assume. There is an assumption that younger people are more knowledgeable about technology and hence more likely to identify a cybersecurity threat. It appears this is not the case, and companies should ensure their younger workforce is also up to date with cybersecurity training.
Phishing attacks tend to use links to lure the victim onto a page where they submit their credentials. The Proofpoint report found that 69 percent of phishing attacks use a link, while 17 percent use a direct data entry format and 14 percent use an attachment.
The most successful campaigns involved toll violation notifications, updated building evacuation plans, a note requiring invoice payment, or a request to change a password. These types of phishing emails tend to be successful because they appear mundane, like something the recipient is used to seeing, and they also create a sense of urgency that encourages people to act quickly.
“Email is the top cyberattack vector, and today’s cybercriminals are persistently targeting high-value individuals who have privileged access or handle sensitive data within an organization,” said Joe Ferrara, general manager of Security Awareness Training for Proofpoint. “As these threats grow in scope and sophistication, it is critical that organizations prioritize security awareness training to educate employees about cybersecurity best practices and establish a people-centric strategy to defend against threat actors’ unwavering focus on compromising end users.”
Although phishing attacks are on the rise, so are cybersecurity awareness and investment within businesses. Companies are spending more money on training their employees to detect a threat and more money on security with the aim of blocking phishing emails from getting through in the first place.