Every successful phishing campaign costs the average company $1.6 million, and they are only getting smarter, more sophisticated, and more targeted.
It is estimated that the global rate of phishing attacks levied against the enterprise rose 65 percent in the last year alone, and as they become harder to separate from legitimate messages, it is critical that companies train their staff to both detect and report them -- rather than fall for such schemes.
On Thursday, enterprise phishing detection and training provider PhishMe released its third annual Enterprise Susceptibility and Resiliency Report, which suggests that corporations are becoming better at unmasking these threats -- but there is still a long way to go.
There is only so far network security solutions and scans can go when defending clients against phishing campaigns. As they target the human, and emotive responses, the success lies in duping the victim into believing such messages are legitimate, in order to send them to malicious websites or to download malicious attachments.
The report, based on millions of emails sent for analysis and over 1,400 customers in 23 industries and in over 50 countries, says that everyone can have a bad day and fall for such schemes, but on the whole, susceptibility rates are declining, due to improved training and education.
According to the company, in 2015, the average firm was susceptible to 14.1 percent of phishing attacks. In 2017, this dropped to roughly 10.8 percent.
"A mature conditioning program will provide ongoing, immersive training that is targeted, specific and increasingly difficult," PhishMe says. "Simulations should progress over time to challenge employees and keep them aware of emerging threats."
When cyberattackers use an emotional response as bait, the range of phishing emails is vast -- from apparent prizes and money transfers to messages which appear as formal complaints.
The days are gone when phishing emails were linked mainly to the Spanish lottery or lost relatives abroad willing to give you millions of dollars; instead, fraudsters use a vast array of emails designed to elicit panic and shatter reason in the moment to boost susceptibility rates.
Within the report, the company included data on the different threat verticals facing today's enterprise players.
Below are the most common, grouped by industry:
Over the past three years, reporting rates have managed to climb to 20.7 percent, in comparison to 13.8 percent in 2015. It may not seem like much, but as enterprise employees become more aware of the threats lurking in their inbox, every attack recognized and reported is important.
PhishMe says that despite complex and evolving phishing campaigns, companies are getting better at fending off such attacks across all industries -- although there is still work to be done.
The report says:
"While the capacity of each organization is different, it's important that anti-phishing programs stay as active as possible. This is particularly true when it comes to developing recognition and reporting of active threat models.
As with susceptibility and reporting, resiliency is improving throughout major industries. Education is the exception. Possible reasons: tighter security budgets compared to other industries, lack of central control and typically open environments that encourage users to "bring your own device.""
In the first eight months of 2017, over 216,000 emails were reported as sent through phishing campaigns, 15 percent of which deemed malicious -- the rest being only spam or non-malicious messages.
In total, business email compromise (BEC) accounted for five percent of reported attacks in the same time period, while 24 percent of reports contained attachments and malicious links designed to compromise enterprise systems.
The most common threats identified by the company, including payloads delivered by phishing campaigns, are malicious Microsoft Office macros, ransomware, keyloggers, and Remote Access Trojans (RATs).
The most common threats from compromised internal sources were fake messages concerning company account checks, IT help desk messages and similar lures, while the top external phishing message related to fraudulent order payments.
"It's well known that phishing, like all forms of cyber-crime, constantly evolves as attackers seek an edge," the report suggests. "In simulation training, users learn to recognize phishing and report it right away. Incident responders not only use such human intelligence to hunt and stop threats -- they also loop it back to the training, so simulations mirror ongoing real-world dangers. When users train routinely and remain engaged, anti-phishing programs become proactive and more effective."
According to PhishMe, organizational susceptibility can be decreased over time, given the correct education and training. In addition, the more opportunities employees have to report phishing attempts, the more the message seems to sink in -- and the more aware people become of fraudulent campaigns aimed at them and their companies.
Transparency, education, and reporting are all important elements of a "kill chain" able to minimize the risk of phishing campaigns. If training programs reflect the latest threats and highlight the sophistication of modern-day attacks, so much the better.