How a successful phishing attack can hurt your organization

Data loss is the number one result of a fruitful phishing campaign, but account compromises and ransomware attacks can threaten your organization as well, says Proofpoint.

On the receiving end, a successful phishing campaign can damage an organization in more ways than one. A report released Sunday by security provider Proofpoint looks at the impact of a phishing attack and offers tips on how to combat one.

For its “2021 State of the Phish report,” Proofpoint collated data from several sources:

  1. a third-party survey of 3,500 working adults in the US, UK, Australia, France, Germany, Japan, and Spain;
  2. a third-party survey of 600 IT professionals across the same countries;
  3. more than 60 million simulated phishing attacks deployed by Proofpoint customers for internal training; and
  4. more than 15 million phishing emails reported by end users.

2020 saw a slight increase in phishing attacks among Proofpoint customers. Some 57% said their organization was hit by a successful attack last year, up from 55% in 2019. More than 75% of the respondents said they faced broad-based phishing attacks, both successful and unsuccessful, in 2020. With a broad-based approach, cybercriminals cast a less targeted but wider net in hopes of compromising as many people as possible.

However, more targeted campaigns also posed a threat last year. Among the respondents, 66% saw more targeted phishing attacks last year, while 65% were hit by more Business Email Compromise (BEC) attempts.

Targeted attacks reach fewer people but are more focused and sophisticated and less likely to get caught by security defenses. By researching specific people or roles within an organization, cybercriminals can deploy spearphishing attacks and BEC campaigns as well as whaling attacks, which target CEOs or other high-ranking individuals.

A successful phishing attack can impact an organization in several ways. Data loss was the greatest side effect, cited by an average of 60% of those surveyed. Compromised accounts or credentials were the second biggest effect, mentioned by 52% of the respondents. Additional outcomes from a phishing attack included ransomware infections, cited by 47%, other malware infections by 29%, and financial loss or wire transfer fraud by 18%.

Beyond email-based phishing attacks, cybercriminals like to employ other tactics. Some use social media, some use text messaging, and some use voicemail. Last year, 61% of those surveyed were hit by social media attacks, 61% by smishing (SMS phishing) attacks, and 54% by vishing (voice phishing) attacks.

Of course, the coronavirus pandemic created fodder for phishing attacks. Millions of pandemic-related emails were blocked by Proofpoint alone last year. Though the number of such attacks has dropped since peaking in March and April of 2020, criminals continue to exploit the virus by focusing on more recent events such as stimulus funding and the vaccine rollout.

The simulated phishing emails sent to employees by their organization used such themes as “Singapore Specialist: Coronavirus Safety Measures,” “COVID-19 Hospital Visit,” “FBI Warning!!! Coronavirus Scams,” and “COVID-19 Infected Our Staff.” In some cases, the failure rate approached 100%, meaning almost all of the employees failed to detect these as phishing scams. For more frequently used COVID-related templates, failure rates were much lower, ranging from less than 1% to just over 20%.

To help your organization and your employees thwart phishing campaigns, Proofpoint offers a variety of suggestions:..

Read The Full Article at TechRepublic
