Why humans are the top gateway to cyber compromise

Sept. 21, 2022
Security systems, processes, and policies generally mature with time, but human beings not so fast -- we will always be creatures of habit.

Despite the efforts being made to curb phishing, which has been around for more than three decades, phishing attacks continue to rise and organizations continue to struggle with this problem.

Attackers know that it is much easier to target humans than to target systems. Security controls mature; people do not change at the same pace, and we come equipped with inherent weaknesses: judgment errors, cognitive biases and heuristics (mental shortcuts) that an attacker can exploit.

Plus, people hold the keys to the castle, so why not steal the keys, or trick someone into opening the door so the attacker can simply walk in? This is what the IBM Security X-Force Threat Intelligence Index 2022 tells us. The report's top observations are summarized below.

Phishing and Vulnerability Exploitation Are The Top Vectors For Initial Infection

To execute a sophisticated attack like a ransomware infection or espionage, threat actors must first gain an initial foothold in the environment. This is where phishing and software vulnerabilities come in. According to IBM, 75% of attacks in 2021 used phishing (41%) or vulnerability exploitation (34%) as the vector of initial compromise. The remainder was split among stolen credentials (9%), brute force (6%), exposed remote desktop (4%), removable media (4%) and password spraying (1%).

More Than Half of All Cyber Attacks Involve The Human Element

Phishing and vulnerability exploitation only get the attacker in the door; what follows is the real objective. IBM's breakdown of attack types covers ransomware, server access, business email compromise (BEC), data theft, credential harvesting, remote access tools (RATs), misconfiguration, malicious insiders and others. Notably, more than half (53%) of the attacks exploited the weakest link: users. Per IBM, 21% of ransomware cases and 8% of BEC scams relied on phishing, while server access (14%) involved known vulnerabilities that security teams should already have been tracking. The 2022 Verizon DBIR makes a similar observation about the involvement of human error.

Vishing Three Times More Effective Than Targeted Phishing

In its social engineering penetration tests, IBM found that the click rate of a targeted phishing campaign rose significantly when the campaign was coupled with a phone call (vishing, or voice phishing). The average click rate of a targeted phishing campaign on its own was 17.8%; adding vishing made it three times as effective, with a click rate of 53.2%.

Majority of Phishers Hunt For User Credentials

Throughout 2021, IBM closely tracked how cyber criminals use phishing kits: pre-packaged tools bundled with ready-to-use software and templates, sometimes even with customer support, that criminals can buy on dark web markets. IBM found that nearly all phishing kits asked victims for their credentials, followed in popularity by credit card data (61% of kits), mailing address, phone number, date of birth, security questions and ATM PINs. This again supports the premise that attackers are looking for ways to walk through the front door, bypassing security controls rather than defeating them.

Where Vulnerabilities Are Low, Phishing Is High

IBM observes that in regions like North America, where the string of critical vulnerabilities disclosed in 2020 and 2021 pushed organizations to build robust patch management programs, phishing became the attack vector of choice and appeared in 47% of all security incidents. The same holds in highly regulated industries such as financial services, energy and healthcare: where awareness of vulnerabilities is high and patching is disciplined, phishing again reigned as the top vector.

How Organizations Can Boost Phishing Defenses

Unfortunately, no single tool or solution will stop a business from being phished. Threat actors will keep refining their social engineering techniques and adopting new technologies to scam users. IBM therefore recommends a layered approach to mitigating phishing risk, combining three things:

  • First: implementing effective user awareness and education programs that use real-world examples and simulations. Such programs keep employees up to date on the latest tools and tactics used by cybercriminals, guide them on cybersecurity best practices and build the muscle memory that lets employees recognize attacks before they become incidents.
  • Second: employing email and web security solutions that identify and filter out malicious messages and block users from reaching malicious websites.
  • Third: deploying a combination of security tools such as behavior-based anti-malware detection, endpoint detection and response (EDR), intrusion detection and prevention systems (IDS/IPS) and security information and event management (SIEM), together with phishing-resistant multi-factor authentication (MFA): FIDO2/WebAuthn or certificate-based authentication rather than SMS, one-time codes or push approvals, which an adversary-in-the-middle phishing page can relay in real time. IBM also recommends that organizations adopt a zero-trust approach, refine their vulnerability management processes regularly and keep an incident response plan ready in case the organization is hit.
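As an added illustration of what "phishing-resistant" means in the third item (this is example code written for this page, not IBM's or the author's), the following simulates the relying-party checks a WebAuthn server performs and contrasts them with a relayed one-time code. All names are constructed: bank.example is the relying party, bank-login.example a look-alike site run by an adversary-in-the-middle proxy. The authenticator's asymmetric signature is replaced by an HMAC with a key shared between the authenticator and the relying party so the example runs on the standard library alone; that is a simplification, not how real authenticators work. Real browsers additionally refuse to use a credential whose rpId does not match the page's domain, so the relay case would fail even earlier; the code models only the server-side checks.

```python
"""Added example: why FIDO2/WebAuthn MFA resists phishing while a relayed OTP does not.

The browser writes the page's real origin into clientDataJSON, the authenticator signs
that JSON together with a hash of the relying party ID, and the relying party rejects
any assertion whose origin is not its own. Every name and value here is constructed.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "bank.example"                        # constructed relying party (assumption)
RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"  # constructed look-alike site (assumption)

# Simplification: a real authenticator signs with a per-credential private key and the
# RP verifies with the stored public key. A shared HMAC key stands in for that here.
AUTHENTICATOR_KEY = secrets.token_bytes(32)
OTP_SEED = secrets.token_bytes(20)            # shared secret for the HOTP comparison case


def rp_new_challenge() -> str:
    """Fresh, single-use challenge issued by the relying party for one login."""
    return secrets.token_urlsafe(32)


def browser_build_client_data(challenge: str, page_origin: str) -> bytes:
    """clientDataJSON as the browser builds it. The browser, not the page's JavaScript,
    fills in 'origin' from the URL the user is actually on."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": page_origin}, separators=(",", ":")).encode()


def authenticator_sign(rp_id: str, client_data: bytes):
    """Authenticator output: authenticatorData (sha256(rpId) || flags || counter) and a
    signature over authenticatorData || sha256(clientDataJSON)."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x07"
    signed_bytes = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(AUTHENTICATOR_KEY, signed_bytes, hashlib.sha256).digest()


def rp_verify(expected_challenge: str, client_data: bytes, auth_data: bytes, signature: bytes):
    """Relying-party assertion checks (WebAuthn spec section 7.2, abbreviated).
    Returns (accepted, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong clientData type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: assertion was made on %r" % cd.get("origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected_sig = hmac.new(AUTHENTICATOR_KEY,
                            auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected_sig):
        return False, "signature does not cover the presented clientDataJSON"
    return True, "ok"


def legitimate_login():
    """User is on the real site: origin matches and the signature verifies."""
    challenge = rp_new_challenge()
    client_data = browser_build_client_data(challenge, RP_ORIGIN)
    auth_data, sig = authenticator_sign(RP_ID, client_data)
    return rp_verify(challenge, client_data, auth_data, sig)


def aitm_relay_login():
    """Proxy relays the real RP's challenge to a victim sitting on the look-alike site.
    The browser records the look-alike origin, so the RP refuses the assertion."""
    challenge = rp_new_challenge()
    client_data = browser_build_client_data(challenge, PHISH_ORIGIN)
    auth_data, sig = authenticator_sign(RP_ID, client_data)
    return rp_verify(challenge, client_data, auth_data, sig)


def aitm_relay_with_origin_rewrite():
    """Same proxy, but it rewrites 'origin' to the real one before forwarding. The
    signature covered the original clientDataJSON, so verification fails instead."""
    challenge = rp_new_challenge()
    client_data = browser_build_client_data(challenge, PHISH_ORIGIN)
    auth_data, sig = authenticator_sign(RP_ID, client_data)
    rewritten = browser_build_client_data(challenge, RP_ORIGIN)
    return rp_verify(challenge, rewritten, auth_data, sig)


def hotp(seed: bytes, counter: int) -> int:
    """RFC 4226 HOTP, 6 digits: the building block of app-generated one-time codes."""
    digest = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    return (int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF) % 1_000_000


def otp_relay_login(counter: int = 7) -> bool:
    """The non-resistant case: the victim types the code on the phishing page, the proxy
    forwards it verbatim, and the RP accepts it. Nothing ties the code to an origin."""
    typed_on_phishing_page = hotp(OTP_SEED, counter)
    relayed_by_proxy = typed_on_phishing_page
    return relayed_by_proxy == hotp(OTP_SEED, counter)


if __name__ == "__main__":
    for name, fn in [("legitimate", legitimate_login), ("AitM relay", aitm_relay_login),
                     ("AitM relay + origin rewrite", aitm_relay_with_origin_rewrite)]:
        print(f"{name:28s} -> {fn()}")
    print(f"{'OTP via AitM relay':28s} -> accepted={otp_relay_login()}")
```

The two rejection paths are the whole argument for the "phishing-resistant" label: the proxy can either forward the assertion unchanged and lose on the origin check, or edit the origin and lose on the signature check. The relayed HOTP code has no such binding, which is why a proxy-based phishing kit captures a session protected by SMS, TOTP or push MFA just as easily as a password.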

To most users, a cyber-attack looks like a technology problem. The reality is that, when it comes to phishing, mitigating the risk created by the human element offers the best chance of preventing costly breaches.

About the Author: Perry Carpenter is the author of the recently published "The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer" (Wiley, 2022), his second Wiley book on the subject. He is chief evangelist and security officer for KnowBe4 (NASDAQ: KNBE), the world's largest security awareness training and simulated phishing platform.