Many traditional phishing attacks bypass the basic email protection most organizations deploy. Why? Because these messages often carry no malware at all: a link to a credential-harvesting page or a plain-text request for a payment gives attachment- and signature-based filters nothing to match, and the emails are cheap to send at scale. For many threat actors, phishing is the go-to tool for compromising users because it delivers a quick and often significant return on investment.
Phishing emails target people rather than software, and people remain the weakest point in any organization's security. Research shows it's a very effective strategy: according to Proofpoint's "2021 State of the Phish Report," 74% of U.S. organizations experienced a successful phishing attack last year.
Our research also finds that most of these businesses have no solution for staying on top of phishing attacks other than relying on users to spot and actively report them.
Threat actors get crafty to earn users’ trust
A phishing campaign's success depends largely on how much trust the attacker can earn from the users being targeted. Attackers pose as someone inside your company, or register a lookalike domain that differs from the real one by a character or two so the sender address looks trustworthy at a glance. In some cases they go further and spoof the genuine address in the From header, which is even tougher for employees to detect and is only caught reliably when the receiving mail system enforces sender authentication such as SPF, DKIM and DMARC.
Maybe your employees won't fall for the notorious Nigerian prince looking to share his wealth if he could just get a little help from a kind stranger. But what about an email from your boss asking you to authorize payment for the new software your company just purchased? Or an email from one of your vendors asking to get caught up on an unpaid bill? Or a message from IT asking you to reset your password after a recent security update?
You can see the problem—and these are only a few examples.
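As an added illustration (not part of the original post), the Python script below applies heuristic checks for the impersonation tricks described above: a trusted display name on an outside address, a lookalike sender domain, replies or bounces redirected to a different domain, and an exact-domain spoof exposed by a failed SPF/DKIM/DMARC result. The organization domain example.com, the protected-name list and every sample message are constructed for this example.

```python
"""Heuristic checks for the email impersonation tricks described above.
Added example; the domain, names and messages below are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (hypothetical): the protected organization's
# domain and the display names most likely to be impersonated.
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address; empty if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """A domain that resembles ORG_DOMAIN but is not it: a character or two
    changed (examp1e.com) or our name embedded in a longer one
    (login-example.com, example.com.attacker.test)."""
    if not domain or domain == ORG_DOMAIN:
        return False
    return (levenshtein(domain, ORG_DOMAIN) <= 2
            or ORG_DOMAIN.split(".")[0] in domain)


def analyze(raw_message: str) -> list[str]:
    """Return the impersonation indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    findings = []

    # 1. A trusted person's name on an address outside the organization.
    if display_name.strip().lower() in PROTECTED_NAMES and from_dom != ORG_DOMAIN:
        findings.append("display-name impersonation")

    # 2. A sender domain crafted to be mistaken for ours.
    if is_lookalike(from_dom):
        findings.append("lookalike sender domain")

    # 3. Replies or bounces quietly routed to a different domain.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to domain differs from From")
    return_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if return_dom and return_dom != from_dom:
        findings.append("return-path domain differs from From")

    # 4. Our exact domain in From, but our MTA's authentication checks failed:
    #    the classic header spoof.
    auth = msg.get("Authentication-Results", "").lower()
    if from_dom == ORG_DOMAIN and any(
            f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc")):
        findings.append("exact-domain spoof: authentication failed")
    return findings


# Constructed sample messages: one per trick plus a clean control.
SAMPLES = {
    "ceo_freemail": "\n".join([
        "From: Jane Doe <jane.doe.ceo@gmail.com>",
        "Subject: Urgent: approve software payment", "",
        "Please authorize the invoice today, I am in meetings all afternoon."]),
    "lookalike_it": "\n".join([
        "From: IT Helpdesk <helpdesk@examp1e.com>",
        "Reply-To: IT Helpdesk <helpdesk@examp1e.com>",
        "Subject: Password update required", "",
        "Follow the link to update your password after the security update."]),
    "vendor_reply_to": "\n".join([
        "From: Accounts <billing@vendor.test>",
        "Reply-To: Accounts <billing@vendor-invoices.test>",
        "Subject: Unpaid invoice", "", "Invoice 4471 is overdue."]),
    "spoofed_exact": "\n".join([
        "Return-Path: <bounce@mailer.attacker-host.test>",
        "Authentication-Results: mx.example.com; spf=fail "
        "smtp.mailfrom=attacker-host.test; dkim=none; dmarc=fail "
        "header.from=example.com",
        "From: Jane Doe <jane.doe@example.com>",
        "Subject: Wire transfer", "", "Process the attached wire details."]),
    "legitimate": "\n".join([
        "Return-Path: <jane.doe@example.com>",
        "Authentication-Results: mx.example.com; spf=pass "
        "smtp.mailfrom=example.com; dkim=pass header.d=example.com; "
        "dmarc=pass header.from=example.com",
        "From: Jane Doe <jane.doe@example.com>",
        "Subject: Team lunch", "", "Thursday at noon?"]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:16} {analyze(raw) or ['no indicators']}")
```

Treat these as signals to score, not verdicts: Return-Path and Reply-To routinely differ from From for mailing lists and bulk-mail providers, and a two-character edit distance will also flag some legitimate partner domains. The one check that is hard for an attacker to defeat is the fourth, provided the Authentication-Results header is written by your own receiving MTA and any copy arriving from outside is stripped first.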
Spear-phishing attacks: CISOs’ real nightmare
If there's one attack vector that keeps CISOs up at night, especially now, it's spear phishing via email. Through these attacks, malicious actors attempt to obtain sensitive information such as login credentials, credit card numbers or details of specific accounts. They can then use those credentials to impersonate the victim, spread malicious content throughout the organization, or deliver ransomware.
Threat actors will often employ spear-phishing tactics to target a specific organization. They’ll spend time researching names and roles within the company so they can build trust with potential victims. With so much personal data available online, attackers can make their messages appear very convincing.
And now we see attackers leaning more than ever on two of the most common tactics: phishing URLs and impersonation. A key factor in this trend is the shift to all-remote or hybrid work during the COVID-19 pandemic, which has employees at many businesses working outside the protected corporate network.
Supply chain attacks are on the rise, and phishing is one tactic threat actors often rely on to help facilitate these campaigns. Learn more about this trend in this post.
Strategies to undermine phishing campaign success
While security awareness training is critical, it won't put an end to phishing on its own. A multi-layered approach, combined with fine-tuning the solution you already have, can greatly increase your efficacy in defending against this threat and provide a more secure environment for your users and organization.
Insulating users from these phishing attempts and other sophisticated attacks with capabilities like Proofpoint Isolation can also raise your organization's level of protection and keep users safe from suspicious links. Applying adaptive isolation controls further strengthens phishing prevention by protecting your organization's Very Attacked People™ from attacks that are harder for users to spot and for technical tools to block.
For more strategies and solutions to help keep your employees, data and customers secure, visit www.proofpoint.com.