Phishing has been around for decades but remains one of today's biggest—and fastest growing—cyber threats. Already a growing challenge before the COVID-19 pandemic, phishing activity has only gotten worse since then. According to the latest annual Internet Crime Report from the FBI's Internet Crime Complaint Center (IC3), the number of complaints filed about phishing fraud and related complaints jumped 182% between 2019 and 2021. And those numbers reflect only reported phishing attacks; the true number is likely far higher.
By any measure, cyber attackers are clearly succeeding in their efforts to exploit human vulnerabilities. Yet research for the "2022 State of the Phish" report from Proofpoint found that only 53% of working adults know what phishing is.
The message for organizations: Phishing needs to be a focal point of your security awareness program. If it's likely that only about half of your users know what phishing is, consider leading off your education about this crucial cybersecurity awareness topic with an explanation of the term.
About this series
Today's cyber threats rely on human interaction, not just technical exploits. In fact, 82% of data breached in Verizon's 2022 "Data Breach Investigations Report" involved the human element. As the report puts it, this reality "puts the person square in the center of the security estate." Attackers use social engineering to trick people into clicking unsafe URLs, opening malicious attachments, entering their credentials, sending sensitive data, transferring funds and more.
This is the second installment of our six-part blog series that highlights topics you should address in your security awareness training leading up to Cybersecurity Awareness Month in October. The series covers:
- Social engineering
- Business email compromise (BEC)
- Social media
- Insider risk
What is phishing?
Phishing emails use social engineering to encourage users to act quickly, without thinking things through. And when attackers succeed in tricking users with phishing messages, the rewards can include access to sensitive data, critical systems and networks, cloud accounts and often money.
Most phishing messages are sent by email. But some attackers deliver these messages to victims through other methods, including smishing and vishing (using text messages and voice-changing software to send SMS messages to users or robocall them).
Three primary threats in phishing messages
Once your users have a better understanding of what phishing means, outline some of the typical strategies attackers use to compromise the recipients of phishing messages:
Attackers often use malicious URLs in phishing messages. When users click on a malicious link, it may take them to an impostor website, or a site infected with malware (malicious software). Often, attackers will carefully disguise these links in phishing messages so that they appear to be from trusted sources. Techniques may include using company logos or registering email domains confusingly similar to those of a trusted brand or business.
And all too often, the attacker succeeds. Our research for the "2022 State of the Phish" report shows that 1 in 10 users will click on a malicious link in phishing simulations.
Attachments infected with malware can compromise computers and files, and they often look like legitimate file attachments. In phishing simulations we conducted for customers, we've observed that 1 in 5 users will open an email attachment.
It's important to explain to users the harm phishing can cause. Malware infections and ransomware delivered through a phishing attack can easily spread across networked devices—and even to cloud systems.
These requests are designed to convince the email recipient to return sensitive information, such as login credentials, credit card information and more. They are often presented as a form (for example, from a tax authority promising a refund) to prompt the user to provide sensitive information.
Once the user fills out and submits the form, malicious actors can use that data for their personal gain.
All phishing attacks use social engineering
As noted earlier, phishing attacks are a form of social engineering. In your security awareness training, you'll want to draw attention to some of the ways that attackers take advantage of human psychology to manipulate users, such as by:
- Masquerading as someone or something the user would likely know and trust
- Taking advantage of emotions such as fear (or even just stoking the fear of missing out) to motivate users to act quickly
- Making exciting promises that sound too good to be true (and definitely are)
Also, malicious actors will often try to time their attacks for when a user is likely to have their guard down, such as when they're feeling tired or distracted. Many attackers will also study a company's billing cycle or learn when important meetings are held before they launch a phishing attack.
The bottom-line impacts of phishing for businesses
As part of your end user security awareness program, you may want to point to a few significant incidents to help underscore just how costly phishing attacks can be for businesses. This information can be especially compelling for senior executives. Because of their access and authority, they are among the types of users most often targeted or impersonated by attackers in phishing campaigns.
Here are some real-world examples:
- In a proposed settlement over a massive 2021 data breach, a mobile telecommunications company in the United States has agreed to pay out $350 million to customers whose data was allegedly exposed. The incident affected more than 76 million customers.
- A phishing attack sent to suppliers of a large U.S. retailer led to massive hack that exposed credit card and personal data for more than 110 million customers of the retail chain. The retailer has since paid out about $300 million in lawsuit settlements related to the breach.
- A major movie studio lost an estimated $100 million following an attack campaign believed to be from North Korea that led to a massive data breach. The attack included the use of spear-phishing emails (targeted attacks sent to selected people in an organization) that appeared to come from legitimate social media accounts.
- Two leading technology companies in the United States—one a social media platform and the other an internet search engine—lost more than $100 million in an elaborate phishing scheme. Attackers went as far as setting up a false company and using fake emails and invoices.
Creative themes users should watch out for
Of course, for cybersecurity awareness training to resonate with users, they need to understand how phishing schemes can potentially erode their bottom line, too. And with the holidays coming up, it's an ideal time to help your users learn to be on the lookout for phishing tactics involving:
- Online shopping (such as "Click here to order now, and you'll get 60% off! Plus, you'll be entered to win a free $1,000 shopping spree on our website.”)
- Charities (such as "Help fight hunger this holiday season—the need is extremely urgent. Please use this form to donate what you can right now.”)
- Shipping providers (such as "We could not deliver your item. Please review the attached shipping information to confirm your order details.”)
Also, alert your users to the potential for "streaming scams" where attackers pose as legitimate providers of popular streaming services, offering special deals (maybe "One month free!") or try to convince users they need to take action on their account (such as "Update your details to reactivate your membership").
Tips for your end users to identify phishing attempts
Complete your training on the cybersecurity awareness topic of phishing with some easy-to-implement advice that can help your users avoid falling for a phishing scheme. Encourage them to:
- Not trust the sender immediately, even if the message appears to be from a trusted source or brand
- Scrutinize the sender's address—and inspect any links
- Open a new window to check out the website a link is pointing to
- Not click on calls to action within the email, like "verify your account" or "log in now"
- Understand that file-sharing links aren't always safe
And finally, urge your users to report every message that they consider suspicious. Email reporting should be a critical part of your cyber defenses—and tools like the PhishAlarm phishing button from Proofpoint make it easy for your users to become vigilant and proactive defenders.
Coming soon: more end user security awareness topics
The next post in this blog series will focus on business email compromise (BEC). We'll explain why organizations of all sizes across every industry today should be vigilant about this growing threat. And we'll provide tips for educating your users on this critical security awareness topic.
We also encourage you to visit the Proofpoint Cybersecurity Awareness Hub, where you'll find more resources to help inform your organization's security awareness training program. Proofpoint Security Awareness can also help you build a security culture that drives positive behavior change.