Phishing is still an effective cyberattack technique because it constantly evolves. To keep up, your phishing defenses need to evolve too.
Our new report, Phishing Insights 2021, reveals the state of phishing and cybersecurity user education based on an independent survey of 5,400 IT professionals. Use it to evaluate your own phishing security posture and identify opportunities to evolve your defenses.
It also provides a real-world case study of a phishing email that led to a multi-million dollar ransomware attack.
Phishing means different things to different people
What is phishing? One of the findings from the survey is that even among IT professionals there is wide variation in what people consider to be a phishing attack. The most common understanding is emails that falsely claim to be from a legitimate organization, usually combined with a threat or request for information. While this was the most popular answer, fewer than six in ten (57%) respondents selected this option, illustrating the breadth of meanings understood by phishing.
46% of respondents consider Business Email Compromise (BEC) attacks to be phishing, while over a third (36%) understand phishing to include threadjacking i.e. when attackers insert themselves into a legitimate email thread as part of an attack.
With this extensive variation in understanding of phishing attacks among IT professionals, it’s reasonable to expect a similar or greater range of interpretations among non-IT employees.
This is a useful reminder to be mindful of the different interpretations of the word ‘phishing’ when providing educational resources and user awareness training. Without the correct context, the training will be less effective.
Phishing has increased since the pandemic
70% of survey respondents reported an increase in phishing attacks on their organization since the start of the pandemic. All sectors were affected, with central government experiencing the highest increase (77%), closely followed by business and professional services (76%) and healthcare (73%).
Fortunately, 98% of organizations had their phishing awareness program in place before COVID-19 hit. Thanks to these programs, employees will have been well placed to withstand the barrage of phishing emails over the last year.
While this is good news, it’s also a reminder to regularly review and update phishing awareness materials and activities to keep them fresh and relevant.
Case study: From phish to multi-million-dollar ransomware attack
Invariably, phishing is just one part of a cyberattack. When a victim falls for a phish, it set off a chain of events that can lead to a devastating attack many weeks or months later.
The Sophos Rapid Response team was recently called in to assist a company experiencing a major ransomware attack that started with a phishing email. As the timeline shows, three months passed between the initial phish and the release of the ransomware payload, with multiple adversaries playing different roles in the attack.