View from the Front Line: Phishing Attack Trends
Phishing raids are the most common attack vector for cybercriminals targeting organisations.
The third quarter of 2019 saw a 46% increase in phishing attacks on the previous quarter. And this was almost double the number of attacks during the fourth quarter of 2018.
As the scams become increasingly sophisticated, easy to execute, and highly profitable, is it any wonder that phishing is now widely regarded as being the biggest and most consequential cyberthreat facing both businesses and consumers?
Phishing remains a top threat for 2020, as witnessed by IBM’s specialist security teams: X-Force IRIS, our front-line response and intelligence team, and X-Force Red, a squad of veteran hackers who are hired to run phishing attacks against real organisations.
To explore the current state of phishing against enterprise networks, we’ve paired the perspectives of both teams to present new data and analysis.
And the good news is: in the Launch Attack phase, phishing is a critical bottleneck that, if successfully defended against, makes a substantial difference in the risk and impact an organisation faces.
Phishing: it’s more than just spam emails
Phishing seeks to obtain a person or company’s sensitive information, including usernames, passwords and credit card details.
This is achieved via the use of emails or instant messages that appear to come from trusted parties, such as banks, online payment processors, IT administrators, or the more reputable websites.
It works by preying on human emotion and the urge to act on written words, urging users into opening an attachment or clicking on a malicious link.
As such, it’s a prime example of social engineering techniques being used to deceive users.
By creating authentic-looking emails with believable logos, letterheads, wording, and topics of interest to the target audience, the fraudulent message will usually persuade users to innocently enter personal information at a fake website, which also matches the look and feel of a legitimate site.
Even when employees and end users receive warnings or training to be wary of anything appearing suspicious, the cybercriminals adapt their tactics, becoming ever more innovative in the means they employ to fool even the most security-savvy people.
Phishing is now so ubiquitous in our work environments that it is a constant threat.
IBM X-Force IRIS: Phishing is on the increase
The IBM X-Force Incident Response and Intelligence Services (IRIS) team assists clients in responding to cyberattacks and data breaches on a daily basis, from forensic research to in-depth intelligence.
This grants our team a front-line perspective of the types of attacks organisations face.
According to IBM X-Force IRIS, attackers used phishing as an entry point for one-third of all attacks the team tracked in 2018 and 2019.
In 2019, nearly 31% of all cyber incidents investigated had a known infection vector that could be traced back to a malicious email or phishing attack.
In fact, phishing attacks occur at a critical juncture in the X-Force IRIS Cyber Preparation and Attack Frameworks, a model used to assess threat actors’ activity.
Coming in at a close second, accounting for 29% of incidents, is the use of stolen credentials, which are often obtained through a variety of methods including phishing.
What’s more, the most advanced cyberthreat actors in the world have discovered that phishing is an almost effortless means of delivering malware, remote access Trojans (RATs), or malicious links to recipients.
IBM X-Force IRIS has found that 84% of the advanced persistent threat (APT) groups tracked used spear phishing as a primary infection vector.
Of those, 68% appear to use it as their only infection vector. Yet 42% of all the organisational phishing attacks X-Force IRIS has observed since June 2018 involved business email compromise (BEC).
This is a type of spear phishing where attackers hijack a business email account, utilising micro-targeting to focus on individuals working at specifically chosen companies.
The most frequently targeted industries include tech companies, payment gateways, and financial institutions.
Once attackers have defined their targets and access is established, social engineering tactics are cleverly employed to manipulate employees into sending sensitive information to the attackers, or even directing large funds into fraudulent accounts.
BEC fraud is one of the most damaging spear phishing attacks that an organisation can suffer, costing companies a total of more than $26 billion worldwide as of September 2019.
Indeed, actual losses are likely to be exponentially higher, as these losses only account for what companies are willing to report or confirm.
IBM X-Force Red: Phishing for IBM Security
We know the world’s most expert phishing team.
They work for us, and they could work for you, too.
You see, X-Force Red is IBM’s autonomous team of veteran hackers. And their mission is to put an organisation’s digital security to the test by making the most ingenious attempts to hack into it.
One of the most successful ways our team hacks into systems and people is phishing. Moreover, one of the most popular assessments we conduct is one based around social engineering practice.
Because our team quite often relies on phishing to find a way into an organisation, it’s a technique they’re very familiar with.
They start by forming a deep understanding of a typical target’s environment, including formulating ideas of what might appear credible to them in an email message.
This allows them to craft a custom-tailored and convincing phish that’s likely to be opened.
Whenever used, phishing is always a successful entry point into an organisation’s security systems.
From September 2018 to September 2019, on average 26.5% of recipients clicked on a link contained in a malicious email.
It was found, almost without fail, that at least one recipient would interact with a test phishing campaign.
Fortunately for the systems and companies hacked into, the X-Force Red team spends more time gathering open-source intelligence (OSINT) than seeking any malicious benefit from a successful attack.
Their many findings suggest that beyond employee education, a security team’s priorities should focus on response rather than prevention.
IBM Security Rapport with Challenges Facing Business
Three of the most common searches on Google now are ‘report phishing email’, ‘reporting scam emails’, and ‘Email saying I know your password’.
Phishing is obviously endemic.
So what can be done about it?
You can also explore ways of deploying industry-specific IBM Security, a range of enterprise-relevant technologies and support programmes you can leverage in your solutions.