Today’s reality is dominated by and relies upon digital interactions. Top amongst the IT and security risks are phishing attacks, the initial vector for 9 out of every 10 cyber attacks. In the past year alone, phishing has caused over $50B losses globally for businesses with attackers posing as more than 1,000 different organizations in almost 40 million identity deception threats and over 1 billion brand impersonation attempts. Phishing works, period. And threat actors will never stop leveraging methods that lead them down the road of successful exploits.
Why? These attacks are focused against people, and we love a good story. In fact some argue that all of humanity is driven by stories. To make these attacks work, cyber actors have only one tactic to employ, and that is authenticity. Visual authenticity most directly tied to brand impersonation phishing, and organizational authenticity, most closely tied to Business Email Compromise (BEC) phishing.
The first goal is attaining authenticity–e.g., targeting commonly known brands to make it increasingly difficult for people to tell what is genuine or malicious. A case in point: email attackers most often (51.7% of the time) impersonated one of 20 well-known global brands. These brands are popular and highly interacted with organizations, with Microsoft coming in at #1 on the list, alongside other companies such as Google, Amazon, Facebook and World Health Organization on the list.
Threat actors also capitalize and latch onto large-scale world events or trends tied to brands. For example, when there is a World Cup, there are campaigns that leverage assets related to the World Cup. When there is a G20 Summit, there are campaigns that leverage assets related to G20. When Covid-19 came to fruition, there were a slew of attacks leveraging Covid-19 related trends. In some ways, threat actors are incredibly predictable, with physical events transcending into cyberspace. This ultimately underscores that phishing, like any attack, exploits avenues that are the weakest link–in these cases, the inherent human inclination to be trusting.
When threat actors disguise themselves as legitimate, their second major objective–to trick victims into clicking links or downloading harmful files–can be easily achieved. It’s natural to want to interact with a timely link or file from someone you think you know. Earlier this year, threat actors took advantage of the havoc spurred by Silicon Valley Bank’s collapse preying on customers. In a widespread phishing campaign, threat actors posed as SVB to send DocuSign-themed “links,” which when clicked, led users to a complex, attacker-owned redirect chain.
The stakes to combat phishing attacks have never been higher. And while the problem may seem insurmountable, there are three key actions to strengthen any organization’s security posture:
One fraudulent email has the power to inflict significant harm on an organization – with standard email inbox security tools not viable for combatting these attacks. Between 2013 and 2015, Facebook and Google lost $100 million after falling victim to a fraudulent invoice scam where a threat attack sent a series of multi-million dollar invoices by replicating the tech giant’s vendor. In 2016, Austrian aerospace parts manufacturer FACC lost $47 million when an employee transferred money after believing a phishing scheme impersonating the company’s CEO.
Threat actors frequently use popular providers (e.g., Microsoft and Google) to originate their attacks, which allows them to evade typical authentication checks. Today’s email security procedure requires multiple protection layers to be enacted before, during, and after messages reach the inbox. While SPF, DKIM, and DMARC authentication standards are a crucial safeguarding step, they alone fail to provide comprehensive protection against phishing attacks. These standards were not designed to detect the presence of dangerous emails and/or links that are typical of phishing attacks – proven by the fact that 89% of unwanted messages cleared through these tools.
The key to combating and keeping up with modern phishing tactics is adopting an assumed breach mindset – never trust, always verify. Organizations must implement a Zero Trust security model for every email. Implementing phishing-resistant multi-factor authentication, augmenting cloud email security with multiple anti-phishing barriers, and equipping employees with secure tools are all critical pieces of achieving this.
When processes and tools aren't working, the natural inclination is to throw more resources at the problem – more people, time, and money. This is the wrong move as taking reactive measures means it’s already too late. Take spam filters, for instance, while they were the primary focus of email security at one point they are only the tip of the iceberg in what’s needed to proactively combat phishing attacks.
Categorizing phishing threats into different buckets, though successful in other contexts, is ineffective when taking a holistic view of phishing with the goal of confronting the problem. Many industry phishing reports divide the space granularly as if it is approaching and solving for 100 different problems – the same threat being discussed in 100 different ways can make it daunting to approach a solution. A comprehensive approach is essential, and as proven by the rising number of attacks, splicing data isn’t leading to a solution. With 90% of security decision-makers in agreement that the type and scope of phishing threats are expanding, it’s clear that there needs to be a streamlined, holistic strategy to safeguard our digital environments.
The cyber security landscape is inundated with solutions that each promise enhanced security, However, very few effectively address the exacerbated issue of phishing – one that no organization is immune to. In 2022 alone, Cloudflare detected over 1.4 million BEC threats, double the volume compared to 2021, with 71% of organizations experiencing an attempted or actual business email compromise attack.
This data shows phishing permeates across industries, effectively dismantling traditional security investments with the click of a single link. Users are more susceptible to clicking links than downloading a file, as they perceive the link as a more authentic form of communication. Threat actors repeatedly capitalize on this human weakness which has moved malicious links to the most common threat category, compromising 35.6% of all detected threats. These links and files can lead to credential harvesting, remote code execution that lets the attacker install malware or ransomware, steal data, or take other actions, and ultimately a full network compromise just by taking over a single workstation.
As phishing continues to surge, business leaders must leverage data points to enact solutions. This ensures that resources are being properly allocated to proactively defend against breaches resulting from successful phishing attacks. The data is clear that phishing is an overwhelming issue for businesses of all sizes, but there are pointed answers on how to apply resources to prevent phishing attacks from causing irreversible damage.
The digital ecosystem is constantly evolving, and the ability to stay one step ahead of phishing attacks requires a direct, proactive approach. Organizations can secure emails with a Zero Trust security model so no user or device has complete, trusted access to email or other network resources. Organizations can integrate multiple anti-phishing controls to cloud email security to address high-risk areas for attack exposure, and implement phishing-resistant MFA security tools.
The tech stack is just as important as addressing your own organizational culture: teams within large organizations have their own preferred tools, so meeting employees where they are by making the tools they already use more secure helps prevent potential phishing attacks. Encouraging a blame-free, transparent “see something, say something” approach to reporting suspicious activities is paramount because the minutes between reporting a suspicious activity and taking action are critical.
By implementing modern technical solutions, confronting the problem head-on, and leveraging data-driven solutions, organizations can break free of band-aid solutions and extensively protect themselves and their data from phishing attacks. Such solutions necessitate a cross-functional approach, blending technical measures with organizational awareness to create a formidable defense against the insidious threat of phishing.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
To learn more about the latest phishing trends, get the latest, Phishing Threats Report!
Oren Falkowitz — @orenfalkowitz
Security Officer, Cloudflare
After reading this article you will be able to understand:
Phishing is still the initial vector for 9 out of every 10 cyber attacks
89% of unwanted messages cleared SPF, DKIM, and DMARC
3 key actions to strengthen any organization’s security posture