Business leaders should keep a watchful eye on their email inboxes, as a new report suggests a massive increase in phishing emails in the last quarter of 2020.
Software firm Tessian’s Spear Phishing Threat Landscape 2021 report carried out an analysis of four billion messages sent between July 2020 and July 2021.
The data indicated that up to two million phishing emails slipped past security measures such as secure email gateways (SEGs) in that time, leaving employees as the “last line of defence”.
Businesses are left vulnerable to potential data breaches and cyberattacks, with data revealing 14 phishing emails are received per employee per year, which is likely to increase by the fourth quarter of 2021.
Within a large business, that could be thousands of potential emails. Tessian found 45% more malicious emails were sent in October, November, and December 2020 than in the previous quarter.
Almost half of employees (45%) said that they have clicked on a phishing email by mistake after becoming “distracted”, which is made easier by the fact that 76% of these emails contain no attachment, making them seem harmless.
Commenting in the report, Tessian CISO Josh Yavor explained that the frequency of attacks, the difficulty of spotting them and the time they consume make them hard to investigate, as well as expensive to recover from.
“Native tools do a good job protecting users against bulk phishing attacks and spam but can’t detect never-before-seen attacks or sophisticated spear phishing and social engineering attacks,” Yavor said.
“Phishing awareness programs help, but still leave people as the last line of defence and – as we all know – to err is human.
“That’s why, despite cybersecurity spending being at an all-time high of $150 billion (£109bn), threats continue to land in employees’ inboxes, and, year-on-year, account takeover (ATO) and social engineering remain top threats.”
The retail sector is the hardest hit, averaging 49 phishing emails per staff member per year, followed by manufacturing with 31. The technology industry saw 14 emails per employee, while financial services saw 12.
Additionally, Tessian data revealed that impersonation techniques were the tactics most used by attackers, led by display name spoofing (19%), followed by domain impersonation (11%) and account takeover (2%).
The most impersonated brands over the 12-month period were Microsoft, Amazon, Adobe Sign, ADP and Zoom, Tessian said.
According to security firm Check Point, across the second quarter of 2021, Microsoft was the brand most frequently targeted by cybercriminals and accounted for 45% of all brand phishing attacks globally.
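As an added, illustrative check (not Tessian's or Check Point's code) for the two impersonation tactics named above, the following Python function inspects a From: header for a display name that invokes one of the listed brands from an unrelated mailbox, or for a sender domain that mimics the brand with look-alike characters; the brand-to-domain table and the homoglyph substitutions are constructed assumptions, not a vetted allow-list.

```python
"""Flag display-name spoofing and domain impersonation in a From: header.

Added example, not code from the report. The brand table below is a
constructed assumption; a real deployment would use its own vetted list.
"""
import re
from email.utils import parseaddr

# Constructed allow-list: brand keyword -> legitimate registrable domains.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "amazon": {"amazon.com"},
    "adobe": {"adobe.com", "adobesign.com"},
    "adp": {"adp.com"},
    "zoom": {"zoom.us"},
}

# Common look-alike substitutions undone before matching (0->o, 1->l, rn->m).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _normalise(text: str) -> str:
    return text.lower().translate(_HOMOGLYPHS).replace("rn", "m")


def _registrable(domain: str) -> str:
    # Assumption: the last two labels form the registrable domain
    # (no public-suffix list, so multi-part TLDs are not handled).
    parts = domain.lower().rsplit(".", 2)
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def assess_from_header(header: str) -> list:
    """Return (finding, brand) tuples; an empty list means nothing suspicious."""
    display_name, addr = parseaddr(header)
    if "@" not in addr:
        return [("malformed_address", "")]
    domain = addr.rsplit("@", 1)[1].lower()
    legit_for = {b for b, d in BRAND_DOMAINS.items() if _registrable(domain) in d}
    domain_tokens = re.split(r"[^a-z0-9]+", _normalise(domain))
    findings = []
    for brand in BRAND_DOMAINS:
        if brand in legit_for:
            continue  # genuine brand sender; nothing to flag for this brand
        # Display name invokes the brand while the mailbox lives elsewhere.
        if re.search(rf"\b{brand}", _normalise(display_name)):
            findings.append(("display_name_spoofing", brand))
        # A domain label starts with the brand name (after undoing look-alikes).
        if any(tok.startswith(brand) for tok in domain_tokens):
            findings.append(("domain_impersonation", brand))
    return findings
```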
Covid-19 was a particularly lucrative lure for attackers over the 2020-2021 period. Research by Barracuda Networks in March found that between October 2020 and November 2020, the number of vaccine-related spear-phishing attacks increased by 12%, rising to 26% by the end of January 2021.
Javvad Malik, lead security awareness advocate at KnowBe4, said that a strong security approach is the best way to protect against such attacks: “Gone are the days of the ‘Nigerian Prince’ phishing scams that were sent at random times, pitted with spelling and grammatical errors.
“Today, phishing is big business operated by sophisticated criminals who run their campaigns with as much efficiency as a well-funded marketing department.
“Many will run A-B tests on phishing campaigns to determine which one has the most likelihood of success. This includes looking at what time of day, and day of week is best to send the emails.
“It is precisely why a layered security approach is needed and people need to be provided continual security awareness and training to keep these attacks front of mind.”