Chris Moore

Gone Phishing!



In an earlier blog, I had detailed an actual email nightmare we endured earlier this year and, fortunately, navigated the landmines to rectify the problem. Like most topics, time only allows for a 30,000-foot overview, but a street-level view offers much more information and insight. So, let’s go Phishing!


Phishing: an attack that aims to trick the recipient into taking the attacker’s desired action, such as revealing financial information, system login credentials, or other sensitive information.


  • Phishing is the most common form of cybercrime, with an estimated 3.4 billion spam emails sent every day.

  • The use of stolen credentials is the most common cause of data breaches.

  • Google blocks around 100 million phishing emails daily.

  • Over 48% of emails sent in 2022 were spam.

  • Over 20% of phishing emails originate from Russia.

  • Millennials and Gen-Z internet users are most likely to fall victim to phishing attacks.

  • The average cost of a data breach against an organization is more than $4 million.

  • One whale-sized attack (whaling) can cost a business $47 million.


Unfortunately, phishing has become so commonplace and advanced that there are now several distinct phishing models.


Bulk Phishing

Bulk email phishing is the most common type of phishing attack. A scammer creates an email message that appears to come from a large, well-known legitimate business or organization—a national or global bank, a large online retailer, the makers of a popular software application or app—and sends the message to millions of recipients. Bulk email phishing is a numbers game: The larger or more popular the impersonated sender, the more recipients are likely to be customers, subscribers, or members.


Spear Phishing

Spear phishing is a phishing attack that targets a specific individual—usually a person who has privileged access to sensitive data or network resources, or special authority that the scammer can exploit for fraudulent or nefarious purposes. A spear phisher studies the target to gather information needed to pose as a person or entity the target truly trusts—a friend, boss, co-worker, colleague, trusted vendor, or financial institution—or to pose as the target individual. Social media and social networking sites—where people publicly congratulate coworkers, endorse colleagues and vendors, and tend to overshare about meetings or events or travel plans—have become rich sources of information for spear phishing research.


Business Email Compromise (BEC)

BEC is a class of spear phishing attack that attempts to steal large sums of money or extremely valuable information, such as trade secrets, customer data, and financial information, from corporations or institutions. BEC attacks are among the costliest cyberattacks.


CEO Fraud (Whaling): The scammer impersonates a C-level executive’s email account, or hacks into it directly, and sends a message to a lower-level employee instructing them to transfer funds to a fraudulent account, make a purchase from a fraudulent vendor, or send files to an unauthorized party.


Email Account Compromise (EAC): Here the scammer gains access to the email account of a lower-level employee (a manager in finance, sales, or R&D) and uses it to send fraudulent invoices to vendors, instruct other employees to make fraudulent payments or deposits, or request access to confidential data.


In 2021, the average click rate for a phishing campaign was 17.8%. More targeted spear phishing campaigns had an average click rate of 53.2%.

Phishing Statistics: USA


How You Can Prevent Phishing Attacks

1.    Keep your PC/Smartphone software up to date.

2.    Use anti-virus software.

3.    Use 2FA whenever necessary.

4.    Check the return email address of the sender, not just the name.

5.    Look for spelling or grammatical errors in emails.

6.    Keep a physical copy of your data whenever possible and backup frequently, as cloud storage and file hosting site attacks are on the rise.

7.    Do not click on an email containing an image and no text. The image may be linked to a malicious site.

8.    Use advanced Phishing, BEC and email fraud protection.

9.    If you think you got a phishing email, block the sender and forward it to the Anti-Phishing Working Group at reportphishing@apwg.org, update any security software you use and scan your system for threats.
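
Tips 4 and 7 can also be checked automatically. The script below is an added example, not part of the original post: it reads one raw email and flags a sender domain that is not on a known list, a Reply-To that points to a different domain, and a body that is only a linked image. The sample message, the function name phishing_flags and the trusted_domains list are assumptions made for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample message (not a real email): the display name claims a bank,
# the address and Reply-To point elsewhere, and the body is one linked image.
SAMPLE = """\
From: "Example Bank Support" <alerts@mail-examplebank.test>
Reply-To: collect@other-domain.test
Subject: Action required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://login.other-domain.test/"><img src="cid:notice"></a></body></html>
"""

class _BodyScan(HTMLParser):
    """Collects visible text, image count and link targets from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.images, self.links = [], 0, []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
        elif tag == "a":
            self.links.append(dict(attrs).get("href", ""))
    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())

def phishing_flags(raw, trusted_domains):
    """Return warnings for one raw message; trusted_domains is an assumed allow-list."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(str(msg.get("From", "")))      # tip 4: address, not name
    domain = addr.rpartition("@")[2].lower()
    if domain not in trusted_domains:
        flags.append(f"sender domain {domain!r} is not known (display name {name!r})")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != domain:
        flags.append(f"Reply-To {reply!r} differs from sender domain")
    body = msg.get_body(preferencelist=("html",))          # tip 7: image and no text
    if body is not None:
        scan = _BodyScan()
        scan.feed(body.get_content())
        if scan.images and not scan.text:
            flags.append(f"image-only body linking to {scan.links}")
    return flags
```

Calling phishing_flags(SAMPLE, {"examplebank.test"}) returns three warnings, one per check; a message from a listed domain with ordinary text returns an empty list.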


The 3.26 million total complaints probably represent a fraction of the total; again, this was the number of registered complaints. If the 3.26 million complaints represent a fraction of the total phishing emails, what would be the actual cost? Does the total $10.3 billion loss shown include downtime, additional security needed to protect against future recurrences and all other ancillary expenses, or does it represent only direct actual monetary loss incurred? The numbers appear to show it’s going to get worse; the following chart reflects an 82.15% spending increase for cloud-based email security worldwide from 2020 to 2028.

 

Cloud-based email security market size worldwide in 2020 and 2028 (in million U.S. dollars)


Unfortunately, these attacks are not limited only to private industry. Governments, public utilities, communications, healthcare, transportation, education, and numerous other sectors have been the target of these scams.


Imagine how much good could come if the adverse efforts and related costs incurred due to these degenerates were directed to better society as opposed to subverting it through scams. We could all go fishing more often!



About A3 Media

A3 transforms media from an expense into a smart investment. Since 1997, we have successfully helped regional businesses launch new products, expand into new markets and increase sales through media plans that make every dollar spent do more. Our clients include brands such as Yuengling and Ashley Furniture. For more information about how A3 Media can help your digital marketing efforts, please call A3 Media at (610) 631-5500.
