Phishing in 2022

The SlashNext State of Phishing Report for 2022 findings demonstrate that previous security strategies are no longer threat stopping, as bad actors increasingly launch attacks from ‘trusted’ servers as well as business and personal messaging apps. After analysing billions of link-based URLs, attachments, and messages in channels across email, mobile and browsers, found more than 255 MILLION phishing attacks so far in 2022 – a whopping 61% increase in the rate of phishing attacks, compared to 2021. It is clear that employee training for phishing is essential. 

Bad actors globally are recognising that the easiest point of attack now is the employees. The security stack is getting more and more advanced the world over, and the human layer is the most vulnerable aspect of security infrastructure. Verizon’s 2022 Data Breach investigations report states that ‘the human element continues to drive breaches.

The Human Layer of the Security Stack

The human layer continues to be the most enticing attack vector for cybercriminals. Sadly, most organisations continue to neglect this easily penetrable entry point. Throughout 2021, the world continued to see significant year-over-year increases in phishing attacks. No industry vertical, size of business or geography was immune. The Human layer was under attack in both professional settings and personal settings. Cybercriminals do not discriminate when they consider victims, as carefully constructed attacks target humans both at work and play, day, or night through various types of social engineering.

The FBI’s Internet Crime Complaint Centre, continued to receive a record number of complaints from the American public: 847,376 reported complaints, which was a 7% increase from 2020, with potential losses exceeding $6.9 billion. Additionally, business email compromise incidents accounted for 19,954 complaints with an adjusted loss of nearly $2.4 billion. And these are just the reported incidents.

Industries are grappling with how they can better develop their human defence layer to detect, protect and report suspicious actions before it’s too late and their systems are compromised. Most organisations turn first to technology as the means to combat cybercriminals, not taking into account that investing in human awareness and intervention is equally, if not more, critical. According to the Verizon 2022 Data Breach Investigations Report, 82% of all security incidents involve a human element, proving how susceptible humans can be.

Security leaders who continue to invest solely in sophisticated technology and security orchestration run the risk of overlooking a best practice proven to reduce their vulnerability: security awareness training coupled with frequent simulated social engineering testing. This approach not only helps raise the readiness level of humans to combat cybercrime, it lays the critical foundation necessary to drive a strong security culture throughout an organisation.

As the world finally begins to emerge from the grip of the COVID-19 pandemic, social engineering attacks continue to rise. The use of email, phone calls, texts, social media, and other outreach methods all work together to evade an organisation’s secure infrastructure as workforces and individuals remain more distracted and exposed than ever.

Phishing Report findings:

The SlashNext State of Phishing report’s key findings were that:

• Cybercriminals are moving their attacks to mobile and personal communication channels to reach employees. SlashNext recorded a 50% increase in attacks on mobile devices, with scams and credential theft at the top of the list of payloads.
• In 2022, SlashNext detected an 80% increase in threats from trusted services such as Microsoft, Amazon Web Services or Google, with nearly one-third (32%) of all threats now being hosted on trusted services.
• 54% of all threats detected by SlashNext in 2022 were zero-hour threats, showing how hackers are shifting tactics in real-time to improve success
• 76% of threats were targeted spear-phishing credential harvesting attacks
• The top 3 attack sectors are Healthcare, Professional and Scientific Services, and Information Technology.

Organisations must move from traditional security practices and processes, and last-generation tools to a modernised security strategy. The human firewall must receive a significant boost in training and emphasis as the last layer of protection in the security stack.  When a phishing attempt breaks through the barriers, employees need to know what to do, and how to act. This kind of training is paramount to avoid a data breach from human error. 91% of successful data breaches start with a spear phishing attack. These kinds of stats don’t lie; action needs to be taken to protect yourself, your employees, and your organisation from bad actors.

Conclusion

SITC is a KnowBe4 UK partner, and we can take you through the process of best equipping your organisation with the security awareness training, phishing test scenarios, and KnowBe4 even offer a Ransomware simulator solution. KnowBe4’s training portfolio encompasses everything you need your staff to be aware of.

As a KnowBe4 partner, we can provide free tools to show you insights into your organisations security, and demonstrate the scenarios and potential threats you face.

For Malware tools, check out the KnowBe4 Ransomware Simulator and the USB Security Test

For Password Tools, you can Check breached passwords, Check password strength, or check browser-saved passwords

KnowBe4 offers Phishing tools which you can use to Find out your employees’ phish-prone percentage, Identify phish-reply risks, or use the Phish Alert Button to allow users to report suspicious emails!

Also offered by KnowBe4, is the Domain Spoof Test, and the Mail Security Assessments

For all things KnowBe4, look no further than SITC.