57% of organisations were hit by a phishing attack last year

A new survey from the Business Continuity Institute (BCI) has found that 57% of organisations were hit by phishing attacks last year, making it the most common category of cyber threat.

The BCI Cyber Resilience Report also reports a rise in related categories. Spear phishing (in which specific companies or individuals are targeted) was used on 30% of respondents, and ransomware (which is often spread via phishing emails) was used on 18%.

Social media phishing

The BCI’s report also highlights the growing use of social media phishing. Although it isn’t yet one of the leading types of cyber attack, the report warned that it’s on the rise and catching out people who are unaware of the threat.

Social media phishing is mostly done on Facebook and Twitter, and it often involves ‘angler phishing’ – in which criminals trick users by posing as support services for certain companies. When a user messages the company with a question or complaint, the criminal swoops in via a bogus customer support account and asks the user to follow a malicious link.

Although the message will have come from a different account from the one the user messaged, this wouldn’t necessarily be cause for suspicion because companies often have separate social media accounts to handle customer queries.

The BCI reports that the number of social media phishing incidents rose by 150% last year.

Impersonated orgs risk reputational damage

The report claimed that as cyber attacks – and phishing in particular – become more commonplace, organisations face greater risks to their brand and reputation. This includes both the threat of a criminal successfully spoofing the organisation’s identity and of an employee at the organisation falling victim to a phishing attack.

“With criminals targeting global brands and small businesses alike, it is a matter of when, not if, an organisation will be affected,” the report said. “It is therefore essential to consider the reputational implications of a breach, in addition to possible revenue losses and fines. A business impact analysis may be able to pinpoint these implications, which may help in raising cyber resilience.”

Given that there’s no way to prevent all phishing attacks from reaching their targets, the only way to mitigate this risk is to make sure everyone in the organisation knows how to detect and respond to a phishing attack.

To help staff do this, IT Governance offers a Phishing Staff Awareness Course that provides everything you need to know about how phishing attacks work, how to spot them and the best practices to follow to stay secure.

Find out more about our Phishing Staff Awareness Course >>