Phishing attacks: 6 reasons why we keep taking the bait

This blog has been updated to reflect industry developments. Originally published Mar 27, 2017

Phishing attacks are a persistent threat to businesses. A staggering 90% of breaches involve phishing, according to Verizon’s Data Breach Digest.

And these attacks are on the rise – Proofpoint’s 2019 State of the Phish Report reveals that 83% of survey respondents experienced phishing attacks in 2018. That’s a 76% increase from 2017.

But what makes phishing attacks so successful? A new report from Osterman Research suggests there are six key factors to blame:


1. Users are the weakest link

Most users aren’t trained to recognise phishing attempts, and so they often fall prey to attacks by clicking on links or opening attachments in emails without considering the potential repercussions.

According to the research, 52% of users receive training no more than twice per year, and 6% of users have never received security awareness training.

The result? IT departments are not at all confident in their users’ ability to recognise incoming threats, or in their organisation’s ability to stop phishing and related attacks.


2. Organisations aren’t doing enough

Further complicating the problem, organisations aren’t doing enough to reduce the risks associated with phishing and ransomware.

The report highlights 3 key areas of weakness:

Insufficient backup processes: In the event of a ransomware attack, most organisations have insufficient backup processes. This leaves them unable to quickly restore content on servers, user workstations and other endpoints to a healthy state.

Lack of user testing: Most organisations do not have adequate procedures in place to test their users, leaving them unable to determine which staff members are the most susceptible to an attack.

Conducting a simulated phishing attack can help you establish whether your employees are vulnerable to phishing emails, enabling you to take immediate remedial action to improve your cyber security posture.

BYOD security risks: Many organisations lack a BYOD (Bring Your Own Device) policy – allowing corporate data and system resources to be accessed through insecure means.


3. Criminal organisations are well funded

The criminal organisations committing cyber crime are generally very well funded.

As a result, they have the technical resources to continually release increasingly effective variants of their malware.


4. Cyber criminals are shifting their focus

The availability of stolen data on the Dark Web has decreased its commercial value.

The price of a payment card record dropped from $25 in 2011 to $6 in 2016, so cyber criminals have had to focus on new ways to earn as much as they did in the past.

Consequently, they have found a fruitful source of funds in information-holders, whom they target through phishing and ransomware attacks.

Afraid of losing their data, information-holders wouldn’t think twice before paying what criminals demand.


5. Phishing tools are low-cost and widespread

There are an increasing number of tools designed to help amateurs with little IT knowledge become “hobbyist” phishers and ransomware authors.

The availability of phishing kits and the rise of ransomware-as-a-service (RaaS) have resulted in an explosion of ransomware and other exploits coming from an ever-growing network of amateur cyber criminals.


6. Malware is becoming more sophisticated

Over time, phishing and various types of malware have become more sophisticated.

The problems of phishing, spearphishing, CEO fraud/BEC and ransomware are simply going to get worse without appropriate solutions and processes to defend against them.


Protect your organisation against phishing

Educated and informed employees are your first line of defence. Empower them to make better security decisions with our complete staff awareness e-learning suite.

A cost-effective way of managing all your staff awareness training in one place, the complete suite contains eight e-learning courses to help you transform your employees from threats to assets.

Included in the complete suite is the Information Security and Cyber Security Staff Awareness E-Learning Course.

Take control of your employees’ security behaviour