
Cyber Security Trends: State of the Phishing Threat in 2023

  By Jon Cullum

The latest cyber security trends demonstrate that phishing attacks are on the rise

According to the UK government's Cyber Security Breaches Survey 2022, 39% of UK businesses identified a cyber attack in the previous 12 months, and 31% of those estimated that they were attacked at least once a week.  Cyber security trends show that phishing, in particular, continues to rise: around the world, 81% of organisations report an increase in email phishing attacks since March 2020.  In the third quarter of 2022 the Anti-Phishing Working Group (APWG) observed 1,270,883 phishing attacks, a new record and the worst quarter for phishing that APWG had ever recorded.

Financial costs and consequences

According to IBM’s 2022 Cost of a Data Breach Report, the global average cost of a data breach reached an all-time high of $4.35 million, an increase of 2.6% on the $4.24 million reported the year before.  Phishing was the costliest initial attack vector, at $4.91 million per breach.  The use of stolen or compromised credentials remained the most common initial attack vector and took the longest to identify and contain, at 327 days; breaches that started this way cost about $150,000 more than the average breach.  The report also found that breaches identified and contained sooner cost less, so time saved in identifying a breach is money saved.

Don’t be complacent – Have a plan in place to stop different types of phishing

Despite the increase in cyberattacks overall and phishing attacks in particular, and given the potential financial consequences of a data breach, only 19% of UK businesses had a formal incident response plan in place.  In October 2022 the UK Information Commissioner stated that the “biggest cyber risk is complacency, not hackers”, after a construction company was fined £4.4 million for failing to have sufficient security in place to prevent a phishing email from leading to a breach of employee data.

Lack of awareness is a large contributing factor, since phishing manipulates users into handing information to cybercriminals themselves.  According to Verizon’s 2022 Data Breach Investigations Report (DBIR), 82% of breaches involved the human element, which covers social engineering such as phishing, the use of stolen credentials, misuse and simple error.

Be aware of these types of Phishing in 2023

Phishing email, or not a phishing email?  Emails from trusted suppliers – It is getting harder and harder to spot a phishing email, especially when it arrives through a service you use and trust, such as Google, Amazon or Microsoft.  Cybercriminals host phishing pages and lures on these services, and in early 2022 Microsoft warned that Office 365 users had been tricked into consenting to a malicious OAuth app called “Upgrade”.  This kind of “consent phishing” never asks for a password: the permissions the user grants are enough to let the attackers read and send email, access contacts and calendars and create inbox rules, and the grant survives a password reset until an administrator revokes it.
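As an added example (not code from the original article, and not Microsoft's tooling), the following Python script scores OAuth consent grants the way a defender would hunt for an app like “Upgrade”: it weighs the mailbox permissions granted, whether the app can both send mail and create inbox rules, whether it asked for persistent access, whether the publisher is verified, and whether an end user rather than an admin consented. The audit-log lines are constructed for this example and their field names are assumed, not a real log schema; the permission names are Microsoft Graph delegated permission names, but grouping them as mailbox-takeover scopes, the weights and the threshold are this example's own choices.

```python
import json
from collections import defaultdict

# Delegated Microsoft Graph permission names that, combined, give an app the mailbox
# access the "Upgrade" app was reported to have: read and send mail, read contacts and
# calendars, and change mailbox settings (inbox rules are mailbox settings).
# The names are Microsoft Graph's; grouping them as "takeover" scopes is this example's own.
MAILBOX_TAKEOVER_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "MailboxSettings.ReadWrite",
    "Contacts.Read", "Contacts.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite",
}

# Constructed sample of consent-grant events as JSON lines. The field names are an
# assumption made for this example, not the schema of any real audit log.
SAMPLE_LOG = """\
{"time": "2022-01-18T09:12:04Z", "user": "alice@example.com", "app": "Upgrade", "app_id": "11111111-1111-1111-1111-111111111111", "publisher_verified": false, "consent_type": "user", "scopes": ["Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite", "Contacts.Read", "Calendars.Read", "offline_access"]}
{"time": "2022-01-18T09:40:51Z", "user": "bob@example.com", "app": "Expense Reports", "app_id": "22222222-2222-2222-2222-222222222222", "publisher_verified": true, "consent_type": "admin", "scopes": ["User.Read", "Files.Read"]}
{"time": "2022-01-18T11:03:19Z", "user": "carol@example.com", "app": "Upgrade", "app_id": "11111111-1111-1111-1111-111111111111", "publisher_verified": false, "consent_type": "user", "scopes": ["Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite", "offline_access"]}
{"time": "2022-01-19T08:15:00Z", "user": "dave@example.com", "app": "Calendar Widget", "app_id": "33333333-3333-3333-3333-333333333333", "publisher_verified": true, "consent_type": "user", "scopes": ["Calendars.Read"]}
"""


def score_consent(event: dict) -> tuple[int, list[str]]:
    """Score one consent grant; a higher score means it looks more like consent phishing."""
    scopes = set(event.get("scopes", []))
    score, reasons = 0, []

    takeover = sorted(scopes & MAILBOX_TAKEOVER_SCOPES)
    if takeover:
        score += len(takeover)
        reasons.append("mailbox scopes granted: " + ", ".join(takeover))

    # Sending mail plus editing mailbox settings is the BEC toolkit: send from the
    # victim's mailbox, then add a rule that hides the replies.
    if "Mail.Send" in scopes and "MailboxSettings.ReadWrite" in scopes:
        score += 2
        reasons.append("can send mail and create inbox rules")

    # offline_access yields a refresh token, so the app keeps access after the user
    # closes the browser; the grant itself persists until an admin revokes it.
    if "offline_access" in scopes:
        score += 1
        reasons.append("offline_access: persistent access via refresh token")

    if not event.get("publisher_verified", False):
        score += 2
        reasons.append("publisher not verified")

    if event.get("consent_type") == "user":
        score += 1
        reasons.append("granted by end-user consent, not reviewed by an admin")

    return score, reasons


def parse_events(log_text: str) -> list[dict]:
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def flag_consents(log_text: str, threshold: int = 5) -> list[dict]:
    """Return the grants scoring at or above the threshold, in log order."""
    flagged = []
    for event in parse_events(log_text):
        score, reasons = score_consent(event)
        if score >= threshold:
            flagged.append({"user": event["user"], "app": event["app"],
                            "app_id": event["app_id"], "score": score, "reasons": reasons})
    return flagged


def users_per_app(log_text: str) -> dict[str, int]:
    """Distinct users who consented to each app: several users consenting to the same
    unknown app within hours is the signature of a consent-phishing campaign."""
    users = defaultdict(set)
    for event in parse_events(log_text):
        users[event["app_id"]].add(event["user"])
    return {app_id: len(u) for app_id, u in users.items()}


if __name__ == "__main__":
    for hit in flag_consents(SAMPLE_LOG):
        print(f"{hit['score']:>2}  {hit['user']:<20} {hit['app']}")
        for reason in hit["reasons"]:
            print("      -", reason)
    print("distinct users per app:", users_per_app(SAMPLE_LOG))
```

On the constructed log the two “Upgrade” grants score 11 and 9 and are flagged, while the admin-consented expense app and the single-scope calendar widget are not. Because consent phishing steals no password, a password reset does not remove the attacker's access; remediation is revoking the app's permissions in the tenant, and prevention is restricting which apps end users may consent to without admin review.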

Taking advantage of events – We saw this during the pandemic, with emails that appeared to come from HMRC about business loans, or from the NHS.  Cyber criminals equally exploit news events, such as Twitter's announcement in late 2022 that verification would require payment.  Soon after the announcement a fraudulent email was sent to users warning them to pay a monthly fee or fill in a form to confirm their details, or else lose their verified status.  The email contained typos and suspicious wording, but people were still persuaded in their haste to “verify” their account.

Spear Phishing – In January 2023 the UK National Cyber Security Centre (NCSC) issued a warning about ongoing spear-phishing campaigns from Russia-based and Iran-based actors.  Of the different types of phishing, “spear phishing” is the biggest concern.  Spear phishing is phishing aimed at specific individuals, built from details they have put online on Facebook or LinkedIn or that appear on their employer’s website.  Because the email carries recognisable details about the recipient (such as name, employer and colleagues), it is much more likely to succeed than a generic lure.  

Spear phishing can be used to trick victims into making payments or sending sensitive data.  In its Q2 2022 report, APWG reported that one of its members had found the number of wire transfer “business email compromise” (BEC) attacks had increased by 59% compared with the previous quarter.  So, whilst government departments may be the subject of state-backed spear phishing, businesses are also at risk of scams involving fee fraud, payroll diversion and wire transfers, as well as the leaking of personal credentials.
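To make the spear-phishing and BEC indicators above concrete, here is an added Python example (not part of the original article) that parses one raw email and reports the classic signs a finance team should look for: a display name matching a senior person but sent from an external domain, a sender domain that is a lookalike of the organisation's own, a Reply-To that diverts replies elsewhere, and urgency or secrecy wording. ORG_DOMAIN, PROTECTED_NAMES, the homoglyph list, the edit-distance threshold, the cue words and both sample messages are assumptions constructed for this example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domain, and a small directory of
# people whose names an attacker is most likely to borrow (CEO, CFO, finance staff).
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe", "sam patel"}

# Substitutions commonly used to build lookalike domains; two-character ones go first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Wording typical of payment-fraud lures; a coarse signal on its own.
PRESSURE_CUES = ("urgent", "wire transfer", "new bank details", "gift card", "confidential")


def normalise_domain(domain: str) -> str:
    """Lower-case a domain and collapse the common homoglyph substitutions."""
    d = domain.lower()
    for look, real in HOMOGLYPHS:
        d = d.replace(look, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats such as exannple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, org: str = ORG_DOMAIN, max_edits: int = 2) -> bool:
    d, o = domain.lower(), org.lower()
    if d == o:
        return False
    return normalise_domain(d) == normalise_domain(o) or levenshtein(d, o) <= max_edits


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyse(raw_message: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means no signal."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. The visible name is one of ours but the address is not.
    if from_name.strip().lower() in PROTECTED_NAMES and from_domain != ORG_DOMAIN:
        findings.append(f"display-name impersonation: '{from_name}' sent from {from_domain}")

    # 2. The sender domain is a near-copy of our own.
    if from_domain and is_lookalike(from_domain):
        findings.append(f"lookalike domain: {from_domain} resembles {ORG_DOMAIN}")

    # 3. Replies are quietly redirected somewhere other than the visible sender.
    reply_domain = domain_of(parseaddr(str(msg["Reply-To"] or ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to mismatch: replies go to {reply_domain}, not {from_domain}")

    # 4. Urgency and secrecy wording in the subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject'] or ''} {body.get_content() if body else ''}".lower()
    cues = [c for c in PRESSURE_CUES if c in text]
    if cues:
        findings.append("pressure cues: " + ", ".join(cues))

    return findings


# Constructed sample messages for the example (not real mail).
PHISH_SAMPLE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: finance@example.com
Subject: Urgent wire transfer before 5pm
Content-Type: text/plain; charset="utf-8"

Hi, I am in a meeting and cannot talk. Please process an urgent wire transfer
to the new bank details below and keep this confidential until I confirm.
"""

LEGIT_SAMPLE = """\
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Board pack for Thursday
Content-Type: text/plain; charset="utf-8"

Please find the board pack attached for Thursday's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyse(sample) or ["no findings"])
```

These are heuristics on the message as received and belong alongside SPF, DKIM and DMARC results rather than in place of them; a positive result should trigger out-of-band verification of any payment request by phone or in person, which is the control that actually stops BEC.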

Find out more about the different types of phishing attack in our Spot the Phish quick guide.

AI generated content – One for the future, maybe?  Or perhaps not that far off.  There has been a lot of coverage of, and concern about, ChatGPT.  Whilst AI platforms such as ChatGPT help us research and write more efficiently, they are equally available to cyber criminals to draft and polish their phishing emails.  Poor or unusual English has often been the easiest tell for a phishing email, but with AI it is possible to generate well-written, convincing content in any language, so businesses can be impersonated with more success.  The practical consequence is that spelling and grammar can no longer be relied on as a warning sign; checking the sender’s actual address and verifying any payment or credential request out of band matter more than ever.

Only big companies are subject to phishing attacks, right?

Small and medium sized businesses are just as likely to experience a cyber attack as large businesses, and they often lack the infrastructure, budget and staff to protect against attacks adequately.  In January 2022 BDO United Kingdom found that eight in ten (84%) mid-sized businesses had been affected by fraud in 2021 and that almost a third had suffered security breaches through cyber-attacks.

Putting cyber security awareness to the fore

Lack of board-level expertise and knowledge about cyber security trends is a barrier to IT departments getting funding for cyber security, and this leads to a reactive approach.  This was a finding of the Cyber Security Breaches Survey 2022, which noted a “lack of serious understanding of the risks outside of specialist staff” and that in smaller organisations “little proactive action was taken on cyber security driven by lack of internal knowledge and competing priorities with their budgets”.  Phishing, however, is not just an IT issue.  Because phishing plays on human nature to gain access, phishing awareness is needed for all staff, not just the board.

Larger organisations seem to have a better handle on phishing awareness training.   According to the survey,  61% of large firms said they have offered this training in the past 12 months.  However, in micro and small businesses and charities with an income below £100k, the figure was only 16%.  In the 12 months prior to the Cyber Security Breaches Survey 2022 only 17% of businesses and 19% of charities had provided training or awareness raising sessions specifically for people not directly involved in cyber security.

In the Cyber Skills in the Labour Market Report the UK Department for Digital, Culture, Media & Sport found that “companies outside of the cyber sector were clamouring for more guidance on the kinds of training and awareness raising activities that would have the most impact on their wider staff”.

Companies are looking for interactive and practical cyber security training activities, which are considered to have more impact, along with quizzes as part of the training.  Showing what the different types of phishing email look like today and running mock phishing exercises were also rated among the most effective measures by the companies surveyed.  In our blog “6 Steps to Cyber Security Awareness across your Organisation” we look at how you can build a successful cyber security education and awareness programme and make sure everyone is on board, so that it becomes part of your business’ everyday culture.

Reviewing the cyber security trends over the past year, one thing is for sure, the risk of cyber-attacks and the increasing number of phishing attempts is not going to go away in the future.  So, putting a plan in place to make sure that all your employees (including the board) are aware of the risks of phishing is imperative…not just in a one off training session this year, but continuous interactive training throughout the year supported by ongoing phishing email simulations to make sure that your staff are well-prepared.  You can’t “patch” people, but with the right IT tools and a cyber security awareness programme in place you can minimise the risks and downsides that phishing brings with it.

Want to find out more?  Check out the other School of Phish blogs and watch the videos to find out how you can bring IT tools and employee cyber security awareness skills together to help stop phishing attacks taking hold in your organisation.

School of Phish

You’re 100% covered with a fully managed anti-phishing service

Anti-Phishing Service

View our Services
