2018’s Primary Breach Actors Were Malicious Outsiders

According to a Whitepaper by security firm Tripwire, “2018’s primary breach actors were malicious outsiders. They were behind 56 percent of all breaches, followed by

  • accidental loss at 34 per­cent,
  • malicious insiders at 7 percent,
  • hacktivists at 2 percent, and
  • the remain­ing 1 percent falling into unknown.”

So, a majority of beaches come from outside the organization. What we know about external attacks is that somewhere between 91% and 93% of all cybercrimes and cyber-attacks start with a phishing email. From this we can conclude that in 2018, a majority of breaches were initiated by a phishing email. And what were those breaches mostly interested in? Identity theft.

 

Phishing Surpasses Ransomware Attacks in 2018

According to research detailed in the new 2019 State of the Phish report, “last year saw a 65% increase in enterprises compromised by phishing attacks, with credential compromises rising by more than 70% to become the most commonly experienced attack in 2018.”

This increase in phishing attacks now means it’s more prevalent than ransomware as a threat to organizations. This was confirmed in the report which claimed that, “83% of IT professionals surveyed said they experienced phishing attacks in 2018.”

 

Artificial Intelligence Will Dramatically Improve Phishing Attacks

A Security Week article discusses the DeepPhish Project in which artificial intelligence (AI) was used to by-pass anti-phishing defenses. According to the article, “attackers are already beginning to use their own AI—and this will swing the advantage back to the attacker.”

DeepPhish is the name given to the potential malicious use of AI to aid criminal phishing campaigns. The result of the project was astonishing. Fraud effectiveness at defeating current defenses increased by 3,000%, from 0.69% to 20.9%.

From the article, “The implication, at least in the short term, is that if bad actors develop new AI-enhanced attacks in other areas, they will achieve increased success until defenders produce their own response to the new attacks.”

 

Phishing Education Providers Have Been Too Successful

Siggi Stefnisson of Security Week said what we’ve been saying all along: phishing training is a tool not a solution. In a recent article, Siggi laments that phishing education providers have been so successful at marketing their services, “they’ve convinced many that the job of protection should be shifted to the user.” Unfortunately the reality is much different.

Everyone agrees that training is good, but not at the expense of protection technology.

According to one quote in the article which really puts things in perspective, “A CIO at a large company told me recently that he feels that 40 percent of his users will click on anything.”

The article further points out thateven when an alert user does their duty, the phish may still happen, because we’ve already entered the realm of possible human error.” Effective email security is about layers, with phishing education just one of those layers.

 

Evasive Phishware is on the Rise

“Evasive phishing is not a term much heard,” according to an article on Security Week. But the expectation is that it will be. The article added, “evasive phishing is about techniques to hide phishing infrastructure—principally web sites—from security systems and phishing URL crawlers.”

Evasive phishing tactics tend to fall into one of two categories:

1) blocking security systems or

2) blocking access from security bots and crawlers.

According to research on phishing kits, 87% contain at least one evasive technique. One of the main areas of emphasis for these phishing kits was spoofing the Office 365 login page. It is just one more reminder why Office 365 users are so vulnerable to phishing.

The bottom line is this: not only is phishing not going away, but cyber attackers are now taking advantage of the most sophisticated technologies and techniques to perpetrate their attacks. It has never been more challenging to protect your organization from such attacks. Most companies need help. Let us help you.