Sophos has released new research titled Phishing Insights 2021, revealing how organisations around the world experienced and understood phishing in 2020. The results show that phishing attacks spiked during the pandemic, as millions of work-from-home employees became a prime target for cybercriminals.
Of the 5,400 IT decision makers polled across 30 countries, 70% of IT teams reported an increased number of phishing emails hitting their employees in the span of 2020. For organisations struck by ransomware during the year, this number rose to 82% of IT teams.
While most (97%) of Singaporean organisations run cybersecurity awareness programs to address phishing, Sophos finds that many are still unable to agree on what exactly phishing is, and that awareness and education are still lacking.
Many IT professionals are still unable to agree on a single definition of phishing; 73% of respondents believe it to be “emails that falsely claim to be from a legitimate organisation, usually combined with a threat or request for information.” Meanwhile, approximately two-thirds consider emails with a malicious attachment to be phishing, and more than one-third think threadjacking (when attackers insert themselves into a legitimate email thread as part of an attack) is phishing.
These results reveal that phishing awareness and education programs need to take into account the wide range of perceived phishing definitions and include training for non-technical employees that explains the different facets of phishing and email attacks in general. Chester Wisniewski, principal research scientist at Sophos, underscores the importance of this.
He says, "Phishing has been around for over 25 years and remains an effective cyberattack technique. One of the reasons for its success is its ability to continuously evolve and diversify, tailoring attacks to topical issues or concerns, such as the pandemic, and playing on human emotions and trust.
Example of how phishing can escalate into a multi-million dollar cybersecurity attack. (Source: Sophos)
"The temptation for organisations is to see phishing attacks as a relatively low-level threat, but that underestimates their power. Phishing is often the first step in a complex, multi-stage attack. According to Sophos Rapid Response, attackers frequently use phishing emails to trick users into installing malware or sharing credentials that provide access to the corporate network. The team has seen at first-hand how a seemingly innocuous email can ultimately lead to a multi-million-dollar ransomware attack. Cryptojacking, data - and even financial - theft are all potential outcomes after a phishing attack has opened a door for adversaries.
"The ideal would be to prevent phishing emails from ever reaching their intended recipient. Effective email security solutions can go a long way towards achieving this, but this should be complemented by alert and primed employees who are able to spot and report suspicious messages before they get any further."