According to a new Sophos investigation, which polled 5,400 IT decision-makers from 30 countries across Europe, America, Asia-Pacific and Central Asia, the Middle East, and Africa, all sectors were affected by phishing attacks, with central administration registering the biggest increase (77%), followed by business (76%) and healthcare (73%).
A new investigation carried out by Sophos reveals that phishing attacks targeting organizations increased considerably during the pandemic, as the millions of employees telecommuting became the main target for cyber attackers.
Data from the Phishing Insights 2021 report reveal that the vast majority of IT teams (70%) say the number of phishing emails reaching their employees increased in 2020. The figure rises to 82% among organizations that suffered ransomware attacks during the year.
According to the investigation, where 5,400 IT decision makers from 30 countries in Europe, America, Asia-Pacific and Central Asia, Middle East and Africa were surveyed, all sectors were affected by phishing attacks, with the central administration registering the biggest increase (77%), followed by business (76%) and healthcare (73%).
While there is little variation by sector, the study shows a considerable difference by country in the phishing attacks reported since the onset of the public health crisis. For example, 90% of organizations surveyed in Israel reported an increase in the number of attacks. By comparison, only 57% of Italian companies reported the same situation.
Experts at the cybersecurity company indicate that the phenomenon can be explained in part by the fact that various groups of cybercriminals focus their attention on countries with a higher GDP to maximize the profit from their attacks.
Another factor at stake is the lack of consensus on the definition of phishing. The most common definition, selected by 57% of respondents, is “emails falsely claiming to be sent by a legitimate organization, usually combined with a threat or a request for information”.
Meanwhile, 46% of respondents consider Business Email Compromise (BEC) attacks to be phishing, and 36% believe that threadjacking, i.e. when attackers insert themselves into a legitimate email conversation as part of an attack, should also be considered phishing.
The report details that 90% of organizations have cybersecurity awareness programs focused on phishing attacks. However, researchers emphasize that phishing education and awareness programs must consider the wide range of commonly accepted concepts, including training for non-technical contributors that is able to explain the different facets of phishing and email attacks.
“Phishing has been around for over 25 years and continues to be an effective cyber-attack technique,” said Chester Wisniewski, Principal Research Scientist at Sophos, in a statement. “One of the reasons for its success is its capacity for constant evolution and diversification, adapting attacks to certain issues or concerns, such as the case of the pandemic, and taking advantage of human emotions and trust.”
The official emphasizes that organizations cannot underestimate the power of these attacks or treat them as low-risk threats. “Phishing is often the first step in a complex, multi-phase attack,” he says, adding that the company has seen firsthand how “seemingly innocuous emails can lead to multi-million dollar ransomware attacks,” as well as to cases of cryptojacking and data theft.
Thus, Sophos indicates that the ideal is to prevent phishing emails from ever reaching their recipients. Effective email security solutions certainly help, but they must be complemented by prepared and attentive employees, capable of detecting and reporting suspicious messages before they get any further.