Research: Corporate Phishing Incidents Cost $4.3M to Investigate per Year
Phishing remains the top attack vector of choice for cybercriminals, resulting in 23,000 incidents per organization annually, according to respondents in a new survey. Organizations spend on average $4.3 million to investigate phishing incidents.
Attacks leveraging account takeover (ATO) now comprise 20 percent of advanced email attacks, according to the Q1 2019 Email Fraud & Identity Deception Trends report by Agari. In an ATO attack, compromised accounts seem legitimate to email filters and end users alike because they are sent from a real sender’s email account, making ATO attacks more difficult to detect than traditional attacks. ATO attacks are also lucrative, as they target high-profile employees (i.e. CFOs) and open the door to fraud.
Impersonation was the most common attack vector in Q4 2018. It was used in 50% of advanced email attacks, with Microsoft impersonated in 70% of these instances. Other popular impersonations include Amazon, the Internal Revenue Service (IRS), FedEx, and Neflix.
“Microsoft is a common target for credential phishing because Office 365 accounts can be used in subsequent ATO attacks,” according to the report.
33% of advanced email attacks against C-level employees use display name deception that impersonates an individual, a common tactic for business email compromise (BEC). The IRS was impersonated in about one in ten attacks. Criminals use phishing emails and social engineering to request a corporation’s W-2 files, which contain social security numbers, salaries and other confidential data that can be used to commit tax fraud or identity theft.
Employees report on average 23,053 phishing incidents per year, but researchers are careful to point out that 50% are typically false positive reports. The toll is still substantial, though. Responding to a phishing incident takes around six hours and costs $253 per phishing incident on average. That translates into more than $4.3 million per year in Security Operations Center (SOC) costs required to triage, investigate and remediate phishing incidents, researchers said.
*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Filip Truta. Read the original post at: http://feedproxy.google.com/~r/BusinessInsightsInVirtualizationAndCloudSecurity/~3/wN_XUsgeSms/research-phishing-incidents-cost-4.3m-to-investigate-per-year
