Phishing Growing in Numbers, Sophistication and Cost

Just about everyone using email has encountered phishing. Phishing emails pretend to be from reputable companies or trusted coworkers and either attempt to convince recipients to click on links or attachments that introduce malware onto their systems or try to get them to divulge login passwords and other private information. For organizations, phishing is often the first step in a ransomware attack or advanced persistent threat (APT) that can live on the network for months, stealing valuable private customer information or intellectual property. According to Verizon’s 2021 Data Breach Investigations report, 25% of all data breaches involved phishing.

In other cases, a phishing email may not have any link or attachment but instead try to convince the recipient to pay a fake invoice or change customer or employee account details, an exploit known as a business email compromise (BEC) attack.

Phishing has been around for decades, long enough for users to become familiar with how it works. Companies run extensive security education programs that teach users how to recognize phishing and what to do when they encounter a phishing email. Yet a certain number of users continue to fall for the attacks, making phishing one of the most effective attack strategies.

A recent survey report from Osterman Research, The Business Cost of Phishing, shows the problem for organizations isn’t going away any time soon. In fact, organizations should expect to be plagued by phishing over the next several years, not only in growing numbers of attacks but in growing sophistication.

Aside from the millions of dollars it costs companies in data breaches and ransomware, the report showed that phishing takes up significant IT resources, which translates into time and money that could be better spent using technology to improve the business.

Consider these takeaways from the Osterman report.

Phishing is a Threat

Fully one-third of organizations surveyed said that current levels of phishing represent a “threat” or “extreme threat.” This figure is down from the previous year’s 43%, but the latter figure likely reflects trepidation from the move to remote work during the height of the Covid-19 epidemic, when organizations were scrambling to secure thousands of work-at-home users. Even as users start returning to the office, the report expects the threat level to increase again for several reasons.

Four out of five respondents indicated that the dynamics and sophistication of attacks, and the ability of phishing attacks to bypass common detection mechanisms, had gotten worse or stayed the same over the previous year. This trend is likely to continue because the most common tools, such as Defender for Microsoft Office 365, are readily available for attackers to test their exploits against.

Half of the respondents cite three trends as highly concerning: polymorphic attacks, which vary each phishing email slightly to avoid detection by tools that rely on signatures; the use of compromised account credentials to create a level of trust and rapport and to bypass security tools focused on external threats; and advanced obfuscation methods, such as nesting payloads and bad links, so that defenses must evaluate messages at several points in their lifecycles.
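As an added illustration of the first trend (this code is not from the post or the Osterman report), the snippet below checks a known lure, two slightly varied copies of it and one legitimate message against an exact-hash signature and then against a normalized phrase-similarity score; the messages, the 0.25 threshold and all function names are constructed for this example.

```python
import hashlib
import re

# Constructed samples (not from the Osterman report): one known phishing lure,
# two "polymorphic" variants of it, and one unrelated legitimate message.
KNOWN_LURE = "Your mailbox is almost full. Verify your account at http://example.test/login today."
VARIANT_PUNCT = "Your mailbox is almost full! Verify your account at http://example.test/login today."
VARIANT_REWORD = "Your mail box is nearly full. Please verify your account at http://example.test/login now."
LEGIT_MAIL = "Reminder: the quarterly report is due Friday. Thanks, Dana."


def signature(body):
    """Exact-match signature: the SHA-256 of the raw message body."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def shingles(body, k=3):
    """Normalize the body (lowercase, punctuation and URL separators stripped,
    whitespace collapsed) and return its set of word k-grams."""
    words = re.sub(r"[^a-z0-9\s]", " ", body.lower()).split()
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def similarity(a, b):
    """Jaccard similarity of two messages' shingle sets, in [0.0, 1.0]."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb) if (sa or sb) else 1.0


def signature_hit(known, candidate):
    """Signature detection: fires only on a byte-identical copy of the lure."""
    return signature(known) == signature(candidate)


def similarity_hit(known, candidate, threshold=0.25):
    """Similarity detection: fires when enough normalized phrasing is shared.
    The threshold is a placeholder value; tune it on real mail traffic."""
    return similarity(known, candidate) >= threshold


if __name__ == "__main__":
    for name, msg in [("punctuation variant", VARIANT_PUNCT),
                      ("reworded variant", VARIANT_REWORD),
                      ("legitimate mail", LEGIT_MAIL)]:
        print(f"{name:20s} signature={signature_hit(KNOWN_LURE, msg)!s:5} "
              f"similarity={similarity(KNOWN_LURE, msg):.2f} "
              f"flagged={similarity_hit(KNOWN_LURE, msg)}")
```

A single changed punctuation mark already defeats the hash signature while leaving the normalized similarity at 1.0; the reworded copy drops to 0.3, which shows why the threshold, not the signature, is the tuning knob for this class of attack.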

Addressing it is Costly

The result of this increased threat and growing sophistication is that more IT manpower and resources are needed to address phishing attempts. The report creates a composite IT and security professional from the various roles in organizations involved in addressing the phishing epidemic, with total compensation of $136,528 in salary and benefits. It then estimates the average time spent addressing a single phishing email at 27.5 minutes, which translates into a cost in salary of $31.32.

Considering the hundreds or thousands of malicious emails organizations address every year, the total cost is considerable—about a third of the working hours of the average IT and security team, or $45,726 of the annual salary of one IT staffer. Multiply that by five or 10 IT or security professionals and it adds up to $228,630 or $457,260 in salaries and benefits.

Respondents don’t expect those numbers to improve. Fully 67% expect the time spent on phishing per week to increase or stay the same.

Phishing is Spreading in Organizations

The bad news is that while organizations focus on malicious emails, phishing is spreading to other categories, such as messaging, file-sharing platforms such as Google Drive, text messaging services and even video conferencing via deepfake voices. At least half of respondents claimed they had already seen phishing attacks in the first three. Since IT tools and professionals don’t have a lot of experience with these types of phishing exploits, one can expect the average time and money spent on addressing each attempt to increase as these new types of attacks grow.

The undeniable conclusion is that phishing will continue to plague organizations for years to come, taking up too much IT time and money that should be spent on digital transformation and other initiatives that enhance the business and its competitive advantage. Organizations will need to upgrade their tools and strategies for addressing more numerous and sophisticated phishing attacks and their consequences.

Ian Thomas

Ian Thomas, Vice President of Product Marketing, is responsible for all messaging, positioning, and content at IRONSCALES. Prior to joining IRONSCALES, he served in Product Marketing roles at a number of industry-leading MSSPs and MDRs, including Verizon, IBM, Cognizant, Alert Logic, and BlueVoyant. Ian holds a Bachelor of Science degree in Economics from the U.S. Naval Academy and an MBA from Purdue University.
