Despite the plethora of advanced techniques cybercriminals have at their disposal, the most effective tool of their trade relies largely on psychological manipulation. We’re talking about phishing, a type of social engineering that’s at least partially responsible for every third data breach, according to the Verizon 2021 Data Breach Investigations Report.
Phishing is so common that your spam folder very likely contains hundreds of its examples. But what makes this widespread, low-effort threat so effective? As always, it’s a combination of different factors. Let’s explore them.
5 Reasons Why Phishing Scams Continue to Be Effective
1. Humans Are the Weakest Link in the Cybersecurity Chain
Many organizations that are happy to spend a lot of money on security tools like firewalls, virtual private networks (VPNs), or endpoint detection and response (EDR) completely overlook the weakest link in the cybersecurity chain: their employees.
Indeed, a survey by Mimecast reveals that only 45 percent of organizations provide employees with mandatory, formal cybersecurity training, and other similar surveys report figures that are just as alarming.
Employees who are not familiar with the tactics and techniques commonly deployed by phishers are more likely to click a malicious link or download a malware-infected attachment when busy with daily work.
That’s why all employees should be trained to recognize phishing emails and messages, preferably by cybersecurity professionals who can provide plenty of real-world examples and, if desired, organize mock phishing exercises.
2. Phishers Keep Evolving Their Tactics
Early phishing scams involving Nigerian princes seem almost laughable now, and most employees likely wouldn’t fall for them. But those scams are as antiquated as CRT monitors, and they bear little resemblance to what phishers send today.
Modern phishing scams are highly targeted and supported by weeks and sometimes months of reconnaissance. Instead of grammatically incorrect emails from random senders, they involve seemingly legitimate emails coming from known addresses.
Phishers are also not afraid to use the phone to conduct so-called vishing (voice phishing) attacks, and artificial intelligence and machine learning techniques even let them impersonate someone’s voice.
The evolving nature of phishing, once again, highlights the need for effective cybersecurity awareness training.
3. Many Organizations Don’t Expect to Be Phished
Even though small and medium-sized businesses (SMBs) have become the primary targets of cybercriminals, two-thirds (66 percent) of business leaders at companies with up to 500 employees still don’t believe they will be targeted.
Such leaders live in the past, not realizing that even small and medium-sized businesses now store a wealth of sensitive data that can be sold on the dark web or held hostage during a ransomware attack.
SMBs are also sometimes targeted as stepping stones to attacks on larger corporations, namely their business partners. While such attacks may not cause the SMB direct financial damage, they always cost the breached business its reputation.
4. Phishing Tools Have Become Readily Available
In the early days of the internet, cybercriminals were largely lone wolves who used their deep knowledge of technology to breach poorly protected systems, often motivated by their curiosity. Present-day cybercriminals are motivated almost exclusively by profit and supported by an entire ecosystem of cybercriminal services.
For example, highly sophisticated phishing kits can now be purchased by virtually anyone on the dark web and used to orchestrate large-scale phishing campaigns without much technical knowledge. It’s similarly easy for cybercriminals to obtain long lists of email addresses belonging to employees working for specific companies.
We should also mention the increasing availability and affordability of ransomware-as-a-service, a subscription-based model that enables phishers to take their attacks to the next level using already-developed ransomware tools.
5. Organizations No Longer Have a Clear Perimeter
To increase their productivity, most organizations have, to a greater or lesser extent, migrated to the cloud and embraced the hybrid work model, allowing employees to work flexibly from different locations, often using a mix of work and personal devices.
All these changes in the way we work have blurred the traditional network perimeter and made perimeter-based defense mechanisms obsolete.
With no moat around the castle, organizations are forced to adopt a new cybersecurity model, one that focuses on the protection of individual endpoints, including desktop computers, laptops, mobile devices, and network equipment.
Protect Your Organization Against Phishing
Just because phishing scams continue to be highly effective and responsible for a large number of data breaches doesn’t mean that you have to be their next victim.
We at TechGen can help you educate your employees and implement a tailored mix of policies and controls to make your organization more resilient against phishing attacks. Contact us to strengthen your cybersecurity defenses.