Nine in 10 enterprises fell victim to successful phishing in 2022


Egress' annual email security risk report breaks down the impacts of email-based phishing attacks and data loss, and the effect these can have on organisations in terms of staff retention and morale

By

  • Sebastian Klovig Skelton,
    Senior reporter

Published: 07 Mar 2023 15:00

Email security firm Egress finds that 92% of organisations have fallen victim to a successful phishing attack in their Microsoft 365 environments over the previous 12 months, with a further 98% of cyber security managers expressing frustration with secure email gateway (SEG) technologies.

According to Egress’ Email security risks report 2023, which investigated both inbound phishing attacks and outbound data loss and exfiltration, 58% of cyber security managers said traditional SEG technologies weren’t effective in stopping employees from accidentally emailing the wrong person or sending the wrong attachment, while 53% conceded that too many phishing attacks bypass their gateway.

Egress’ data shows that nearly half (44%) of phishing emails are classed as “technical”, meaning they were specifically engineered to bypass signature-based defences, while over a quarter (28%) were sent from compromised legitimate domains. Out of all account takeover attacks, Egress notes 85% begin with a phishing email.

A further 91% of cyber security managers also noted that data has been leaked by outbound emails, although this was due to mistakes or risk-taking as opposed to malicious insiders.

Egress said the top three causes of these incidents are risky employee behaviour (i.e. transferring data to personal accounts for remote work), human error (emailing confidential information to incorrect recipients), and self-serving data exfiltration (such as taking data to a new job).

Overall, Egress found that 86% of organisations surveyed were negatively impacted by phishing emails, 54% suffered financial losses from customer churn following a successful phishing attack, and 40% of successful phishing incidents resulted in staff leaving the company. Nearly all cyber security managers (99%) said they were stressed about email security.

“The growing sophistication of phishing emails is a major threat to organisations and needs to be urgently addressed,” said Jack Chapman, vice-president of threat intelligence at Egress.

“The signature-based detection utilized by Microsoft 365 and secure email gateways can filter out many phishing emails with recognized malicious attachments and hyperlinks, but cyber criminals need to keep one step ahead.

“They are evolving their payloads and increasingly turning to text-based attacks that utilise social engineering tactics and attacks from a known or trusted source, such as a compromised supply chain email address.”

He further warned that phishing attacks will only become more advanced as cyber criminals turn to AI-powered technologies such as chatbots to automate and refine their attacks.

Egress noted that the top three types of phishing attacks that people fell victim to were those involving malicious URLs or malware attachments, social engineering, and supply chain compromises.

Aside from the SEG issues, managers also expressed concern about their security awareness and training (SA&T) programmes: while 98% carry out some form of SA&T, 96% aired a concern or limitation with it.

For example, 46% said employees skip through it as fast as possible, 29% said employees find the training annoying, and a further 37% admitted they aren’t confident people remember what they’re taught.

Egress concluded in its report that, despite investments in traditional email security and SA&T, enterprises remain highly vulnerable to phishing attacks, human error and data exfiltration.

It recommends using intelligent email security solutions to augment traditional SEGs and Microsoft 365, such as integrated cloud email security (ICES) solutions that use behaviour-based security to detect anomalies in people’s actions to detect and stop advanced phishing threats.





Copyright for syndicated content belongs to the linked source: Computer Weekly – https://www.computerweekly.com/news/365532100/Nine-in-10-enterprises-fell-victim-to-successful-phishing-in-2022
