Phishing attacks: 6 reasons why we keep taking the bait

Phishing attacks are a determined threat to businesses.


Phishing attacks are a persistent threat to businesses. As many as 90% of breaches involve phishing, and these attacks are on the rise: Proofpoint’s 2019 State of the Phish Report shows that 83% of survey respondents experienced phishing attacks in 2018. That’s a 76% increase from 2017.

But what makes phishing attacks so successful? 

1. Users are the weakest link

Most users aren’t trained to recognize phishing attempts, and so often fall victim to attack by clicking on links or opening attachments in emails without considering the potential repercussions.

According to the research, 52% of users receive training no more than twice per year, and 6% of users have never received security awareness training.

The result? IT departments are not at all confident in their users’ ability to recognize incoming threats, or in their organization’s ability to stop phishing and related attacks.

2. Organizations aren’t doing enough

Further complicating the problem, organizations aren’t doing enough to defeat the risks associated with phishing and ransomware.

The report highlights 3 key areas of weakness:

Insufficient backup processes: In the event of a ransomware attack, most organizations have insufficient backup processes. This leaves them unable to quickly restore content on servers, user workstations and other endpoints to a healthy state.

Lack of user testing: Most organizations do not have sufficient procedures in place to test their users, leaving them unable to determine which staff members are the most likely to fall for an attack.

Conducting a simulated phishing attack can help you discover whether your employees are vulnerable to phishing emails, enabling you to take immediate corrective action to improve your cybersecurity posture.

BYOD security risks: Many organizations lack a BYOD (Bring Your Own Device) policy – allowing corporate data and system resources to be accessed through insecure means.

3. Criminal organizations are well funded

The criminal organizations behind cybercrime are generally very well funded.

As a result, they have the technical resources to regularly release new and more effective variants of their malware.

4. Cyber criminals are shifting their focus

The availability of stolen data on the Dark Web has decreased its commercial value.

The price of a payment card record dropped from $25 in 2011 to $6 in 2016, so cyber criminals have had to focus on new ways to earn as much as they did in the past.

Consequently, they have found a useful source of funds in the holders of that information, whom they target through phishing and ransomware attacks.

Afraid of losing their data, those information holders often pay what criminals demand without a second thought.

5. Phishing tools are low-cost and popular 

There is an increasing number of tools designed to help beginners with little IT knowledge become “hobbyist” phishers and ransomware authors.

The availability of phishing kits and the rise of ransomware-as-a-service (RaaS) have resulted in an explosion of ransomware and other exploits coming from an ever-growing network of amateur cyber criminals.

6. Malware is becoming more sophisticated

Over time, phishing and various types of malware have become more sophisticated.

The problems of phishing, spear phishing, CEO Fraud/BEC, and ransomware are simply going to get more serious without proper solutions and processes to defend against them.

Protect your organization against phishing 

Educated and informed employees are your first line of defense. Empower them to make better security decisions with our complete staff awareness e-learning suite.

A cost-effective way of managing all your staff awareness training in one place, the complete suite contains eight e-learning courses to help you transform your employees from threats to assets.

Included in the complete suite is the Information Security and Cyber Security Staff Awareness E-Learning Course.