IT Security

Email threat landscape

by Mark Rowe

Phishing attacks are up on last year and are now a major stress point for cybersecurity leaders and causing real issues for businesses according to the Egress Email Threat Landscape 2024 report, writes AJ Thompson, pictured, CCO at the IT consultancy firm Northdoor plc.

We have all learnt over the past couple of years that phishing is one of the most effective ways for cybercriminals to gain access to a company’s data and infrastructure. The extent of the attacks is perhaps less well-recognised, which makes Egress’ report all the more shocking. The report has shown that an incredible 94 per cent of companies (up two per cent from 92 per cent last year) have been the victims of phishing attacks. Of these, 96 per cent had been negatively impacted by such an attack. Such a large percentage of companies affected by phishing attacks shows just how vulnerable some email systems are and why organisations need to be doing more to protect themselves.

Form of phishing attacks

The report identified the main forms that phishing attacks take. Malicious URLs, malware or ransomware attachments, and attacks from compromised accounts make up a majority of the phishing attacks. Within each of these categories, cybercriminals are getting increasingly sophisticated in their approaches. Identifying and dealing with phishing attacks is therefore becoming more difficult for organisations and their employees, hence the rise in successful attacks and the damage that they can cause.

Cybercriminals do not remain stagnant in their efforts to secure data and infrastructure. Nor, then, should organisations in their efforts to keep them out. After all, the results of a successful phishing attack can be devastating for individuals and companies alike.

Cost of successful phishing

The initial impact of a phishing attack is often the headlines as the news of another attack comes through. However, the results of a breach can be long-term and have devastating consequences for employees and companies. As we have seen, 96 per cent of companies experience a negative impact after a phishing attack. This is up ten per cent from last year’s report (when the number sat at 86 per cent). The negative impact is not just financial either. The report highlights the impact it can have on individuals.

One of the standout stats from the report shows that people are significantly impacted by a phishing attack. In organisations that suffered an attack, 74 per cent of the employees involved were disciplined, dismissed or voluntarily left (51 per cent disciplined, 39 per cent fired and 27 per cent voluntarily left). Obviously, for a huge majority of these employees, the act of clicking on a malicious link sent via a phishing attack was not intentional. The fact that most face disciplinary action, and a large percentage get fired, shows two things: firstly, that clicking on one link can have huge consequences for individuals, and secondly, how seriously companies are now taking the phishing threat.

They are taking the threat so seriously because of the wider organisational costs that companies suffer as a result of phishing attacks. The report pulls out several organisational-level costs that companies are suffering.

Financial loss from customer churn is the largest at 47 per cent. This stat only tells half the story. Not only are you losing customers and therefore income, but the investment needed to secure new customers can be equally expensive.

This latter point is only further enhanced by the second largest organisational cost, reputational damage. If customers no longer trust you with their data, they will quickly move on to competitors. Another major cost (at 34 per cent) is fines and other financial losses resulting from regulatory penalties. Regulatory problems can also impact reputation and the ability to keep or attract new customers and partners.

Other organisational costs, including lengthy remediation after an attack and any legal repercussions such as litigation, all add to the overall impact of a successful phishing attack.

Supply chain vulnerabilities

The main stress point around phishing for cybersecurity leaders is attacks originating from supply chain email accounts. The nature of these attacks means that they negate any investment made in frontline cyber defences, which explains why they create such stress for cybersecurity leaders.

Indeed, the report highlighted that 51 per cent of respondents had been the victim of a successful phishing attack that came from a third-party compromised account. It is clear then that basic perimeter defence is no longer enough to keep cybercriminals out. Instead, cybersecurity leaders need to get a better understanding of their partners’ systems and cyber policies.

The old, traditional method of sending questionnaires to partners to gain visibility into their security practices is no longer effective or acceptable. Instead, organisations should use tools that provide near-real-time, 360-degree views highlighting the security practices of partners as well as any vulnerabilities that may lie open.

The report has shown how phishing remains an effective tool for cybercriminals to gain access to key data. By increasing the sophistication of their approaches, cybercriminals are causing a real headache for cybersecurity leaders and the problem is only going to get worse. New ways of monitoring potential threats and where vulnerabilities lie have to be brought in by companies to reduce the number of successful attacks, keep data safe and reduce the cost to both the individual and the organisation.


© 2024 Professional Security Magazine. All rights reserved.
