Phishing Attacks Getting Personal as Businesses Improve Resiliency

Phishing is easy and profitable for hackers, but businesses are paying a high cost for these crimes.

By Roy Urrico | December 01, 2017 at 06:07 AM

The number of phishing attacks increased 65% worldwide last year. However, while resiliency against phishing attacks is improving throughout major industries, including financial services, consumer scams in the workplace are growing.

Those are findings contained in Leesburg, Va.-based PhishMe's "Enterprise Phishing Resiliency and Defense Report, 2017," which examined controlled phishing activity and susceptibility at global organizations across 23 industries services, with 7 of 8 industries seeing resiliency harden. Financial industry showed a 12.2 susceptibility rate and a 31.7 reporter rate.

"For hackers, phishing is easy. And profitable. The average phishing attack costs a mid-sized company $1.6 million," the report noted. The research added, for many years, organizations have invested in technology to keep them safe from malicious emails. Yet ransomware, CEO fraud/business email compromise, and breaches stemming from phishing emails inflict a heavy toll. According to the FBI, BEC alone cost businesses worldwide over $5 billion from 2013 to 2016.

Recommended For You

Some other key findings:

Overall susceptibility dropped to as low as 5% (individual companies may have experienced greater changes).
As reporting or engagement increased, susceptibility decreased.
Employees are most susceptible to phishing emails that target them as consumers.
Emails with malicious URLs are the most reported.
Almost 15% of the emails employees reported were malicious.

The report dove into topics such as active threats considered to be high-risk and vintage threats, or threats that have disappeared but are likely to return. "When a phishing type disappears for awhile, be afraid. Be very afraid. It will likely come back and you need to be ready. So be proactive. Baseline your risks before attackers do," the report emphasized.

Some key findings specific to the financial industry include: 36.2% susceptibility to TrickBot attacks, which use customized redirection attacks to leverage HTML or JavaScript injections as a victim visits a financial institution online; and 30.6% susceptibility to Ursnif attacks, which deliver malware via Word docs and macros, to steal victim information, from banking and credit card credentials via man-in-the-browser attacks, keylogging, or screenshot capture.

The report stressed, "The tendency to fall for a phishing email, or susceptibility, is best addressed with conditioning employees to recognize and understand phishing emails. Repeated phishing simulations, including those based on relevant, emerging threats, have shown a shrinking susceptibility rate for three years running. It's proof that a progressive, mature anti-phishing program keeps organizations safer."

As Internet behavior changes, so do cyberattacks. In previous years, PhishMe reported that fear, urgency and curiosity were the top emotional motivators behind successful phishes. Now they're closer to the bottom, replaced by entertainment, social media and reward/recognition.

The resiliency study acknowledged it's possible mature anti-phishing programs have conditioned employees to spot work-related scams such as "Delivery Issue" or "Parking Ticket" (fear), "Urgent Order" or "Canceled Transaction" (urgency) and "Final Version of the Report" or "Refund for Purchase" (curiosity). But most programs don't focus on consumer scams, which are cropping up more in the workplace, targeting employees with personal vs. business messages.

"Employees will always take a break to do personal business online, so you can expect work and home email to continue blurring," the report asserted. Personal devices in the workplace often have multiple email accounts therefore the email source may not be as evident. However, to sustain morale, communication and collaboration, among other reasons, companies are unlikely to restrict BYOD or access to social media, news and entertainment sites.

PhishMe provided some tips: Understand the dynamics of entertainment or social phishing; stress vigilance when it comes to emails promising rewards; and take note of internal reward programs in danger of mimicking.

The data reflects experiences of some 1,400 PhishMe international customers, including Fortune 500 and public-sector organizations. In some instances, the data goes back to 2014 or 2015 to show longer-term trends or may focus on a specific time frame. In other cases, the data is from the past eight months, January through August 2017. The data's foundation comes from 52.4 million simulation emails, written in numerous languages.

NOT FOR REPRINT

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).

1 Ent, Wings Credit Unions Announce $19 Billion Merger Plan

2 5 Credit Unions Hire & Promote Professionals

3 Student Loan Collections to Squeeze Borrowers

4 Payment Disputes: Member Loyalty Builder or Breaker?

5 Credit Unions Watch as Cars Thrive, Homes Dive

Workers' Compensation Risk Management Award for Excellence Nominations
May 05, 2025 - Nomination Deadline

The 2025 Workers Comp Risk Management Award for Excellence honors outstanding loss control, safety and return-to-work programs.
More Information
Insurance
BenefitsPRO Broker Expo 2025
May 06, 2025 - Boston

The premier educational and networking event for employee benefits brokers and agents.
More Information
Consulting
Consulting Top Consultants 2025
June 26, 2025 - New York

Consulting Magazine identifies consultants that have the biggest impact on their clients, firms and the profession.
More Information