Email Security Resilience

    Phishing Update: This Pervasive Risk Just Keeps Growing

    Email-based phishing is a persistent and costly cyberthreat that is becoming more widespread and sophisticated.

    by Elliot Kass

    Key Points

    • More than one-third of all data breaches begin with phishing attacks — the most common of which are email-based.
    • Phishers are imposters who pose as trusted entities to con their victims.
    • Phishing attacks are becoming extremely sophisticated, with attackers using new and different tactics to confound their targets.

    Phishing has firmly established itself as the most common category of cybercrime. In 2021, more than one-third (36%) of all data breaches were attributable, at least in part, to employee credentials stolen through phishing attacks,[1] 91% of which occur through email.[2]

    Now, in late 2022, the phishing threat continues to spread. Since August:

    • A major U.S. airline reported that its computer systems had been breached by a phishing attack. After successfully hacking the email accounts of multiple employees, the culprit then used them to send out a battery of phishing emails targeting over 1,700 employees and customers.[3]
    • The U.S. Internal Revenue Service issued an alert that text message phishing attacks, with offers of tax credits or help setting up an account, were on the rise. “In recent months, and especially in the last few weeks,” the agency warned, “IRS-themed smishing has increased exponentially.”[4]
    • Meanwhile in Germany, the country’s federal police raided the homes of individuals suspected of orchestrating large-scale phishing campaigns. The attackers allegedly used forged emails that appeared to have been sent by various German banks to dupe their victims out of 4 million euros (US$4 million).[5]

    Mimecast has captured the current state of phishing risks and responses in a new ebook, Future-Proofing Your Cybersecurity Strategy: Defending Against Phishing.

    Attackers Deploy an Array of Approaches

    Phishing occurs when an attacker masquerades as a trusted entity reaching out via email, instant message, or text message. The end game may be to obtain credit card or other financial information, but often phishing dispatches are sent to dupe employees into sharing their passwords and logins so the cybercriminal can access their company’s network.

    Attackers use different types of phishing tactics based on their aims and targets. These include:

    • Email phishing: Fraudsters mimic an organization’s email domain and then send out thousands of generic missives in the hopes of getting some bites.
    • Spear phishing: In this more focused form of attack, the perpetrator targets individuals within a company with high levels of network access or the authority to approve financial transactions.
    • Whaling: Similar to spear phishing but targeting the most senior leaders, whaling emails may appear to come from a client or business partner whom the target knows, making seemingly routine requests for proprietary information or transaction approvals.
    • Smishing and vishing: Cybercriminals apply phishing techniques to text and telephone channels.

    Phishing Damage Grows

    Cybercriminals are becoming extremely sophisticated, using different types of phishing tactics based on their aims and targets. The volume of attacks and their financial impact also continue to rise.

    According to recent reports:

    • A staggering 84% of U.S. organizations reported recent phishing or ransomware attacks in a 2021 survey.
    • Mimecast’s most recent State of Email Security (SOES) report found that more than half (55%) of the 1,400 information technology and cybersecurity professionals surveyed had seen a significant increase in the volume of phishing attacks.
    • Publicly reported phishing incidents nearly doubled from 114,702 in 2019 to 241,324 in 2020, according to the FBI.[6]
    • Breaches due to phishing cost organizations an average of $4.91 million last year.[7]
    • A 2021 global phishing simulation exercise found that 14% of employees will click on a phishing email link and that 70% of them will then enter their credentials on the attacker’s website — both increases over 2020 results.[8]

    The Bottom Line

    Some of the world’s most prominent businesses have been phishing victims. Phishing is a widespread and growing threat that companies in all sectors need to protect themselves against. For more on how to safeguard your organization from email-based and other types of phishing attacks, please see Mimecast’s new ebook on Defending Against Phishing.


    [1]2021 Data Breach Investigations Report,” Verizon

    [2]91% of all cyberattacks begin with a phishing email to an unsuspecting victim,” Deloitte

    [3]American Airlines learned it was breached from phishing targets,” Bleeping Computer

    [4]IRS warns Americans of massive rise in SMS phishing attacks,”  Bleeping Computer

    [5] “Germany arrests hacker for stealing €4 million during phishing attacks,” Bleeping Computer

    [6] "Internet Crime Report 2020," FBI

    [7]How much does a data breach cost?” IBM

    [8]Gone Phishing Tournament,” Terranova Security

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Haut de la page