Despite repeated warnings from IT professionals not to click links or open attachments in unexpected messages, phishing remains wildly successful, as attackers adopt new tricks and techniques that should push organizations to improve and update their cybersecurity awareness strategies.
In fact, email-based phishing attacks remain a thorn in the side of IT professionals, with 84% of organizations in a recent Proofpoint survey reporting that they had at least one successful email-based phishing attack against them last year. Despite an increased emphasis on cybersecurity in the wake of several widespread breaches and highly publicized incidents, that number actually grew a percentage point from 2021, according to the email security company’s survey.
Why phishing continues to be successful
Phishing remains successful for several key reasons, including end-user awareness that still falls well short of adequate, and the fact that attackers are just as innovative as the defenders and developers who create the security software organizations use to prevent attacks, says Sara Pan, a marketing manager at Proofpoint.
“They’re constantly upping their game,” Pan says of attackers. “While they’re still heavily relying on social engineering tactics, they always come up with different things.”
Attackers still use the tried-and-true method of building phishing emails around topics in the news or on social media. For example, COVID-19-themed phishing lures led to a 17% failure rate in Proofpoint's phishing simulations.
Similarly, attackers spoof trusted brands such as Microsoft, Amazon, DocuSign and Google that provide widely used enterprise tools. Proofpoint observed about 1,600 brand impersonation campaigns, with Microsoft the most abused brand: over 30 million messages used Microsoft branding or featured a Microsoft product such as Office or OneDrive.
Simulated phishing attack data shows that Microsoft OneDrive-themed lures had a 7% failure rate, while DocuSign and FedEx impersonations had an 11% failure rate. Since it takes only one user's click to lead to an organization-wide compromise, those statistics are alarming.
“They will go beyond just email and will use various threat vectors, such as call centers or text messages,” Pan says. “Attackers are definitely very creative, but at the same time, their primary target has always been people–and people remain vulnerable.”
New phishing tools to bypass security controls
While phishing, ransomware and brand impersonation remain major culprits, new classes of threats are emerging, including telephone-oriented attack delivery and multifactor authentication (MFA) bypass techniques such as adversary-in-the-middle (AiTM).
According to Pan, threat actors now have access to a range of methods to bypass MFA. The cybercrime industry is thriving, with service providers similar to legitimate tech firms offering phishing-as-a-service and MFA bypass tools in their off-the-shelf kits.
While multifactor authentication is quickly becoming a standard security practice across industries, attackers are already pivoting and remain a step ahead of these controls.
Phish kits now sold to criminals include a transparent reverse proxy that sits between the victim's browser and the real login page, relaying every request and response while capturing credentials and the session cookie in real time, Pan says.
Instead of the traditional phishing attack, which directs users to a fake website, attackers direct users to a proxy that serves the legitimate site's real pages. The user completes a genuine MFA challenge, and the attacker captures the resulting authenticated session cookie, which is all that is needed to take over the account.
While this technique has been in use for several years, security researchers are just now starting to see MFA bypass phishing kits deployed at scale, Pan says.
“It’s not like this is a new way of attacking, but we’re just seeing these MFA phishing kits deployed at scale in 2022,” Pan says. “This makes security even more difficult for defenders.”
In addition, attackers are also using less sophisticated MFA bypass methods, such as MFA fatigue, in which attackers repeatedly trigger push notifications to a user's authenticator app until the user has a lapse in judgment and approves one of the requests, says Eric Hart, manager of subscription services for cybersecurity firm LogRhythm.
There were several examples of these attacks last year, including the Uber breach. The ridesharing giant said in September 2022 that an attacker had the credentials of an external contractor and tried to log in several times, prompting two-factor login approval requests that the contractor eventually approved after multiple requests.
Then, the attacker accessed several other employee accounts that ultimately ended with the attacker gaining elevated permissions to a number of tools, such as G-Suite and Slack.
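Both MFA-bypass patterns described above leave traces in identity-provider logs: an AiTM kit ends with a session cookie being presented from a client other than the one that authenticated, and MFA fatigue shows up as a burst of denied or timed-out pushes followed by an approval. The following Python script is added here as an example and is not code from the article, Proofpoint or LogRhythm; it runs both detections over a constructed set of sign-in events, and the event fields, thresholds and sample data are assumptions that must be mapped to the real log schema before use.

```python
"""Detect MFA-fatigue approvals and replayed session tokens in sign-in events.

Added example; the event schema below is an assumption made for illustration
and must be mapped to the real identity provider's log fields before use.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); IPs are documentation ranges.
# event types: MFA_PUSH (result approved/denied/timeout), LOGIN (password and
# MFA succeeded, session token issued), SESSION (session token presented).
EVENTS = [
    # MFA fatigue: three ignored or denied pushes in minutes, then an approval
    {"ts": "2022-09-15T20:01:05", "user": "contractor1", "event": "MFA_PUSH",
     "result": "timeout", "ip": "198.51.100.23", "ua": "Chrome/105"},
    {"ts": "2022-09-15T20:02:10", "user": "contractor1", "event": "MFA_PUSH",
     "result": "denied", "ip": "198.51.100.23", "ua": "Chrome/105"},
    {"ts": "2022-09-15T20:03:15", "user": "contractor1", "event": "MFA_PUSH",
     "result": "timeout", "ip": "198.51.100.23", "ua": "Chrome/105"},
    {"ts": "2022-09-15T20:04:40", "user": "contractor1", "event": "MFA_PUSH",
     "result": "approved", "ip": "198.51.100.23", "ua": "Chrome/105"},
    # AiTM: the login completes via the proxy host, then the issued session
    # token is replayed from a different address and browser
    {"ts": "2022-09-15T21:10:00", "user": "alice", "event": "LOGIN",
     "session": "s-7f3a", "ip": "203.0.113.7", "ua": "Chrome/105"},
    {"ts": "2022-09-15T21:12:30", "user": "alice", "event": "SESSION",
     "session": "s-7f3a", "ip": "192.0.2.44", "ua": "Firefox/104"},
    # benign: bob logs in and keeps using the session from the same client
    {"ts": "2022-09-15T21:20:00", "user": "bob", "event": "LOGIN",
     "session": "s-91c0", "ip": "192.0.2.10", "ua": "Safari/16"},
    {"ts": "2022-09-15T21:25:00", "user": "bob", "event": "SESSION",
     "session": "s-91c0", "ip": "192.0.2.10", "ua": "Safari/16"},
    # benign: a single denied push (mis-tap) followed by an approval
    {"ts": "2022-09-15T22:00:00", "user": "bob", "event": "MFA_PUSH",
     "result": "denied", "ip": "192.0.2.10", "ua": "Safari/16"},
    {"ts": "2022-09-15T22:00:30", "user": "bob", "event": "MFA_PUSH",
     "result": "approved", "ip": "192.0.2.10", "ua": "Safari/16"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_mfa_fatigue(events, min_rejected=3, window=timedelta(minutes=10)):
    """Flag approvals preceded by >= min_rejected denied/timed-out pushes for the
    same user inside `window`. Returns (user, approval timestamp, rejected count)."""
    alerts = []
    history = {}  # user -> rejected pushes since that user's last approval
    for e in sorted(events, key=_ts):
        if e["event"] != "MFA_PUSH":
            continue
        pushes = history.setdefault(e["user"], [])
        if e["result"] != "approved":
            pushes.append(e)
            continue
        cutoff = _ts(e) - window
        rejected = [p for p in pushes if _ts(p) >= cutoff]
        if len(rejected) >= min_rejected:
            alerts.append((e["user"], e["ts"], len(rejected)))
        pushes.clear()  # an approval ends the current burst
    return alerts


def detect_session_replay(events, max_age=timedelta(hours=24)):
    """Flag a session token presented from a different IP or user agent than the
    LOGIN that issued it. Returns (user, session, login ip, presenting ip)."""
    issued = {}  # session id -> LOGIN event that created it
    alerts = []
    for e in sorted(events, key=_ts):
        if e["event"] == "LOGIN":
            issued[e["session"]] = e
        elif e["event"] == "SESSION":
            login = issued.get(e["session"])
            if login is None or _ts(e) - _ts(login) > max_age:
                continue
            if e["ip"] != login["ip"] or e["ua"] != login["ua"]:
                alerts.append((e["user"], e["session"], login["ip"], e["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(EVENTS):
        print("MFA fatigue:", alert)
    for alert in detect_session_replay(EVENTS):
        print("session token replayed from a new client:", alert)
```

A hit from the session check is a lead, not proof: IP and user-agent changes also happen legitimately (mobile networks, VPNs, browser updates), so correlate it with the login's source network and the user's known devices before acting. The fatigue threshold should be tuned against the organization's baseline of accidental denials.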
“Attackers are clever,” Hart says.
Why training and awareness seriously need to change
Despite cybersecurity incidents making international headlines in recent years, awareness remains critically insufficient: just 40% of users told Proofpoint that they know what ransomware is, only 58% know what phishing is, and even fewer can identify a phishing email. Further, just 70% of organizations say they conduct formal training, and fewer than 55% make security awareness training available to every user rather than only to privileged users or users with access to sensitive resources.
Users still struggle to spot phishing emails, per the survey: 21% say they don't know that an email's displayed sender can differ from who actually sent it, 44% don't know that a familiar brand name does not mean an email is safe, and 63% don't know that the text of a link can differ from the website it actually points to.
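Two of the three facts in that survey result, a misleading sender and link text that differs from its target, are checkable mechanically, and a mail gateway or awareness tool can surface them to the user. The following Python example is added here and is not code from the article or the vendors quoted; it parses a constructed sample message (all domains are example names) and reports a display name that embeds an address different from the actual From address, a Reply-To on another domain, and anchors whose visible text looks like a URL on a different registrable domain than the href.

```python
"""Flag sender spoofing and link-text/target mismatches in an email message.

Added example; the sample message and all domains are constructed (example
names), not a real phish or any vendor's detection code.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a display name that embeds a different address,
# a Reply-To on a third domain, and a link whose text names one host while the
# href points to another.
RAW = """From: "it-support@example.com" <alerts@mail-relay.example.net>
Reply-To: helpdesk@example-tickets.org
To: user@example.com
Subject: Action required: password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. Renew it at
<a href="https://verify.example-cdn.net/session">https://login.example.com</a>.</p>
<p>Questions? See the <a href="https://www.example.com/help">help center</a>.</p>
</body></html>
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def registrable(host):
    """Crude registrable domain: last two labels. Wrong for suffixes such as
    co.uk; a production check should consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _host(url_or_text):
    """Hostname of a URL, tolerating link text written without a scheme."""
    target = url_or_text if "//" in url_or_text else "//" + url_or_text
    return (urlparse(target).hostname or "").lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html):
    """Anchors whose visible text looks like a URL or hostname on a different
    registrable domain than the href. Returns (text, href) pairs."""
    parser = _AnchorCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        looks_like_host = "." in text and " " not in text
        if looks_like_host and registrable(_host(text)) != registrable(_host(href)):
            found.append((text, href))
    return found


def sender_mismatches(msg):
    """Display name embedding an address other than the header From address,
    or a Reply-To whose domain differs from the From domain."""
    findings = []
    name, addr = email.utils.parseaddr(str(msg["From"] or ""))
    for embedded in ADDR_RE.findall(name):
        if embedded.lower() != addr.lower():
            findings.append(f"display name shows {embedded} but From address is {addr}")
    reply_to = email.utils.parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and registrable(reply_to.split("@")[-1]) != registrable(addr.split("@")[-1]):
        findings.append(f"Reply-To {reply_to} is on a different domain than From {addr}")
    return findings


def analyze(raw):
    """Run both checks on a raw RFC 5322 message and group the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {"sender": sender_mismatches(msg), "links": link_mismatches(msg.get_content())}


if __name__ == "__main__":
    for kind, items in analyze(RAW).items():
        for item in items:
            print(f"{kind}: {item}")
```

The link test is the same one users should be taught to do by hand: hover over the link and compare the host in the status bar with the text. The domain comparison here is deliberately crude; a gateway should use the public suffix list and also handle tracking redirectors, which hide the final destination behind a benign-looking host.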
Like the software developers and programmers building some of the most advanced tools in history, attackers are also constantly innovating and finding new ways to do things, so security awareness training should evolve simultaneously, Hart says.
“The landscape is always shifting, and the attacker can pivot anytime they want,” Hart says.
Because of the variety of attacks, IT and security professionals struggle to keep up with creating quality training material that goes beyond the stale five-minute video and quiz.
While phishing simulations can help establish a baseline of awareness, those emails are relatively easy to spot since the people administering them “have a moral background” and don’t go for the low blow-type social engineering attack, Hart says.
“With your internal campaigns, you’re generally throwing softballs,” Hart says.
Security training and awareness recommendations
Hart and Pan lay out several recommendations for organizations conducting security awareness and training programs:
- Make training programs relevant to the end user. Inform users about the type of threats that could be targeting them, their industry and their occupation specifically.
- Conduct more frequent training to keep it fresh in end users’ minds.
- Incentivize phishing simulations by rewarding top performers; require training after a failed simulation, but impose no further penalties.
- Communicate these issues to end users. IT and end users often don’t communicate until something breaks, but IT and security teams can be more proactive by educating users on the actual threats their organization is facing and why it is important for users to be vigilant. Regular, engaging communication between IT leaders and end users on these issues can help make awareness a priority.
- Educate users about the security of their home tech use. End users working from home are increasingly becoming targets, with attackers finding success accessing loosely secured home routers and devices.