5 Reasons Phishing is Your Biggest Cybersecurity Problem

Phishing attacks generally don’t make the headlines. And if you ask a security professional to rank email attack types by the level of threat they pose to their organization, a significant percentage are going to place phishing at the bottom of that list.

But phishing attacks are a much larger issue than a lot of businesses realize. In fact, it’s not an exaggeration to say that phishing actually represents the biggest threat to your cybersecurity.

Here are five reasons you need to make preventing phishing attacks a priority.

Although some attackers still opt for simple phishing campaigns that cast a wide net and require minimal effort, many of today’s threat actors choose to launch more focused and personalized attacks—referred to as “spear phishing”.

Once a target organization is identified, attackers harvest information from social media platforms, news outlets, and the company’s own website to craft malicious messages that contain timely information relevant to the targeted employees and appear to come from known sources.

For example, a bad actor might impersonate a member of the organization’s IT team and send an email with an urgent message to install an important security patch—which actually infects the employee’s computer with malware. Or an attacker may pose as the company’s HR director and invite employees to view time-sensitive documents via an enclosed link—which redirects them to a phishing page that steals their login credentials.

In both cases, the threat actor exploits implicit trust to make the target think the email is legitimate and creates a sense of urgency to encourage the employee to act quickly.

In the past, phishing emails often contained several indicators that the message was malicious—e.g., the text had numerous misspellings and poor grammar and the email was from an unknown sender.

But today’s threat actors take advantage of online translation services like Google Translate and AI tools like ChatGPT to craft messages with perfect spelling, grammar, and syntax. They also spoof email addresses of trusted parties, hiding their true identities behind usernames and URLs with minor misspellings or character substitutions that are easily overlooked. Additionally, attackers leverage sophisticated social engineering tactics to prey on emotions and manipulate employees into fulfilling their requests.

Even if attackers choose to target a broader audience and impersonate a brand rather than a specific individual, they can design detailed phishing emails and intricate phishing sites that are nearly indistinguishable from the impersonated brand’s actual messages and website.

In short, bad actors have learned how to create phishing emails that wouldn’t raise any level of suspicion in the majority of employees.

An email account acts as the hub for just about everything the average professional needs to do their job. Employees use their email to log into applications, link business accounts, and reset passwords. This means stealing login credentials and compromising an email account provides a multitude of opportunities to move throughout the entire application ecosystem and gain access to nearly every other account an employee has.

For instance, compromising a Microsoft 365 email account also gives the attacker access to tools like Teams, SharePoint, and OneDrive from which to harvest sensitive information and valuable data.

Additionally, once a cybercriminal has compromised an email account, they can create inbox rules that automatically forward correspondence to an alternate account, which allows them to continue collecting information without the employee knowing. They can also easily reset passwords for other accounts and lock out the real account owner.

And considering the fact that 54% of all employees reuse passwords across multiple work accounts, threat actors may not even need to change any passwords to be able to log into other accounts.

For the past two years, phishing has been far and away the most prevalent email attack type detected and blocked by Abnormal, accounting for 70% of all advanced attacks in the second half of 2022.

And since 2019, phishing has been the number one cybercrime reported to the FBI Internet Crime Complaint Center (IC3), growing by 162% between 2019 and 2022. In fact, the FBI IC3 recorded over 300,000 phishing incidents in 2022—more than five times the second most common type of cybercrime.

It’s true that, in terms of total losses, phishing falls squarely in the bottom third of all attack types tracked by the IC3, which is likely why many organizations don't regard it as a serious threat. However, what security leaders must remember is that phishing is frequently just the first step in a variety of crimes and is often used more as a “foot in the door” technique rather than the end goal.

Although organizations often dismiss phishing as a threat because they don’t consider it to be as serious as some other attack types, the reality is that phishing emails are usually just the first stage in larger, more costly attacks.

Every email account takeover starts with a successful login, which requires valid credentials—and phishing emails are one of the most popular (and effective) ways for attackers to acquire those credentials. With the account compromised, threat actors can use that email address to send other email attacks in which they impersonate real employees and hijack ongoing conversations.

Attackers can also use phishing emails to steal login information for an organization’s banking or payment portal. With a valid username and password, bad actors can transfer money to their own accounts, redirect incoming payments, send fraudulent payment requests, and steal sensitive financial information to use in future attacks.

And according to the Cyber Resilient Organization Study from IBM Security™, 45% of ransomware attacks were initiated using phishing or social engineering.

Traditional email security technologies like secure email gateways (SEGs) can effectively block basic phishing attacks that contain obviously malicious links or attachments and/or come from domains with known-bad reputations.

However, legacy systems lack the functionality to detect and stop sophisticated phishing messages that utilize more advanced techniques like social engineering and email spoofing. And when an employee engages with a phishing email, it immediately puts the organization at considerable risk. Whether they impersonate a known brand, an internal system, or a trusted individual, stopping phishing attacks before they reach employee inboxes is the key to staying safe.

To learn more about the threat of phishing, download our CISO Guide to Phishing. Or, if you want to see for yourself how Abnormal can block phishing attacks before employees can engage, schedule a demo.