Phishing Click Rates Decline while Socially-Engineered Attacks Grow

Cyber threats are constantly evolving. Cybersecurity teams are most effective when they deploy defenses that protect against the threats that pose the greatest risk at any given time. Socially-engineered attacks—one of the most financially damaging threats according to the FBI—are on the rise and this year’s Verizon 2020 Data Breach Investigations Report (DBIR) uncovered some interesting findings on the trend.

Thoughts on the 2020 DBIR

According to the report, phishing remains a fruitful method for threat actors. But in good news, Verizon found that click rates are as low as they’ve ever been at 3.4%, while reporting rates are rising, albeit slowly. It seems that security awareness training is succeeding with education about basic phishing attacks. The question is... is that enough?

While increased awareness seems to be a positive step, it may not actually be doing much to help today’s organizations, as business email compromise (BEC) attacks are unfortunately on the rise—and the high level of sophistication and social engineering makes them nearly impossible for an employee to spot. These modern BEC attacks lack the common threat signals to trigger detection from yesterday’s secure email gateways. These attacks do not have attachments carrying malware. Nor do they contain URLs leading to malicious websites.

These email attacks are highly-personalized for each individual target in an effort to convince them they are interacting with a trusted sender. So while security awareness training is proving to be effective in reducing click rates, the continually increasing rates of financial loss due to BEC tells a different story. We’re simply not doing a good job at stopping these payload-less and socially engineered attacks.

On a related note, the DBIR report also found that malware is on a consistent and steady decline over the course of the last five years. Verizon theorizes that with hacking and social breaches leading to credential theft, malware is no longer needed to maintain persistence. Malware “is a tool that sits idle in the attacker’s toolbox in simpler attack scenarios.” That said, malware often still plays a role in more complex incidents such as ransomware attacks.

BEC Continues to Grow

The data tells us that, more and more, threat actors are finding success with socially-engineered attacks. Malware detection tools are likely working—but they’re less needed, as recent attacks trend more toward social engineering.

So what does this mean? The tools we have in place to stop email attacks that carry malicious attachments or URLs to malicious websites are doing a good job. Microsoft EOP and Defender for Office 365, as well as the native security controls from Google Workspace, are effective.

Where there is a security gap is with our ability to address BEC—the payload-less, socially engineered attacks. We need a new, abnormal approach to complement the security capabilities of the cloud email platforms.

Learn more about how the Abnormal platform deployed with native API integration and stops business email compromise by requesting a demo today.