Phishing Click Rates Decline while Socially-Engineered Attacks Grow

June 11, 2020

Cyber threats are constantly evolving. Cybersecurity teams are most effective when they deploy defenses that protect against the threats that pose the greatest risk at any given time. Socially-engineered attacks—one of the most financially damaging threats according to the FBI—are on the rise and this year’s Verizon 2020 Data Breach Investigations Report (DBIR) uncovered some interesting findings on the trend.

Thoughts on the 2020 DBIR

According to the report, phishing remains a fruitful method for threat actors. But in good news, Verizon found that click rates are as low as they’ve ever been at 3.4%, while reporting rates are rising, albeit slowly. It seems that security awareness training is succeeding with education about basic phishing attacks. The question is... is that enough?

While increased awareness seems to be a positive step, it may not actually be doing much to help today’s organizations, as business email compromise (BEC) attacks are unfortunately on the rise—and the high level of sophistication and social engineering makes them nearly impossible for an employee to spot. These modern BEC attacks lack the common threat signals to trigger detection from yesterday’s secure email gateways. These attacks do not have attachments carrying malware. Nor do they contain URLs leading to malicious websites.

These email attacks are highly-personalized for each individual target in an effort to convince them they are interacting with a trusted sender. So while security awareness training is proving to be effective in reducing click rates, the continually increasing rates of financial loss due to BEC tells a different story. We’re simply not doing a good job at stopping these payload-less and socially engineered attacks.

On a related note, the DBIR report also found that malware is on a consistent and steady decline over the course of the last five years. Verizon theorizes that with hacking and social breaches leading to credential theft, malware is no longer needed to maintain persistence. Malware “is a tool that sits idle in the attacker’s toolbox in simpler attack scenarios.” That said, malware often still plays a role in more complex incidents such as ransomware attacks.

BEC Continues to Grow

The data tells us that, more and more, threat actors are finding success with socially-engineered attacks. Malware detection tools are likely working—but they’re less needed, as recent attacks trend more toward social engineering.

So what does this mean? The tools we have in place to stop email attacks that carry malicious attachments or URLs to malicious websites are doing a good job. Microsoft EOP and Defender for Office 365, as well as the native security controls from Google Workspace, are effective.

Where there is a security gap is with our ability to address BEC—the payload-less, socially engineered attacks. We need a new, abnormal approach to complement the security capabilities of the cloud email platforms.

Learn more about how the Abnormal platform deployed with native API integration and stops business email compromise by requesting a demo today.


Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 05 13 22 Spring Product Release
This quarter, the team at Abnormal launched new features to improve lateral attack detection, role-based access control (RBAC), and explainable AI. Take a deep dive into all of the latest product enhancements.
Read More
B 05 11 22 Champion Finalist
Abnormal has been selected as a Security Customer Champion finalist in the Microsoft Security Excellence Awards! Here’s a look at why.
Read More
Blog series c cover
When we raised our Series B funding 18 months ago, I promised our customers greater value, more capabilities, and better customer support. We’ve delivered on each of those promises and as we receive an even larger investment, I’m excited about how we can continue to further deliver on each of them.
Read More
B 05 09 22 Partner Community
It’s an honor to be named one of CRN’s 2022 Women of the Channel. Here’s why I appreciate the award and what I love about being a Channel Account Manager at Abnormal.
Read More
B 05 05 22 Fast Facts
Watch this short video to learn current trends and key issues in cloud email security, including how to protect your organization against modern threats.
Read More
B 05 03 22
Like all threats in the cyber threat landscape, ransomware will continue to evolve over time. This post builds on our prior research and looks at the changes we observed in the ransomware threat landscape in the first quarter of 2022.
Read More
B 04 28 22 8 Key Differences
At Abnormal, we pride ourselves on our excellent machine learning engineering team. Here are some patterns we use to distinguish between effective and ineffective ML engineers.
Read More
B 04 26 22 Webinar Re Replacing Your SEG
Learn how Microsoft 365 and Abnormal work together to provide comprehensive defense-in-depth protection in part two of our webinar recap.
Read More
Blog mitigate threats cover
Learn about the most common socially-engineered attacks and why these tactics are still so successful—despite a growing awareness from employees.
Read More
B Podcast Engineering8
In episode 8 of Abnormal Engineering Stories, Kevin interviews Saminda Wijegunawardena, an engineering leader who is no stranger to fast-growing enterprise startups.
Read More
B 04 04 22 Webinar Recap Krebs
High-impact emails are on the rise and secure email gateways (SEGs) don’t have the functionality to mitigate them. Learn how your SEG is letting you down.
Read More
B 04 19 22 Facebook Phishing
While phishing emails have long been a popular way to steal Facebook login credentials, we’ve recently seen an increase in more sophisticated phishing attacks.
Read More