Phishing Click Rates Decline While Socially-Engineered Attacks Grow

June 11, 2020

Abnormal Security

Ken Liao

Cyber threats are constantly evolving. Cybersecurity teams are most effective when they deploy defenses that protect against the threats that pose the greatest risk at any given time. Socially-engineered attacks — one of the most financially-damaging threats according to the FBI — are on the rise and this year’s Verizon 2020 Data Breach Investigations Report (DBIR) uncovered some interesting findings on the trend.

According to the report, phishing remains a fruitful method for threat actors. But in good news, Verizon found that click rates are as low as they’ve ever been (3.4 percent), while reporting rates are rising, albeit slowly. It seems that security awareness training is succeeding with education about basic phishing attacks — but is that enough? 

While increased awareness seems to be a positive step, it may not actually be doing much to help today’s organizations, as business email compromise (BEC) attacks are unfortunately on the rise — and the high level of sophistication and social engineering makes them nearly impossible for an employee to spot. These modern BEC attacks lack the common threat signals to trigger detection from yesterday’s secure email gateways (SEGs). These attacks do not have attachments carrying malware. Nor do they contain URLs leading to malicious websites. 

These email attacks are highly-personalized for each individual target in an effort to convince them they are interacting with a trusted sender. So while security awareness training is proving to be effective in reducing click rates, the continually increasing rates of financial loss due to BEC tells a different story — we’re not doing a good job at stopping these payload-less and socially-engineered attacks. 

On a related note, the DBIR report also found that malware has been on a consistent and steady decline over the last five years. Verizon theorizes that with hacking and social breaches leading to credential theft, malware is no longer needed to maintain persistence. Malware “is a tool that sits idle in the attacker’s toolbox in simpler attack scenarios.” (Even though malware still often plays a role in more complex incidents such as ransomware attacks).

The data tells us that, more and more, threat actors are finding success with socially-engineered attacks. Malware detection tools are likely working – but they’re less needed, as recent attacks trend more toward social engineering. 

What does this mean? The tools we have in place to stop email attacks that carry malicious attachments or URLs to malicious websites are doing a good job. Microsoft EOP and ATP and the native security controls from G Suite are effective. Where there is a security gap is with our ability to address BEC: the payload-less, socially engineered attacks. We need a new approach to complement the security capabilities from the cloud email platforms. Interested in learning more about how the Abnormal Cloud Email Security platform deploys with a native API-integration and stops BEC?

Subscribe to receive twice-monthly updates of the latest attacks we've detected in the wild:

Like our article? Share our content