Why are we still falling for phishing attacks?

One-fifth of employees fall for phishing emails even if they have gone through security training — so what's going wrong?
18 December 2020

The global pandemic this year brought a tidal wave of cyberattacks, aimed at capitalizing on the disarray among industries whose operations became fully dependent on digital overnight — and, in many cases, dependent on workers’ personal networks and devices.

The most common attack vector targeted the human chink in the armor. Phishing attacks (social engineering attacks aimed at stealing valuable credential information, such as logins and payment details) hit record levels. Google reported more than 2 million phishing sites this year alone.

According to data presented by Atlas VPN, one-fifth (19.8%) of employees fall for phishing emails even if they have gone through security training. Those numbers are based on data collected during the global 2020 Gone Phishing Tournament organized by Terranova Security and Microsoft. During the tournament, employees from 98 countries worldwide participated in a phishing simulation where their cybersecurity awareness was tested.

Of those that clicked on phishing email links, more than two-thirds (67.5%) also entered their credentials, such as a password, on the phishing webpage. As such, more than one in 10 employees provided their credentials to phishers — for enterprises of any size, that’s a hugely worrying statistic. 

The study showed that employee awareness isn’t increasing and, in fact, seems to be getting worse — the number of employees who clicked on a phishing link increased by 77%, going up from 11.2% in 2019 to 19.8% in 2020.

When it came to actually handing over credentials, the rate increased a massive 644% year-on-year, from 1.8% in 2019 to 13.4% in 2020. 

The results of the study are shocking and could urge employers to rethink the wider stance on future remote or hybrid working arrangements. 

Nearly a third of all breaches in the past year involved phishing, according to the 2019 Verizon Data Breach Investigations Report. For cyber-espionage attacks, that number jumps to 78%. And while the hand-over of sensitive information is one goal of hackers, phishing campaigns are also used to get a victim to download malware onto their devices. 

In these cases, there’s no limit to the potential damage an attack can cause to a business — as we have seen during 2020. Some of the largest ransomware attacks on organizations can be traced back to a simple, misinformed click on a .zip file attachment.

The question is, why do we keep falling for phishing attacks? 

# 1 | Humans are still the weakest link

While awareness and training are improving, overall, organizations aren’t doing enough to protect their businesses. Even if we think we’d be able to spot a phishing scam, it only takes a quick lapse of judgment to fall for one. Phishing attacks are often carefully constructed to play on human psychology — for example, a false alert of suspicious activity on an account can cause such panic that the recipient may overlook tell-tale signs of a malicious email.

During the pandemic, various societal distractions and worries gave attackers no shortage of narratives to play with, from Netflix subscriptions ending to fake coronavirus health updates. 

# 2 | Organizations aren’t doing enough

Staff awareness is one thing, but organizations also must do more to better protect themselves, including preparing for the worst. Many organizations have insufficient backup processes in the case of a ransomware attack, meaning content restoration can’t be achieved quickly across servers and devices. Many organizations don’t adequately and regularly stress-test the security of their IT networks, including running simulated phishing attacks in order to understand their security posture. 

Many organizations lack a BYOD (Bring Your Own Device) policy, meaning that, should a cybercriminal compromise an employee’s device, they will be able not only to gain access to sensitive data on that device but also to leverage that access across the network.

# 3 | Cybercriminal organizations are well-funded 

Cybercriminal networks have built funds and organizations over the years, and have plenty to invest in optimizing orchestrated wide-scale attacks. 

This also allows them to expand to new attack vectors, such as social media, enabling them to circumvent growing awareness around email-based scams to catch users off-guard. Attackers are also investing in technology like AI. Last year, AI software was thought to have been used to imitate the voice of a CEO on the phone, in order to authorize the transfer of a large amount of money to a fraudulent account.

# 4 | Phishing kits make it easy

There are a growing number of tools that allow pretty much anyone, without much computing knowledge, to run their own phishing attacks. 

A phishing kit bundles phishing website resources and tools that need only be installed on a server. Once installed, all the attacker needs to do is send out emails to potential victims.

These tools and ransomware-as-a-service are attracting more amateur cybercriminals, therefore increasing the frequency of attacks, and increasing the likelihood that they will slip through the net. 

# 5 | Attacks and malware are getting more advanced 

It’s predicted that soon, given a continued increase in phishing attacks, all our connected devices will be under attack constantly as cyberattacks become harder to detect, incessant, and ever more sophisticated. 

Cybercriminals can take AI designed for legitimate use cases and adapt it to illegal schemes. Readers will be familiar with CAPTCHA, a tool that has been around for decades now in order to defend against credential stuffing by presenting non-human bots the challenge of reading distorted text. As far back as a couple of years ago, however, a Google study found that machine learning-based optical character recognition (OCR) technology could solve 99.8% of these challenges.

Organizations have to realize that just as the cyberthreat landscape is shifting, so should their response to cyberthreats. Otherwise, the organization is left vulnerable to cyberattacks, which have devastating and long-lasting consequences to both the organization itself and its clients.

Simple steps business leaders and employees alike can take include:

  • Check URLs in email links, as well as email addresses, for spelling mistakes before clicking or entering information.
  • Keep an eye out for URL redirects, where the user is sent to a different website with an identical design.
  • If an email from a familiar source looks suspicious, email them back in a separate message to verify.
  • Avoid posting personally-identifiable data publicly on social media, including birthday, phone number, or vacation plans — all of which can be used by attackers to create a narrative or breach credentials.