Damon Poeter* says a recent survey has revealed how widespread and sophisticated phishing attacks are becoming.
Phishing attacks are on the rise and getting more sophisticated, with embattled IT professionals reporting their organisations are more vulnerable than ever, according to a survey Ivanti released this week.
Survey respondents said the global shift to remote work was a major factor in the increased attacks.
Ivanti, a Salt Lake City, Utah-based IT asset monitoring, management, and security platform provider, polled more than 1,000 enterprise IT professionals in the U.S., U.K., France, Germany, Australia, and Japan in the survey conducted by Aberdeen Strategy & Research.
Eighty per cent of those polled said they had seen an increase in the number of phishing attempts targeting their organisations, and 74 per cent said their organisations had “fallen victim to a phishing attack in the last year.”
Nearly three-quarters of respondents said that IT staff themselves were the targets of phishing attempts, and 47 per cent of those staffers succumbed to the phish, Ivanti said.
Those attacks are not letting up — 40 per cent of respondents to the Ivanti survey said they had experienced a phishing attack in the past month.
In addition to increased exposure to phishing attacks due to the rise in remote work, staffer fatigue and talent shortages have hindered IT departments, Ivanti security VP Daniel Spicer told VentureBeat.
“The attacks are also getting more sophisticated,” Spicer said.
“That’s due in part to the fact that even prior to the pandemic, threat actors had targeted and were collecting entire [email] inboxes to gain a treasure trove from which to craft better, more convincing phishing emails with which to infect victims with ransomware.”
Phishing attacks seek mobile endpoints
Phishing attacks are more successful when targeting mobile endpoints instead of servers, according to the Aberdeen research.
That’s made mobile data breaches more pervasive and ultimately more costly.
Spicer said such breaches cost companies “a median value of about $1.7 million and a long-tail value of about $90 million.”
The bad news is that older methods of defending against phishing and ransomware aren’t as effective in the face of more targeted, sophisticated attacks, Spicer said.
For example, training employees to better avoid phishing scams has had diminishing returns.
“A lot of the traditional stuff we use against phishing isn’t working as well these days,” Spicer said.
“User training is not as effective against sophisticated phishing attacks.
“For example, hovering over a link before clicking isn’t working as well because the bad actors are better at masking bad links.”
What’s more, although training people can still be helpful, overworked IT staffers have been falling behind in such educational efforts, according to the Ivanti survey.
Ninety-six per cent of respondents said their organisations have programs to teach employees to avoid phishing and ransomware.
But only 30 per cent said that 80 per cent to 90 per cent of their employees had completed the training.
Spicer also pointed to the arms race between phishers and cybersecurity professionals, saying it’s difficult for the latter to gain a lasting advantage.
“In terms of technology, we can use machine-learning models to better detect phishing.
“But the threat actors have those same tools, and they also can leverage large amounts of data from inbox theft to craft better phishing emails,” he said.
So what does work against the bad actors?
Spicer said organisations are increasingly turning to zero-trust security frameworks, in which users of organisational IT assets must repeatedly re-verify their credentials in order to access networks, apps, and data.
*Damon Poeter is a contributor at VentureBeat.
This article first appeared at venturebeat.com