Email phishing campaigns are one of the favoured tools of cyber attackers these days. But employees need to also be trained to watch for voice and SMS-based phishing attacks because they are increasing, according to a new report.
In security vendor Proofpoint’s annual State of the Phish report, 49 per cent of infosec pros surveyed said their organizations had experienced vishing (voice phishing) and/or smishing (SMS/text phishing) attacks last year. That was an increase from 45 per cent in 2017.
Of the 49 per cent of respondents who said they experienced vishing and smishing, half dealt only with vishing attacks, 12 per cent saw just smishing, and 38 per cent experienced both types of attacks.
This was just one of the many numbers in the report, based on an analysis of data from tens of millions of simulated phishing emails sent to Proofpoint customers and quarterly surveys filled in by infosec professionals, which was released Thursday.
“Smishing should be of particular concern given the wide use of smart devices and the increased adoption of BYOD (bring your own device) policies,” the report says.
Yet simulated smishing campaigns are not commonly used by Proofpoint customers, it adds. That’s not good because average failure rates among firms that do smishing tests are similar to those for phishing: Seven per cent of users clicked links sent to them via text message during Proofpoint’s measurement period.
As a result, organizations should consider how they are assessing their susceptibility to these threats and how users are being educated to spot and avoid them.
“Email is the top cyber attack vector, and today’s cybercriminals are persistently targeting high-value individuals who have privileged access or handle sensitive data within an organization,” Joe Ferrara, Proofpoint’s general manager of security awareness training said in a statement. “As these threats grow in scope and sophistication, it is critical that organizations prioritize security awareness training to educate employees about cybersecurity best practices and establish a people-centric strategy to defend against threat actors’ unwavering focus on compromising end users.”
Among other findings:
– Companies testing their staff have a choice between sending generic or tailored messages. Any kind of personalization led to higher failure rates than the nine per cent average. In particular, redisplaying email addresses inside phishing tests seemed to lend greater credibility to messages, subsequently elevating the likelihood of end-user interaction.
This is important because last year the amount of real spear phishing increased to 64 per cent from 53 per cent.
– Credential compromise has increased 70 per cent since 2017, surpassing malware infections to become the most common phishing attack impact in 2018. Respondents reporting phishing attacks that resulted in data loss more than tripled between 2016 and 2018, underscoring the growing phishing threat and the impact of such attacks.
– Companies have a choice between using a carrot or a stick when it comes to dealing with those who regularly fail phishing tests. Compared to 2017, firms seem to be easing off on negative reinforcement, including fines.
– Seventy-six per cent of respondents said their response is counselling from a manager, up from 74 per cent in the previous survey. Only two per cent said they levy a monetary penalty, down from five per cent in 2017.
Want to know what messages your staff is likely to fall for? Here are the top six subject lines that last year got the highest failure rates in phishing test campaigns sent to a minimum of 1,500 recipients:
– Toll Violation Notification
– [EXTERNAL]: Your Unclaimed Property
– Updated Building Evacuation Plan (also among the highest failure rates in 2017)
– Invoice Payment Required
– February 2018 – Updated Org Chart
– Urgent Attention (a notification requesting an email password change)
To best take advantage of increasing phishing awareness, adds the report, organizations should make it easy for end users to report suspicious messages and make it easy for response teams to take action.
“Organizations must consistently win daily battles in order to have a shot at being victorious in the war against cybercrime,” the report concludes.
“Like it or not, end users play a significant role in those battles. When phishing attacks slip through network perimeters, people become the last line of defense. End users should not be left unarmed when they find themselves at these binary decision points: Should I or shouldn’t I click this link … download this attachment … respond to this request for sensitive information? Those moments count.
“Security awareness training provides an opportunity for organizations to be present in those moments. Effective education and learned skills can become the “whispers” in your end users’ ears, guiding them to make the right choices.”
The full report can be downloaded here. Registration required.