Two years into the COVID-19 pandemic, organizations are continuing to face evolving, unique challenges in how they defend against phishing attacks, including workforces that rely on a tangle of different devices, disparate work landscapes and cybercriminals that are "as adept as ever."
These factors all add up to a lucrative target environment for phishing attacks, which researchers with Proofpoint said went up across the board over the past year. The report revealed that indiscriminate “bulk” phishing attacks increased 12 percent in 2021 over the previous year, while more targeted attacks like spear phishing and business email compromise were also up year-over-year, 20 percent and 18 percent, respectively.
“Along with hybrid and remote work options, organizations are mulling the best ways to keep employees connected and collaborative,” said researchers with Proofpoint in their 2022 State of the Phish report, released Tuesday. “Studies show the ongoing pandemic has had a major impact on workers’ mental health. Employees are feeling burned out, emotionally drained and distracted. Meanwhile, cyber attackers are as adept as ever. And they continue to use tactics and lures that resonate with employees and consumers alike.”
The annual report, which explores issues driven by poor cybersecurity practices and the impact of a lack of knowledge and communication around phishing threats, draws data from 3,500 working adults, as well as 600 IT security professionals, across seven countries. The report also looks at almost 100 million simulated phishing attacks and 15 million emails reported by end users.
Phishing Attacks on the Rise
According to the report, more than 80 percent of survey respondents said that their organizations suffered a successful email-based phishing attack in 2021, a 46 percent jump from 2020. Researchers said they also identified 15 million phishing messages carrying malware payloads, including Dridex, TrickBot, Emotet, Qbot and BazaLoader, that have been linked to later-stage ransomware.
Researchers saw a “marked increase” in the abuse of Microsoft and Google infrastructure, with attackers leveraging Microsoft 365 (which includes Office apps, OneDrive and SharePoint), Microsoft Azure, Google Workspace and Firebase Storage. Beyond that, researchers also found that employee recognition of common cybersecurity terminology had decreased in 2021 from the previous year, raising concerns about how employees are being trained on cybersecurity threats. For instance, the share of employees who correctly knew the definition of phishing (53 percent) was down 16 percent year-over-year. At the same time, more than two-thirds of respondents demonstrated a lack of understanding of what the technical email safeguards on their work accounts can and cannot do.
“The overall decline in awareness is another area where pandemic fatigue - and its impact on workers’ engagement and attention spans - could be a factor,” said researchers. “It could also reflect a decreased prioritization of cybersecurity awareness and training initiatives during 2021. The pandemic has put many different pressures on organizations, and some may have been forced (due to lack of time, resources or other factors) to deprioritize employee education programs.”
Hybrid Workforce Woes
Companies with remote or hybrid workforces are dealing with widespread device management challenges, as employees use multiple devices, both personal and company-owned, for work. Up to 74 percent of surveyed respondents said they use one or more of their own devices for work-related purposes, while 77 percent of those with employer-issued devices use them for personal purposes in some capacity, such as checking personal email, looking up products or travel destinations, shopping online or viewing social media. Researchers also found that 56 percent of employees who have a company-owned device grant access to friends or family members (up from 52 percent last year).
This mixing of personal and work devices creates a particular challenge for organizations trying to prevent phishing attacks, as it expands the company’s attack surface and adds unmanaged devices into the mix. For instance, an attacker who has compromised an employee’s personal device could gain access to corporate resources if the employee checks corporate email on that device. Or, an employee may click on a malicious link sent via a social media message on their corporate device.
External Wi-Fi networks pose another difficulty for security teams. Up to 40 percent of survey respondents do not password-protect their home Wi-Fi networks, and only 26 percent change their network’s default Wi-Fi password. While many Wi-Fi-based attacks can be difficult to carry out because the attacker needs to be in physical proximity, this lack of precautions can leave many employees’ home networks as exposed as open-access public Wi-Fi, said researchers.
Hybrid work environments are creating security obstacles beyond the threat of phishing attacks. Researchers with Cisco Talos in a Tuesday report said that the pandemic and associated hybrid work shift haven't just introduced new challenges, but have also worsened existing security problems for organizations.
“For example, the stressed out worker that falls for the COVID-19 themed lure that leads to a ransomware attack,” said Nick Biasini, head of outreach with Cisco Talos, on Tuesday. “The development teams that are tasked with remediating vulnerabilities that lose access to key tools and resources when working remotely. Even the employee at a software vendor that doesn't have adequate security protections when outside the office, facilitating a compromise that results in a supply chain attack. These are just a few of the countless scenarios that organizations are now facing.”
Creating a Strong Security Culture
Most companies are trying to educate employees about security threats, with almost all (99 percent) of IT professionals saying that their organization has a security awareness training program. However, Proofpoint researchers said they were concerned that only 37 percent of organizations educate workers about remote work best practices (despite 81 percent of organizations saying that more than half of their employees work remotely).
Beyond security awareness training, researchers also stressed that organizations need to take a step back and look at whether they foster a security-focused culture overall. Companies should gauge employee perception of the organization’s commitment to cybersecurity, the role employees should play in protecting the company and employees' confidence level in identifying security incidents, they said.
“Assessing these factors can reveal obstacles to achieving a strong security culture,” said Proofpoint researchers. “In part, it can show where disconnects between perceptions of security teams, executive teams and employees exist.”