IRONSCALES has released a new study, The Business Cost of Phishing, conducted by Osterman Research. The report quantifies the direct costs borne by organizations in mitigating phishing threats, details how the dynamics of phishing attacks are changing, and explores expectations about how phishing will change over the next 12 months.
We spoke with Ian Thomas of IRONSCALES about the report, what organizations need to consider when analyzing their phishing defenses, and how phishing attacks could evolve in 2023.

Why is phishing such a challenge for organizations, even with many solutions/defenses today?
A few key reasons:

1. On the threat actor side, phishing is a low-risk and high-reward scenario. They can simply purchase a list of stolen email addresses on the dark web and launch generic attacks. Or they can do basic reconnaissance of potential victims using social media in order to craft very convincing phishing emails. Or they can send text messages purporting to be from a retailer with a link to a fake website, where they'll then harvest user credentials and move on to more nefarious activities.

2. On the side of those being targeted, security teams are overwhelmed with phishing attacks and an array of other attack types that they're trying to defend against, typically with a security tech stack that is stitched together from a variety of point tools that are difficult to maintain and integrate, especially when a company has a hybrid infrastructure spanning on-prem and cloud environments. Employees/end users tend to fall into two camps: (1) they are extremely busy and don't necessarily think to check the validity of an email before clicking a link or taking some other requested action, or (2) they are extremely paranoid about falling victim to a phishing email and constantly forward messages to the security team asking whether the email is a phish or not, which just adds even more work to an already overstretched team.
What was most surprising about the report's findings?
At IRONSCALES, we've been talking about phishing spreading beyond email and into other collaboration and messaging tools. That's why we added the ability to protect Microsoft Teams environments earlier this year. But seeing how prolific the spread into other areas has already become was an eye-opener for sure. In figure 11 in the report, the IT and security practitioners who participated in this survey revealed that in addition to collaboration platforms like Microsoft Teams, phishing is now a problem across popular messaging apps, cloud-based file-sharing platforms, social media direct messages and more.
How should organizations think about the results - what action should they take?
Phishing isn't the most glamorous topic in the cyber security space and often gets overlooked or underestimated when making technology and budgeting decisions. This report should help shed light on how expensive it really is and what a huge amount of time a typical organization's security team has to spend on dealing with it rather than focusing on other areas. AI-driven email security solutions have made significant advancements in recent years, to the point where most leading vendors in this space have AI/ML solutions that can detect up to 99% of phishing attacks. But there's still that 1% that needs to be addressed, and that's the human piece. End users still need to be trained and tested on phishing, but in a way that isn't seen as an inconvenience but more as helping them to become an extended part of the company's security defenses. This combination, which we call the "human & machine" approach to email security, is really the only viable way to address today's modern phishing reality.
How do you see the phishing problem evolving in 2023?
I definitely foresee the proliferation and sophistication of phishing attacks across different communications channels continuing to get worse. We're starting to see the use of deepfake voice messages and even videos becoming sophisticated enough to trick victims into taking an action they shouldn't have. While ransomware and Business Email Compromise are both potential outcomes of a successful phishing attack, it's starting to look like threat actors are shifting their end goal from ransomware attacks to BEC attacks like invoice fraud and CEO/CFO impersonation.