Phishing is a form of social engineering in which the adversary tricks the victim into sharing sensitive information or installing a malware payload on their systems.
Today, phishing is the most prevalent cybersecurity threat in the digital world, with the victim count totaling well over 323,000 unsuspecting Internet users. That’s a 34% increase year over year — and that’s why we’re taking a look at this concerning trend here.
How phishing works
Phishing is all about trickery. The adversary impersonates a legitimate entity — an individual or an organization, often a financial institution — in order to convince the user to take the desired actions. (The name, of course, comes from fishing: the attacker throws out some bait and sees who will respond.)
Phishing attempts are typically aimed at unsuspecting users and carry little context about the targets, yet victims still fall prey through oversight and a lack of security awareness.
One example of phishing is an email from someone impersonating a large social media platform, alerting the target to reset their password and citing a security risk such as an unauthorized login attempt. When the target follows the instructions in the phishing email and shares their current password, the adversary captures it.
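As an added example (not from the original article or Splunk), here is a small check a mail gateway or SOC analyst could run against the scenario above: a message that claims to be a password-reset alert from a brand, but whose reset links or sender address do not belong to that brand's domains. The brand name, the brand-to-domain allowlist and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allowlist a mail gateway or SOC would maintain: brand name as it
# appears in mail, mapped to the domains that legitimately serve its reset pages.
# "examplebook" is a constructed brand, not a real service.
BRAND_DOMAINS = {"examplebook": {"examplebook.com", "accounts.examplebook.com"}}

# Constructed phishing sample: display name, subject and wording impersonate the
# brand, but the reset link lands on a lookalike host and the sender is off-brand.
PHISH_EMAIL = """\
From: "Examplebook Security" <no-reply@examplebook-alerts.net>
Subject: Unauthorized login attempt - reset your password now

We detected an unauthorized login attempt on your account.
Reset your password within 24 hours: http://examplebook.com.reset-secure.net/login
"""

# Constructed legitimate sample for contrast: sender and link both stay on-brand.
LEGIT_EMAIL = """\
From: "Examplebook" <no-reply@examplebook.com>
Subject: Your Examplebook password was changed

If this wasn't you, reset it at https://accounts.examplebook.com/reset
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable(host: str) -> str:
    """Crude registrable-domain approximation (last two labels). Production code
    would consult the Public Suffix List so that e.g. example.co.uk works."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_reset_mail(raw: str) -> dict:
    """Identify the brand a mail claims to be from, then report every link host
    and the sender domain that does not belong to that brand."""
    msg = message_from_string(raw)
    claimed = ((msg["From"] or "") + " " + (msg["Subject"] or "")).lower()
    brand = next((b for b in BRAND_DOMAINS if b in claimed), None)
    allowed = {registrable(d) for d in BRAND_DOMAINS.get(brand, set())}
    body = msg.get_payload() if isinstance(msg.get_payload(), str) else ""
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    off_brand_links = [h for h in hosts if brand and registrable(h) not in allowed]
    sender_host = parseaddr(msg["From"] or "")[1].rpartition("@")[2]
    sender_off_brand = brand is not None and registrable(sender_host) not in allowed
    return {"brand": brand, "off_brand_links": off_brand_links,
            "sender_off_brand": sender_off_brand,
            "suspicious": bool(off_brand_links) or sender_off_brand}
```

A real deployment would also resolve shortened URLs and inspect HTML href targets, since the visible link text and the actual destination often differ.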
What about spear phishing?
Another form of phishing, aimed at a specific audience, is called spear phishing. This attack adds context, making it more convincing and more likely that the target falls prey. An example of spear phishing is an email purporting to come from the target’s own organization and asking them to reset their password, which helps convince the victim to engage.
(Read our entire guide to spear phishing: seeing and stopping these attacks.)
Reasons for phishing
The earliest phishing attempts emerged in 1996, when hackers lured AOL users into sharing sensitive personal information.
The bad actors used a variety of bait tactics that created urgency, prompting targeted victims to click malicious links and share their personal information online. This information was then sold among hackers and used to take over a victim’s account and lock them out, with access restored only in exchange for financial compensation. Back then, phishing was usually motivated by…
- Financial gain. Victims were tricked into paying to regain access to their social media accounts, and hackers sold victim information to other hackers for monetary gain.
- Identity theft. Using a victim’s social media account to bait their contacts into sending money or purchasing products online through the compromised account.
- Notoriety. The hacker culture was real and thriving; any hobbyist with a stolen account would brag about their notorious achievements in their communities.
2023 phishing trends
Today, phishing has emerged as one of the most prominent practices in the cybercrime ecosystem, and it is motivated solely by financial gain. Take a look at the latest phishing stats:
- Origin story. 36% of all security breaches begin with a phishing attack.
- The vast majority. Over 80% of all business organizations globally have reported phishing attempts that target their employees.
- Not one-and-done. Phishing attacks are not one-time-only security incidents. The costliest phishing attack compromised thousands of emails and caused a financial loss of $1.8 billion — despite 20,000 complaints registered with the service providers.
- How many emails? 3.4 billion phishing emails are sent every day. Most of these emails are automated and aimed at a large audience without much context.
- Warnings. In 2023 alone, 33 million data records are expected to be compromised due to phishing attacks.
Where are the attacks coming from?
Early on, many phishing attacks were traced to Nigeria. These attacks were known as 419 scams, after the section of the Nigerian criminal code that covers fraud.
Today, phishing attacks originate anywhere. Because of the ease and availability of phishing toolkits, even hackers with minimal technical skills can launch phishing campaigns. The people behind these campaigns run the gamut from individual hackers to organized cybercriminals.
(Cybercrime as a service enables more cyberattacks, if you’re willing to pay for it.)
Key challenges for individuals & organizations
From a macro perspective, defending against phishing attempts has been a major challenge for enterprise organizations and for Internet users who are otherwise well aware of the security threat. Users are regularly informed and educated to improve their security awareness, and technology companies embed security features into their systems.
Yet, somehow, social engineering remains successful in compromising the human element. This comes down to the following key challenges:
The average internet user
Internet users who are less tech savvy tend to resist learning about or acknowledging the threat. Instead of taking a critical look at phishing emails that seem too good to be true, they simply try their luck, click links, download attachments — and see no harm. And how could they?
Malware installations are invisible, slipping under the antivirus radar and taking effect in stealth mode. Websites that steal user information are incredibly deceptive and effectively impersonate legitimate businesses.
(Get more info about malware.)
The human factor
Security mechanisms such as authentication and security alerts still rely on human behavior and knowledge. If the phishing attempt can trick users into sharing sensitive login and authentication credentials, adversaries can use this knowledge to pass authentication tests as legitimate users.
Security policies and flexibility
Business organizations must be flexible when enforcing security policies:
- Tight governance protocols mean that users have limited flexibility in accessing the network and sharing data, which may be critical for their routine jobs.
- Make the access control rules too flexible, and anyone with employee login credentials or rogue internal users can leak sensitive business information.
Without an optimal plan to manage identity and access controls, any user with sufficient access privileges falling prey to a phishing attempt can cause significant damage to the organization. However, finding that optimal state is no simple task.
Protecting against phishing
So how do you protect against phishing? The answer to this question lies in resolving the very challenges responsible for effective phishing attempts:
- Improve security awareness among Internet users with mandatory training and education programs.
- Use security mechanisms that rely on foolproof multifactor authentication systems.
- Adopt security governance policies based on the unique needs of your users and security threats facing your organization.
Check out expert research, like Monitoring for Phishing Payloads and GSuite Phishing Attacks, from the Splunk Threat Research Team.
Splunk supports enterprise security
The right cybersecurity strategy can help you stay ahead of phishing attempts. See how Splunk can help support these efforts and strengthen your digital resilience.
This posting does not necessarily represent Splunk's position, strategies or opinion.