Posted on January 18, 2023
Phishing attacks are continuing to rise, reaching record levels in 2022. By some reports, over 3 billion phishing emails are sent worldwide, every single day. And it’s not just the quantity that is increasing. The appeals, as a whole, are becoming more sophisticated and more effective, and are being delivered by more diverse channels than ever before.
“Classic” phishing is an attack that is initiated with an email that includes either an attached infected file or a link to a malicious website. The website, in turn, may contain malware or be spoofed to resemble a legitimate website and is designed to harvest credentials from unsuspecting users. The emails, too, are often designed to look like they are from a well-known company, like Microsoft, Zoom or a government agency and include urgent messages designed to convince recipients to take action.
Today, classic phishing attacks have been updated and sometimes surpassed in effectiveness by a handful of other types of phishing. These include:
Clever cybercriminals continually devise variations on the phishing theme, spinning up new ways to fool unwary users.
Anyone who uses the internet, especially for work, has heard warnings about phishing. Many phishing emails are so obviously spam and are so poorly written that even unsophisticated users will identify them as dangerous and won’t click.
Billions of phishing emails are sent every day. Microsoft alone claims to detect and block 710 million each week. Despite this huge weeding-out, an estimated 1 in 5 phishing emails bypassed Microsoft defenses in 2022 and reached workers’ inboxes – and at the largest organizations, by one estimate, the bypass figure for Microsoft Defender exceeds 50%.
According to one training vendor, just under one-third (32.4%) of an average company’s users are at risk of clicking on a phishing email that they receive. A typical untrained user will continue to click through to an infected attachment or link about 25% of the time, once they’ve opened the email. The vendor that gathered these statistics claims to bring that rate down to just 3.9% with intensive, ongoing, year-round training.
A 90% improvement sounds impressive, right? But consider what it really means for your organization.
Here’s the math:
According to best estimates, of the 126 emails an average business user receives each day, 1.6% contain malware or phishing links. This means that an average business user who receives 120 emails per day is exposed to 10 phishing emails each week and 520 annually (phishers do not take two weeks of vacation.) A company of 1,000 employees will be exposed to 520,000 phishing emails a year. If users click “only” 3.9% of the phishing emails that they receive, we’re talking about well over 20,000 clicks on malicious emails every year for an average business.
Yet all it takes is one single click-through on a phishing email to expose your company to a potentially catastrophic cyberattack.
Clearly, relying on anti-phishing user training to protect your digital assets is a recipe for failure. Instead of trying to train the most vulnerable elements in your defensive arsenal to be vulnerable only 4% of the time, shouldn’t you aim to protect them – and your business – all of the time?
With a Zero Trust approach to cybersecurity every website, every email, every user, is considered potentially hazardous unless verified as safe. By deploying technologies such as Remote Browser Isolation (RBI) with read-only access for unknown sites, and Content Disarm and Reconstruction (CDR) to protect against malicious attachments, you can achieve far better protection than through user training, and much more efficiently.
RBI protects against infected websites by opening all websites in an isolated container in the cloud, where malware cannot reach the company network or resources by way of the user’s device. CDR protects against infected file attachments by disabling any malicious active elements in attachments before they are delivered to the user, while leaving desired functionality intact.
There is a place for user training, but it should be focused on alternative attack vectors such as vishing. People need to know not to disclose sensitive information to unknown callers, and not to follow instructions from strangers – just like their parents taught them as kids.
But for protection against infected emails and websites, it’s far better to rely on Zero Trust technology than on user training.
Contact us to learn how ZTEdge can makes it easy for your business to streamline user access and productivity while upping your security game.
Air Gapping Your Way to Cyber Safety
Physically air gapping enterprise networks from the web is a great way to protect operations, keep data safe … and squelch productivity. Virtual air gapping is a better approach.
Motion Picture Association Updates Cybersecurity Best Practices
The MPA recently revised its content security best practices to address, among other challenges, the issue of data protection in the cloud computing age.
FTC Issues Cybersecurity Warning for QR Codes
QR codes on ads are a simple way to grab potential customers before they move on. No wonder cybercriminals are using QR codes, too.