25 years later, phishing attacks are the cybercrime that keep on giving

Adversaries are quick to identify new phishing opportunities – of which the pandemic provided many – and develop new tactics and techniques.
8 September 2021

25 years later, phishing attacks remain an effective cybercrime technique. Source: Unsplash

  • Phishing attacks have been successful at continuously evolving and diversifying, tailoring attacks to topical issues or concerns like the pandemic
  • Kaspersky said that from March 2020 to July 2021, its software had prevented over a million user attempts to visit such phishing websites
  • The government sector lags behind when it comes to running cybersecurity awareness programs to address phishing

Phishing scams are commonplace today, but that wasn’t always the case. The earliest phishing attacks transpired around 25 years ago, and today phishing is one of the most vicious and dangerous threats to businesses — regardless of whether it hits a large corporation, a small business, or something in-between.

The most successful phishing attacks often involve a combination of different social engineering tactics and can involve the impersonation of CEOs or company executives, government organizations, charities, vendors, and business partners. Phishing can be a costly cybercrime for organizations, causing financial losses due to fraud, and wreaking havoc indirectly as it is the primary attack vector for ransomware.

While phishing has been around for a quarter of a century, it remains an effective cyberattack technique primarily because it continues to evolve. British security firm Sophos, in its recent 2021 Phishing Insight report, noted that “adversaries are quick to identify new phishing opportunities – of which the pandemic provided many – and develop new tactics and techniques”.

Pandemic – The peak of phishing attacks

According to cybersecurity firm Kaspersky, since the beginning of the Covid-19 pandemic, over 5,000 pandemic-related phishing websites have surfaced, designed to steal users’ credentials via fake payment offers and discounted Covid tests, among others.

From March 2020 to July 2021, Kaspersky prevented over a million user attempts to visit such phishing websites with its software, the firm reported. Recently, even phishing ads for fake QR codes and vaccination certificates for restaurants and public events have become popular. The increase in the number of phishing attacks related to Covid tests and vaccinations shows how cybercriminals are always looking out for opportunities to plan their attacks and are in sync with the current trends that may help them gain greater attention from their potential victims.

How are firms dealing with phishing attacks?

The Sophos report, which surveyed 5,400 IT professionals on the IT frontline around the globe, found that phishing means different things to different people. The most common understanding of phishing (57%) is emails that falsely claim to be from a legitimate organization, usually combined with a threat or a request for information.

The survey interestingly revealed that the government sector lags behind when it comes to running cybersecurity awareness programs to address phishing, with the two bottom spots taken by local government (69%) and central government (83%). “This is concerning, as government organizations are frequent targets for high impact cyberattacks: central government is most likely to experience extortion-style ransomware attacks, while local government is most likely to have their data encrypted in a ransomware attack,” said Sophos.

As anticipated, 70% of survey respondents reported an increase in phishing attacks on their organization since the start of the pandemic. The good news is that 90% of organizations have implemented a cyber awareness program to address phishing, with an additional 6% planning to set one up. Phishing awareness programs are also well established: almost two-thirds (65%) of them were implemented between one and three years ago, reflecting organizations’ response to the rise of phishing threats over the last five years.

Sophos principal research scientist Chester Wisniewski concluded by suggesting organizations should attempt to prevent phishing emails from ever reaching their intended recipient. “Effective email security solutions can go a long way towards achieving this, but this should be complemented by alert and primed employees who are able to spot and report suspicious messages before they get any further,” he said.