SECURITY company Sophos has recently published its latest survey report titled "Phishing Insights, 2021", a survey that looks at the experience and understanding of what phishing is in organisations around the world in 2020.
The phishing survey polled 5,400 IT decision makers in 30 countries across Europe, the Americas, Asia-Pacific, Central Asia, the Middle East, and Africa.
"Phishing has been around for over 25 years and remains an effective cyberattack technique. One of the reasons for its success is its ability to continuously evolve and diversify, tailoring attacks to topical issues or concerns, such as the pandemic, and playing on human emotions and trust," explained Sophos' principal research scientist, Chester Wisniewski.
It is very assuring to know, from the report, cybersecurity education is not neglected in Malaysia as 97 per cent organisations in Malaysia run cybersecurity awareness programmes with their employees to address phishing.
Despite having awareness of what phishing is, 65 per cent of Malaysian respondents said that the number of phishing emails hitting their employees have increased last year. This shows that phishing attacks targeting organisations ramped up considerably during the pandemic, as millions home-working employees became a prime target for adversaries.
According to Wisniewski, some organisations tend to see phishing attacks as a relatively low-level threat, but that underestimates their power. He said phishing is often the first step in a complex, multi-stage attack and according to Sophos Rapid Response, attackers frequently use phishing emails to trick users into installing malware or sharing credentials that provide access to the corporate network.
"The team has seen first-hand how a seemingly innocuous email can ultimately lead to a multi-million-dollar ransomware attack. Cryptojacking, data - and even financial - theft are all potential outcomes after a phishing attack has opened a door for adversaries," said Wisniewski.
From the survey, 60 per cent of the respondents consider Business Email Compromise (BEC) attacks to be phishing, and more than half (55 per cent) think threadjacking (when attackers insert themselves into a legitimate email thread as part of an attack) is phishing too but the most common understanding of phishing, selected by 76 per cent of the respondents, is "emails that falsely claim to be from a legitimate organisation, usually combined with a threat or request for information."
Talking about how to stop phishing attacks, Wisniewski said that the ideal would be to prevent phishing emails from ever reaching their intended recipient. According to him, "effective email security solutions can go a long way towards achieving this, but this should be complemented by alert and primed employees who are able to spot and report suspicious messages before they get any further."
In light of the survey, Sophos believe that phishing awareness and education programmes need to consider the wide range of perceived phishing definitions and that it should include training for non-technical employees too to explain the different facets of phishing and email attacks in general.