Verizon's 2016 Data Breach Investigations Report (DBIR) reveals that phishing continues to trend upward and to be incorporated into a variety of attacks.
This year's report drew upon a final dataset of 64,199 security incidents and 2,260 data breaches to highlight new patterns, steady trends, and interesting tidbits in the evolving digital threat landscape.
Over 90 percent of the breaches included in the DBIR fit into one of nine classification patterns, with the remainder falling into an "everything else" bucket: web app attacks, POS intrusions, miscellaneous errors, privilege misuse, cyber-espionage, payment card skimmers, physical theft/loss, crimeware, and denial of service.
Across each of those categories, certain topics maintained a consistent presence. Phishing was one such issue.
"Phishing has continued to trend upward… and is found in the most opportunistic attacks as well as the sophisticated nation state tomfoolery," the DBIR explains.
Phishing is one of the most common types of social engineering by which an attacker lures a recipient into clicking on an attachment or URL in some piece of malicious correspondence. It has been around for years, but according to Verizon's report, employees continue to struggle with identifying an attack email.
There were 9,576 phishing incidents recorded in this year's DBIR, 916 of which confirmed at least some data disclosure. Across all campaigns, 30 percent of the phishing messages were opened by their recipients.
They did not waste much time in doing so, either. It took a recipient an average of one minute 40 seconds to open the email and three minutes 45 seconds to click on the malicious attachment.
To be fair, phishing attacks are becoming more sophisticated each year. That evolution is in part due to the types of actors who are predominantly behind phishing campaigns.
"…[T]he main perpetrators for these types of attacks are organized crime syndicates (89%) and state-affiliated Actors (9%) who can put some thought into the ruse they use…," the DBIR observes.
Verizon feels its phishing dataset trended towards organized crime as a result of Dridex campaigns and not because nation-state actors had a "crisis of conscience."
Finally, Verizon found that in 91 percent of the incidents attackers stole the target's credentials, though they did make off with organizations' trade secrets in some of the cases, as well.
To protect against phishing attacks, Verizon recommends that enterprises implement email filtering; segment the network and integrate secure authentication procedures to limit the impact of a successful phish should it occur; monitor the network for signs of data exfiltration; and conduct ongoing employee security awareness training on how to spot a phish.
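As an added illustration of the email-filtering control recommended above (example code written for this page, not Verizon's or the DBIR's), the following Python heuristic scores an inbound message on a few indicators that recur in phishing: a Reply-To domain that differs from the From domain, a display name that borrows the organization's brand while the address is external, pressure language in the subject, and an executable or double-extension attachment. The internal domains, brand words, thresholds and both sample messages are constructed placeholders.

```python
"""Heuristic phishing indicator check for inbound mail (added example, not from the DBIR)."""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical tenant settings: domains the organization legitimately sends from,
# and brand words an impostor would put in a forged display name.
INTERNAL_DOMAINS = {"example.com"}
BRAND_WORDS = {"example corp", "example"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar"}
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx"}
URGENCY_WORDS = {"urgent", "immediately", "within 24 hours", "suspended", "verify"}

# Constructed sample messages; every address and domain is a placeholder.
LEGIT = """From: "Payroll Team" <payroll@example.com>
To: alice@example.com
Subject: March payslip
Content-Type: text/plain

Your payslip is available on the intranet portal.
"""

SUSPECT = """From: "Example Corp Payroll" <payroll@examp1e-corp.net>
Reply-To: collector@mailbox.example.org
To: alice@example.com
Subject: URGENT: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached document and sign in to confirm.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ
--b1--
"""


def _domain(addr_header):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return the names of the indicators triggered by one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []

    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    from_domain = _domain(from_header)
    reply_domain = _domain(msg.get("Reply-To"))

    # 1. Replies are routed to a domain other than the apparent sender's.
    if reply_domain and reply_domain != from_domain:
        hits.append("reply_to_mismatch")

    # 2. The display name claims the organization's brand but the address is external.
    if from_domain not in INTERNAL_DOMAINS and any(
        word in display_name.lower() for word in BRAND_WORDS
    ):
        hits.append("brand_impersonation")

    # 3. Pressure language in the subject line.
    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        hits.append("urgency_subject")

    # 4. An attachment with an executable extension, or a document name
    #    hiding a further extension (e.g. invoice.pdf.exe).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        tokens = name.split(".")
        risky_ext = any(name.endswith(ext) for ext in RISKY_EXTENSIONS)
        double_ext = len(tokens) > 2 and tokens[-2] in DOC_EXTENSIONS
        if risky_ext or double_ext:
            hits.append("risky_attachment")
            break

    return hits


def should_quarantine(raw_message, threshold=2):
    """Quarantine when at least `threshold` independent indicators fire."""
    return len(phishing_indicators(raw_message)) >= threshold


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(label, phishing_indicators(raw), "quarantine" if should_quarantine(raw) else "deliver")
```

Requiring two independent indicators before quarantining keeps a single false positive (a legitimate newsletter with an urgent subject, say) from blocking mail; in a production gateway these heuristics would sit behind SPF, DKIM and DMARC evaluation and attachment sandboxing rather than replace them, and the quarantine decision itself is a useful signal to feed into the exfiltration monitoring Verizon recommends.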
Some organizations might decide to implement their own simulated phishing training, but that takes time and money. It's cheaper and quicker to go with a product that has been tested and that can easily be incorporated into an organization's existing Learning Management System (LMS).