Phishing attacks get smarter as targets struggle to keep up

Phishing attacks are on the rise and getting more sophisticated, with embattled IT professionals reporting their organizations are more vulnerable than ever, according to a survey Ivanti released this week.

Survey respondents said the global shift to remote work was a major factor in the increased attacks. Ivanti, a Salt Lake City, Utah-based IT asset monitoring, management, and security platform provider, polled more than 1,000 enterprise IT professionals in the U.S., U.K., France, Germany, Australia, and Japan in the survey conducted by Aberdeen Strategy & Research.

Eighty percent of those polled said they had seen an increase in the number of phishing attempts targeting their organizations, and 74% said their organizations had “fallen victim to a phishing attack in the last year.” Nearly three-quarters of respondents said that IT staff themselves were the targets of phishing attempts and 47% of those staffers succumbed to the phish, Ivanti said.

Those attacks are not letting up — 40% of respondents to the Ivanti survey said they had experienced a phishing attack in the past month.

In addition to increased exposure to phishing attacks due to the rise in remote work, staffer fatigue and talent shortages have hindered IT departments, Ivanti security VP Daniel Spicer told VentureBeat.

“The attacks are also getting more sophisticated,” Spicer said. “That’s due in part to the fact that even prior to the pandemic, threat actors had targeted and were collecting entire [email] inboxes to gain a treasure trove from which to craft better, more convincing phishing emails with which to infect victims with ransomware.”

Phishing attacks seek mobile endpoints

Phishing attacks are more successful when targeting mobile endpoints instead of servers, according to the Aberdeen research. That’s made mobile data breaches more pervasive and ultimately more costly. Spicer said such breaches cost companies “a median value of about $1.7 million and a long-tail value of about $90 million.”

The bad news is that older methods of defending against phishing and ransomware aren’t as effective in the face of more targeted, sophisticated attacks, Spicer said. For example, training employees to better avoid phishing scams has had diminishing returns.

“A lot of the traditional stuff we use against phishing isn’t working as well these days,” Spicer said. “User training is not as effective against sophisticated phishing attacks. For example, hovering over a link before clicking isn’t working as well because the bad actors are better at masking bad links.”

What’s more, although training people can still be helpful, overworked IT staffers have been falling behind in such educational efforts, according to the Ivanti survey. Ninety-six percent of respondents said their organizations have programs to teach employees to avoid phishing and ransomware. But only 30% said that 80% to 90% of their employees had completed the training.

Spicer also pointed to the arms race between phishers and cybersecurity professionals, saying it’s difficult for the latter to gain a lasting advantage.

“In terms of technology, we can use machine-learning models to better detect phishing. But the threat actors have those same tools, and they also can leverage large amounts of data from inbox theft to craft better phishing emails,” he said.

So what does work against the bad actors? Spicer said organizations are increasingly turning to zero-trust security frameworks, where users of organizational IT assets are required to constantly and repeatedly verify their credentials to access networks, apps, and data.