The Attack Vector to Worry About.

What is the most effective method of exploiting vulnerabilities in cybersecurity? The answer to that question has been the same for years, and most cybersecurity practitioners expect it to retain the #1 spot for years to come.

The answer is… Phishing and its various forms, including Spear Phishing, Whaling, Vishing, Smishing, and Pharming.

What is “Phishing and its various forms”?

  • Phishing – sending emails purporting to be from a known or reputable sender in order to induce the recipient to reveal personal information.

  • Spear Phishing – targeted phishing attack, often after extensive reconnaissance of the target.

  • Whaling – spear phishing attack targeting a high-profile target.

  • Vishing – voicemail purporting to be from a known or reputable sender in order to induce the recipient to reveal personal information.

  • Smishing – sending texts purporting to be from a known or reputable sender in order to induce the recipient to reveal personal information.

  • Pharming – directing victims to a website that appears to be legitimate in order to induce the victim to reveal personal information.


According to the 2021 IC3 Annual Report,¹ Phishing was the largest attack vector and nearly four times second place:

  • Phishing, Vishing, Smishing, and Pharming – 41.74%
  • Non-Payment – 10.62%
  • Breach – 6.68%
  • ID Theft – 6.65%
  • All Others (COMBINED!) – 34.31%


Those numbers are from the FBI’s IC3 and reflect reported crime based in the United States. Phishing is also the number one attack vector in the United Kingdom.

When we talk about attack vector, we are talking about how the bad actor initiated the crime against the victim. This could be referred to as the “root cause” of the crime, as it is the first step in the chain of actions taken by the bad actor. The numbers above represent the number of phishing attacks and financial losses directly caused by phishing and its various forms. However, phishing and its various forms may be part of an attack chain used to perpetrate a number of different crimes. Phishing could be deployed, and perhaps be the root cause for:

  • Gift Card Scams – Growing in popularity is the Smishing scam requesting gift cards to be purchased for someone purporting to be a senior leader.
  • Ransomware – Phishing, Remote Desktop Protocol (RDP) exploitation, and software vulnerabilities round out the top three techniques used to infect victims with ransomware. Ransomware, separately, accounted for losses of $49,207,908 USD in 2021.
  • Crypto Mining – An alternative to ransomware, some bad actors are using their success in phishing to install crypto mining software on a victim’s computers.
  • Business Email Compromise (BEC) – Bad actors may achieve success in victimizing via phishing and use that success to initiate a BEC scam. This type of crime is currently the most financially successful cybercrime, accounting for losses of $2,395,953,296 USD in 2021.

How to Protect Against Phishing

To protect your company (and yourself!) from phishing attacks:

  • Security Awareness Training – Training is the most effective prevention against phishing and its variants. It’s almost impossible to predict all the ways a bad actor could deploy a phishing attack. You and your employees need to be aware of the threat and be vigilant.

  • Phishing Exercises – Several vendors provide training platforms that simulate phishing emails to test users. Metrics help security teams determine the effectiveness of their security awareness training.
  • Tabletop Exercises (TTX) – Tabletops can use phishing in the scenario to help security teams prepare their incident response tactics.
  • Alerts – Reminding employees to be vigilant during high risk periods:

    • Spring – tax fraud scams
    • Summer – vacation and award scams
    • Fall – shopping scams, including Black Friday
    • Winter – holiday scams, including donations and bogus shipping

Encourage Your Teammates to Take It Home!

Everyday folks can be targeted by phishing scams just as much as employees of large corporations. While there is a lot of information available online, not everyone is educated about the dangers posed by bad actors deploying phishing scams. If you are a security practitioner at a company, encourage your employees to take the lessons they learn in company-provided security awareness training home to their friends and family.

¹ This post was updated on 04/10/2022 to reflect numbers for calendar year 2021.
