The ICO exists to empower you through information.

56% of businesses and 62% of charities that reported having had breaches or attacks in the past 12 months, felt phishing attacks were the most disruptive types of attack that organisations face. This is according to the most recent UK government cyber security breaches survey. It also showed that the percentage of phishing attacks was on the rise. 79% of businesses identified having had a phishing attack in the last 12 months, compared to 72% in 2017.

Proofpoint’s State of the phish report revealed a higher percentage still. 91% of UK companies responding to their survey stated they had experienced at least one successful email-based phishing attack in 2022. More than a quarter of those (26%), also reported direct financial losses as result.

During the COVID-19 pandemic, the UK’s National Cyber Security Centre (NCSC), the United States Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory statement. They warned of malicious cyber actors exploiting the pandemic with related scams and phishing emails. The levels of attacks have not returned to pre-pandemic levels. The Office of National Statistics (ONS) also reported that fraudsters were targeting people by taking advantage of behavioural habits since the pandemic, such as increased online shopping.

Defending against phishing requires using technological mechanisms (such as filtering, firewalls and blocklists) in conjunction with human-centric approaches (such as cyber security awareness training around phishing).

What is phishing and how does it happen?

Phishing is when criminals use scam messages to trick people into sending sensitive information, pay money, or click on a link which contains a virus or takes you to a fraudulent website. Phishing threats affect organisations of all sizes and sectors. 34% of users did something that put themselves or their organisation at risk, such as clicking on a malicious link, according to a report from Proofpoint.

Phishing is a type of social engineering. It relies on the person believing the message originates from someone they know or an organisation they trust. Proofpoint’s report also highlighted that 44% of people think an email is safe when it contains familiar branding. However, criminals used Microsoft branding or products in over 30 million malicious messages sent in 2022.

Phishing may happen by various means, most commonly by email, text (smishing) or voice call (vishing). Most phishing attackers send high numbers of messages and expect success in relatively few cases.

Some attackers are much more targeted and use a method known as spear phishing. These attacks aim to target a specific person or organisation. These attacks are tailored to use information such as names, job roles or social media profiles to make the messages seem more relevant and believable. This is why it is important to be aware of the information you disclose online and how attackers may use it.

Business email compromise (BEC) is a scam which compromises legitimate business email accounts through social engineering, spoofing, or hacking, to conduct unauthorised transfers of funds. In more recent times, attackers have targeted savings accounts held by financial institutions, such as banks or stockbrokers, for cryptocurrency exchanges. The FBI’s 2022 Internet crime report showed BEC still accounts for 75% of attacks and $2.7 billion in losses.

Typically, the attacker sends a message designed to frighten or panic the person opening it into acting immediately. This is so they don’t have time to judge whether the message is real.

Common topics are about health scares, the threat of money losses, advising another account is compromised or time-limited ‘too good to be true’ offers. If the person takes the bait, they will download malware or be asked to provide further information, such as their banking details, usernames, and passwords.

Phishing attacks can put all your information at risk. A successful phishing attack can have serious consequences, including:

  • theft of money;
  • lost, or compromised information;
  • damage to reputation or trustworthiness;
  • identity theft; and
  • disruption to business functions.

Attackers often rely on phishing emails to get people to download the malware needed to start the attack or get access to the credentials needed to gain a foothold into the target organisation’s systems.

Usually, attackers will try and find a weak point in the target organisation’s defences. They will launch an initial attack on a regular user account. Inadequate security controls, or failure to follow the principle of least privilege, can inadvertently provide criminals with much wider access once compromised. Criminals may escalate privileges, either laterally, by taking control of additional systems, or by looking to gain administrative permissions or root access to control the entire estate.

Whilst anyone can be the victim of phishing, attackers are looking for high value returns. The FBI’s Internet crime report shows phishing has the highest number of victims, with 300,497 recorded victims in 2022. This is a year-on-year increase from 2020. Phishing is also recorded as one of the top initial infection vectors for ransomware.

Example: Phishing compromise leads to loss of personal information and a monetary penalty notice

Facts

An attacker compromised a construction company's servers including four HR databases and File Director System. The systems contained the personal information, including special category information, of up to 113,000 people. This was encrypted and rendered unavailable to the company by the attacker.

The attack

A phishing email was sent to the company's accounts team mailbox which was designed to appear as though the document required urgent review. One employee then forwarded it to another employee responsible for paying invoices. This employee opened the email, downloaded, and extracted the ZIP file linked in the email, and opened the script file. This  installed malware onto their workstation and gave the cyber-attacker access to the employee's workstation.

The employee was working from home and had access to the company's systems via a split tunnelling method. As a result, the employee who clicked on the link in the email did not go through the company's Internet Gateway system which was designed to restrict access to malicious sites.

The company's System Centre Endpoint Protection tool attempted to remove some of the files and subsequently reported that the removal of malware files had been successful. No further action was taken by the company at this time to verify that all malware had been removed. In fact, the attacker retained access to the employee's workstation.

Following this initial access, the attacker compromised a server. This was used to move laterally to other systems and resulted in the:

  • compromise of 283 systems and 16 accounts (including 12 privileged accounts) across four domains;
  • execution of a script to uninstall the company's Anti-Virus solution; and
  • encryption of personal information on four HR databases and File Director System, which together contained personal information of up to 113,000 people, including special category information.

What could have been done differently?

  • Implement supported operating systems (operating systems no longer the subject of security updates to fix known vulnerabilities can be exploited by malicious actors.)
  • Implement appropriate end-point protection.
  • Undertake adequate vulnerability scanning and penetration testing.
  • Provide appropriate staff training.
  • Update protocols.
  • Conduct an effective and timely investigation.
  • Give domain privileges only where strictly necessary and to the minimum number of users.

 

What might help reduce the risks from phishing?

Phishing attacks are common and there is no single security solution. You should put in place multiple layers of protection, so that if one fails, the others can mitigate against further damage:

  • Refer to the ‘Basic security principles’ in the previous section.
  • Be aware of how phishing attacks work and provide training to all staff to help them recognise and respond to potential attacks.
  • Foster a ‘no blame’ culture for staff to encourage reporting. The more you know, the more you can do to limit any impact and remember that your staff are your first line of defence in these instances.
  • Have a clear reporting mechanism so you are made aware of any concerns promptly. All staff need to know when and how to report, with robust processes in place to respond to potential phishing reports.
  • Enable multi-factor authentication.
  • Have clear contracts and service level agreements with any IT providers you might have outsourced specific operational or security services to, which cover expected security measures.
  • Train staff to be wary of opening emails from senders they don’t recognise, and to contact known senders by alternative methods if you are concerned.
  • Advise staff not to click on password resets in an email unless they have recently requested them. Instead, tell them to login in the usual way and change passwords from inside the system.
  • Set up anti-spoofing controls to prevent attackers being able to pretend to be from a particular organisational domain.
  • Review information in the public domain, on your websites, in news articles and across social media channels, so it doesn’t provide information which can help trick your staff or make you an easier target.

What are the likely future developments?

Phishing emails are getting increasingly sophisticated and more of them are getting through traditional perimeter detection, according to the Egress phishing report. They report a 29% rise in phishing emails getting through secure email gateways (SEGs).

Attack frameworks, such as Evilginx and phishing kits, that mirror legitimate websites, are also being sold to potential criminals. It is likely that defender’s capabilities will also develop to better identify and block these attacks. However, the speed attackers develop their own capabilities means it’s difficult for defenders to stay one step ahead.

Phishing kits incorporating anti-bot protection and QR generation will make security more difficult. The real-time ability to decide which fake page someone sees depending on their actions, will also make it hard for potential victims to spot them. Novel attacks also seek to exploit MFA fatigue to bypass current controls, or capture session cookies that render existing controls futile.

As artificial intelligence (AI) continues to develop, criminals are increasingly using large language models (LLMs), such as ChatGPT, to create phishing campaigns. The use of AI makes it less likely phishing emails will have poor grammar, bad spelling or requests which don’t make sense. This makes it virtually impossible for people to distinguish between malicious social engineering attempts and legitimate messages.

Generative AI can create faster, more effective, and larger scale cyber attacks through tailored phishing that can intelligently adapt to bypass firewalls. Artificial intelligence can also replace a person in a video for someone else (known as a deepfake video) and voice cloning. The increasing use of text-to-speech in phone calls and chatbots capable of evading existing bot detection techniques will inevitably lead to security challenges.

The ease with which artificial intelligence can be used to generate content means far fewer skills are required. This lowers the entry barrier for would-be cyber criminals to carry out effective attacks.

However, despite these issues, AI-powered security protection is also being developed to improve detection and disrupt criminals. This is due to the positive developments in effective analysis of user behaviours and email content. The general advice remains, and you should assess the risks and opportunities that these emerging technologies pose to your organisation, considering the organisational context, and deploying proportionate and layered controls and mitigations.

Relevant links

Further reading