A Phishing-Related Data Breach Could Be Right Around the Corner
October is Cybersecurity Awareness Month in the US. Now in its 18th year, this annual effort is spearheaded by the Cybersecurity & Infrastructure Security Agency (CISA) and aims to make everyone aware of cyberattack risks. CISA has divided the month into four weekly segments, each dedicated to a different aspect of cybersecurity.
- Week of October 4 (Week 1): Be Cyber Smart.
- Week of October 11 (Week 2): Phight the Phish!
- Week of October 18 (Week 3): Explore. Experience. Share. (Cybersecurity Career Awareness Week)
- Week of October 25 (Week 4): Cybersecurity First
Phishing Is The Biggest Data Breach Risk
Workers are more plugged in than ever as the rise of remote and hybrid work has created an extremely email-dependent business world. More than half of all remote workers rely on email as their primary form of communication. At the same time, we’ve seen a historic increase in both phishing and data breach risk for the past two years, spawning an email security problem that impacts every business. An estimated one in four businesses had an email security breach in 2020, and one-third of these email security breaches can be traced to phishing.
The relationship between phishing and a data breach has been apparent for years. A solid 90% of incidents that end in a data breach start with a phishing email. This is reflected in the Verizon Data Breach Investigations Report 2021 (DBIR). Once again, phishing takes the crown as the top data breach threat that organizations face. This is the third year in a row that phishing has topped the chart, beating out insider acts, malware, and even human error. But it doesn’t stop there – phishing that directly caused a data breach increased by 10% in 2020 and that’s a substantial jump. The risk of phishing causing a data breach is so severe that the phishing category still tops the DBIR list even without the inclusion of ransomware, which has grown into such a behemoth that it’s earned its own category.
Phishing-Related Data Breach Facts to Remember
1 in 4 companies in a security survey reported an email-related security breach in 2021. Of these security breaches, 36% were caused by phishing attacks targeting arguably the weakest point of any security system: end users.
- An estimated 75% of organizations in the United States were hit by a successful phishing attack that resulted in a data breach in the last 12 months
- Just under 95% of ransomware arrives at businesses via email
- Precisely targeted ransomware, typically delivered through spear phishing, has grown by 767%
- The number of data breaches that involved ransomware doubled in 2020
- Cloud data breaches, enabled by phishing, are up more than 35% in 2021 over 2020
More Email Means More Phishing (and More Phishing-Related Expenses)
This rise in phishing risk that can put a company on the path of a data breach tracks with the tremendous increase in email volume that started in March 2020, because more email coming into businesses means more phishing messages that could land in an employee inbox, and any phishing message that an employee receives has the chance of spawning a data breach. An estimated 306.4 billion emails were sent and received each day in 2020, triple the average increase of past years. That figure is expected to continue to grow steadily as companies continue to grapple with the implications of the ongoing pandemic and virus variants that could lead to long-term remote work becoming the norm. If email volume continues to trend the way that experts expect, it is estimated to reach over 376.4 billion daily messages by 2025.
Phishing costs companies a fortune every year, especially if one of the many phishing attempts employees face every day results in a cybercriminal success. The 2021 Ponemon Cost of Phishing Study shed light on the massive revenue hits that companies can suffer in the wake of a successful phishing attack. The biggest takeaway from this report is the colossal increase in the cost of a phishing attack for businesses. Researchers say that the cost of phishing attacks has almost quadrupled over the past six years, with large US companies losing an average of $14.8 million annually (or $1,500 per employee) to phishing. That’s without adding the expense of dealing with an incident investigation which costs SMBs an average of $15K.
Phishing Carries Ransomware That Can Be Used to Snatch Data
Add a side of ransomware to that phishing and it ratchets up the danger of a data breach. Data is a valuable currency on the dark web, and the dark web data markets are hot. Cybercriminals can make a solid chunk of change from a ransomware attack even if the victim doesn’t pay, just from selling off the data that they stole in the incident. One unlocked database can go for as much as $20,000, or up to $50 per 1,000 entries, and that database can be sold many times to different interested parties. Password lists are extremely desirable. Valuable database records typically include some personally identifiable information (PII) in each entry, such as username, email address, full name, phone number, home address, date of birth and occasionally social security and identification numbers.
Targeted ransomware is the latest threat on the scene, up more than 700% in 2021. Savvy cybercriminals take their time designing the ideal spear phishing message to deliver targeted ransomware attacks. Bad actors won’t hesitate to make the most of the abundant information about people and businesses in dark web markets and data dumps. They can then use that information to craft slick, compelling messages that use sophisticated social engineering techniques, often featuring spoofing or brand impersonation, to entice the targeted employees or executives into clicking their way to disaster. About 65% of active cybercriminal gangs use spear phishing as their favored method of delivery for ransomware.
Phight the Phish Through Security Awareness
Phishing-related data breaches are the most common kind. That means businesses that want to reduce their chance of a data breach need to implement measures that reduce the chance of phishing incidents landing successfully. A solid grasp of email handling best practices and the threats that businesses face can help reduce risk faster than you might think. These tips for determining if something is actually a phishing email can help with that.
Clues That You Might Be Looking at a Phishing Email
Does the sender’s email address match the company they’re claiming to represent?
Pay careful attention to the spelling of the company’s name to be sure it is correct. An official email will come from a company’s official domain.
Is the subject line misspelled or weird?
A seriously misspelled or poorly worded subject line is a hallmark of phishing. Also proceed with caution if the subject line is full of emojis, or if it uses an unusual format or font.
Does it have an attachment?
Over 90% of phishing emails use an attachment to deliver their malware payload. Don’t open an attachment that you’re not expecting, even if it looks like it’s from a sender that you can trust.
Is it instructing you to take an action like reset your password?
Carefully consider the links that a message asks you to click to see if they’re going to the company’s actual domain. Fraudulent password reset requests are a staple of phishing.
Does the email say it’s from a major company but look unusual?
Beware of branded email messages that don’t quite match up to the messages that you usually receive from that company. Email cloning or spoofing is a classic phishing technique.
Is the message strangely formatted with logos or colors that aren’t quite right?
This is the place where it’s easiest to see that something is amiss. If the content of the message has blatant spelling, grammar or usage errors, it’s probably not legitimate. The same goes for other body elements like logos, layouts, colors, headers, footers or fonts.
Is the email about a hot topic like COVID-19?
Cybercriminals have flooded inboxes with pandemic-related scams, and they’re still going strong. Google estimates it blocks 18 million COVID-19 scam emails a day from its 1.5 billion users.
Does anything at all about the email seem off to you?
Stop interacting with any message that doesn’t pass the smell test and contact an IT administrator immediately. Even if it turns out to be legitimate, you’re always better safe than sorry.
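To turn the checklist above into a repeatable triage step, here is an added example (not from the original post and not ID Agent's code) that parses a raw message with Python's standard email module and reports which of the clues it trips: sender domain versus the brand named in the display name, an action-demanding subject, any attachment, and links pointing outside the sender's domain. The brand-to-domain allowlist and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAINS = {"examplebank": "examplebank.com"}  # constructed allowlist

# Phrases the checklist treats as "take an action now" lures.
ACTION_WORDS = re.compile(r"reset your password|verify your account|urgent", re.I)


def phishing_clues(raw):
    """Return the checklist clues a raw RFC 822 message trips (defensive triage)."""
    msg = message_from_string(raw)
    clues = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Clue: the display name claims a known brand but the address is not its domain
    for brand, domain in OFFICIAL_DOMAINS.items():
        if brand in display.lower().replace(" ", "") and sender_domain != domain:
            clues.append(f"sender domain {sender_domain!r} is not {domain!r}")
    # Clue: the subject line pushes the reader to act (e.g. a password reset)
    if ACTION_WORDS.search(msg.get("Subject", "")):
        clues.append("subject demands an action")
    # Clue: any attachment at all; text parts are kept for the link check
    bodies = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            clues.append(f"has attachment {part.get_filename()!r}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            bodies.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    # Clue: a link whose host lies outside the sender's own domain
    for url in re.findall(r"https?://[^\s\"'<>]+", "\n".join(bodies)):
        host = (urlparse(url).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            clues.append(f"link to {host!r} does not match sender domain")
    return clues


# Constructed sample messages: one suspicious, one that matches its brand's domain.
SUSPICIOUS = """\
From: Example Bank Security <alerts@examp1ebank-login.net>
Subject: Urgent: reset your password within 24 hours

Your account is locked. Reset here: http://login.example.net/reset
"""

LEGIT = """\
From: Example Bank <noreply@examplebank.com>
Subject: Your monthly statement is ready

View it at https://secure.examplebank.com/statements
"""
```

Run `phishing_clues(SUSPICIOUS)` to see three clues reported and `phishing_clues(LEGIT)` to see none; a real deployment would feed the result into a mail filter or a help desk ticket rather than act on it automatically.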
Quality Training Lowers Risk and Saves Money
Every time an employee resists or reports a phishing message, their company dodges a bullet and a big bill. But getting a business in a position to reap rewards like that involves putting work and investment into security awareness training. Many businesses may not see the value in something as nebulous as security awareness and phishing resistance training, especially with IT departments facing major budget cuts. However, that investment in security awareness training pays off handsomely. Security awareness training has a strong ROI. On average, smaller organizations (under 1,000 employees) can enjoy an ROI of 69% from a training program. The ROI is even bigger for larger organizations (1,000+ employees) at 562%.
Unfortunately, many businesses aren’t maintaining their investment: more than half (55%) of organizations don’t provide security awareness training at the right cadence, and that damages their investment. Security awareness training isn’t a one-shot deal, as illustrated by research conducted by the Advanced Computing Systems Association (USENIX). In the study, employees received security awareness training focused on phishing identification. They were then asked to identify phishing emails at various intervals, ranging from 4 to 12 months after the training. The researchers learned that 4 months after the initial training, employees were still easily able to spot phishing emails. After 6 months, though, employees began forgetting what they had learned.
ID Agent Helps You Put the Brakes on Phishing-Related Data Breach Risk
A phishing-related data breach is an expensive nightmare that a business may never wake up from: 60% of companies that are hit by a cyberattack go out of business within 6 months. ID Agent can help reduce phishing and data breach risk using smart solutions that are also a great value.
Dark Web ID – Do you suspect that a password has been successfully phished from an employee? Find out immediately when you use dark web search to find all of a company’s compromised credentials in minutes. That protection also keeps running to alert you to new credential compromise risks through 24/7/365 human and machine-powered monitoring of business and personal credentials, including domains, IP addresses and email addresses.
Passly – Make a phished password useless with secure identity and access management that gives you more for less. Multifactor authentication alone adds an extra layer of protection between hackers and your valuable data, stopping 99% of password-based cybercrime. Plus enjoy easy access to SSO applications and passwords with the ability to automatically fill in the blanks for web logins plus automated password resets.
BullPhish ID – A frequently updated library of preloaded phishing kits makes it a snap to make sure employees have been trained to resist the phishing lures they face every day. But they’ll learn about much more than just phishing including ransomware, compliance, password safety, security hygiene and more, giving every employee a solid grounding in cybersecurity pitfalls and best practices.
Let us help you get a strong phishing defense in place right away to lower data breach risk fast. Contact an ID Agent solutions expert now for a personalized demo of our award-winning solutions.
Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!