Phishing is still by far the most popular attack vector out there. Not only that, but its popularity among the cybercriminal community is growing by the day.
This is according to the “Phishing threats report”, a new paper just published by Cloudflare. After analyzing more than 279 million detected email threats, 250 million malicious messages, and more than a billion brand impersonations, Cloudflare found that phishing is the initial attack vector for nine in ten cyberattacks.
As a result, businesses lose more than $50 billion every year.
Two key objectives
When it comes to phishing, cybercriminals are focused on two objectives: to achieve authenticity, and to get victims to click. The drive for authenticity was underscored by the uptick in identity deception threats, which rose from 10.3% to 14.2% year-on-year. That equals 39.6 million total detections.
Furthermore, Cloudflare’s researchers witnessed attackers impersonating over 1,000 different organizations, in more than a billion brand spoofing attempts. Most of the time (63.3%), the attackers tried to ape the same brands. The researchers identified the top 30 most popular brands, which included big names like Microsoft, Google, and Salesforce (all highly trusted organizations).
Finally, almost all (89%) unwanted messages squeezed through SPF, DKIM, or DMARC authentication checks. “Attackers’ efforts to achieve legitimacy in the eyes of their victims have proven successful, as we have seen email authentication failing to stop threats,” the researchers concluded.
When it comes to the second goal, Cloudflare says users are more susceptible to clicking a link when it arrives “as an authentic form of communications.” Attackers know it is easier to get a victim to click a link than to download a file. Hence, malicious links were the number one threat category, accounting for more than a third (35.6%) of all detected threats.
In almost all phishing attacks, the email carries a sense of urgency, pushing victims to react before they take the time to think their actions through. Since most firms rarely require something to be done immediately, a message demanding instant action can be treated as a red flag.
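The two findings above (authentication checks passing on unwanted mail, and urgency as a red flag) can be turned into a simple triage check. The following is an added example, not code from the report or from Cloudflare: it parses a message's Authentication-Results and From headers and flags a message whose display name invokes a brand that neither the From domain nor any authenticated domain belongs to, plus urgency wording in the subject. The brand-to-domain table and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed lookup of three brands the report names as heavily impersonated, each mapped
# to an illustrative domain its genuine mail would authenticate under (assumption).
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}, "google": {"google.com"},
                 "salesforce": {"salesforce.com"}}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none)", re.I)
AUTH_DOMAIN_RE = re.compile(r"header\.(?:from|d|i)=@?(?:[^@\s;]*@)?([\w.-]+)", re.I)
URGENCY_RE = re.compile(r"\b(urgent|immediately|action required|within \d+ hours?)\b", re.I)

def assess(raw_message: str) -> dict:
    """Flag display-name brand impersonation and urgency, even when SPF/DKIM/DMARC pass."""
    msg = message_from_string(raw_message)
    auth_header = msg.get("Authentication-Results", "")
    verdicts = {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(auth_header)}
    # A pass only vouches for the domains named here, never for the brand in the display name.
    authenticated = {d.lower() for d in AUTH_DOMAIN_RE.findall(auth_header)}
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    claimed = [b for b in BRAND_DOMAINS if b in display_name.lower()]
    # Impersonation: a brand is invoked, but neither the From domain nor any authenticated
    # domain belongs to it.
    impersonation = any(from_domain not in BRAND_DOMAINS[b] and not (authenticated & BRAND_DOMAINS[b])
                        for b in claimed)
    return {
        "verdicts": verdicts,
        "auth_pass": all(verdicts.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "claimed_brands": claimed,
        "from_domain": from_domain,
        "impersonation": impersonation,
        "urgency": bool(URGENCY_RE.search(msg.get("Subject", ""))),
    }

# Constructed phish: every check passes for the sender's own domain, yet the display name
# claims Microsoft and the subject demands action within a deadline.
PHISH = """From: "Microsoft Account Team" <security@micros0ft-alerts.example>
Subject: Action required: verify your account within 24 hours
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=micros0ft-alerts.example; dkim=pass header.d=micros0ft-alerts.example; dmarc=pass header.from=micros0ft-alerts.example
"""

# Constructed genuine message: the brand's own domain is what authenticated.
LEGIT = """From: "Microsoft" <noreply@microsoft.com>
Subject: Your monthly summary
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
"""
```

For the constructed phish, all three authentication verdicts are "pass" and yet both the impersonation and urgency flags are raised; the genuine message passes authentication for microsoft.com itself and raises neither.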