“It could never happen to me.” If you’re at all web savvy or computer literate, this is most likely how you feel about falling prey to phishing scams. Most proficient web users feel confident that they could recognise a phishing attack at 20 paces, and that only the less digitally-aware are vulnerable to such tricks and data thefts.

But according to a recent report from US-based telecoms provider Verizon, as many as one in ten phishing attacks results in a data breach, which means more of us are vulnerable to phishing than we’d care to believe. Harnessing data from the UK Computer Emergency Response Team, the US Secret Service and the European Cybercrime Centre, Verizon’s report reveals that around 30% of phishing emails are opened by recipients, with around 12% clicking on attachments, which can result in attacks.

The common face of phishing is an email purporting to be from a business or organisation the recipient recognises, interacts with or trusts. Back in May 2015, online payday loans lender Wonga South Africa elected to take out advertising space in national newspapers and embark on a huge awareness-boosting email campaign to protect their customers from phishers who were using their brand to steal personal data. Other big brands, including PayPal and Dropbox, have also been targets.

In the best-known incarnation of a phishing attack, unwary recipients are enticed to click on a link within the email, which takes them to a fake page designed to look and feel like the page of the company they believe they are communicating with. This fake webpage then persuades the “phish-ee” to enter their personal details, exposing them to fraud.

But phishing, like most forms of digital fraud, is evolving. The technique is now being used for more than stealing bank details and personal information. Today, hackers of all stripes are using phishing emails to gain access to the organisations themselves. Simply clicking a link or starting a download at work could allow hackers to gain entry to your employer’s complete network, exposing a huge amount of sensitive data, including customer details. The technique can even allow hackers to harness your organisation’s computing power to launch botnet attacks on other businesses.

Effectively, the stakes are now even higher, and the scams are becoming even more sophisticated. Unfortunately, protective technology and practices are simply not keeping up. While it can take a hacker anywhere from minutes to a couple of days to siphon data following a successful phishing attack, it typically takes organisations up to a week to detect breaches, with the majority being uncovered only after detection by a third party (like a law enforcement agency).

While many of us are now wise to personal phishing attacks, it’s time for us to be vigilant at work, and for organisations to start smarter education and implement stronger systems to combat the hackers.

Have you or your business fallen victim to a phishing scam? What was the outcome and what lessons did you learn? Share your experiences with other readers below.