Research: Phishing Investigations Cost Companies $4.3 Million Per Year


Phishing remains the attack vector of choice for cybercriminals, with roughly 23,000 reported phishing incidents per organization annually, according to a new survey. Organizations spend on average $4.3 million per year to investigate those incidents.

Attacks leveraging account takeover (ATO) now comprise 20 percent of advanced email attacks, according to Agari’s Q1 2019 Email Fraud & Identity Deception Trends report. In an ATO attack, the messages are sent from a real person’s compromised mailbox, so they look legitimate to email filters and end users alike: sender-authentication checks such as SPF and DKIM pass because the mail genuinely originates from the organization’s own domain. ATO attacks also target high-profile employees (e.g. CFOs) and open the door to fraud that increases the attackers’ illicit profits.

Impersonation was the most common attack vector in Q4 2018. It was used in half of all advanced email attacks, with Microsoft impersonated in 70% of them. Attackers also often posed as Amazon, the Internal Revenue Service (IRS), FedEx or Netflix.

“Microsoft is a common target for credential phishing because Office 365 accounts can be used in subsequent ATO attacks,” according to the report.

33% of advanced email attacks against C-level employees use display name deception that impersonates an individual: the visible sender name is set to that of a trusted person while the underlying address belongs to the attacker. This is a common tactic in business email compromise (BEC). The IRS was impersonated in about one in 10 attacks. Criminals use phishing emails and social engineering to request a corporation’s W-2 files, which contain Social Security numbers, salaries and other confidential data that can be used to commit tax fraud or identity theft.
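One way a SOC can triage the display name deception described above is to compare the visible sender name against a directory of high-value employees and flag any message where the name matches but the underlying address (or the Reply-To) does not. The following is an added example written for this article, not code from Agari or the report; the organization domain, the protected-name directory and the sample headers are all constructed for illustration.

```python
"""Flag display-name deception in inbound mail headers.

Added example for this article, not code from Agari or the report. The
organization domain, the protected-name directory and the sample messages
below are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# assumption: display names of high-value staff mapped to their real addresses
PROTECTED = {
    "jane doe": "jane.doe@example.com",  # hypothetical CFO
    "sam lee": "sam.lee@example.com",    # hypothetical CEO
}


def normalize_name(display: str) -> str:
    """Lower-case, turn 'Last, First' into 'First Last', strip punctuation
    and collapse whitespace so that 'DOE, Jane' compares equal to 'jane doe'."""
    text = display.lower()
    if "," in text:
        last, first = text.split(",", 1)
        text = f"{first} {last}"
    text = re.sub(r"[^a-z0-9@.\s]", " ", text)
    return " ".join(text.split())


def classify_from(from_header: str) -> str:
    """Classify a single From: header value.

    display_name_deception    - protected name shown, address is not theirs
    embedded_address_deception - display name is a protected address itself,
                                 e.g. "jane.doe@example.com" <x@evil.example>
    protected_sender_ok       - name and address both match the directory
    no_match                  - sender is not a protected name at all
    Note that protected_sender_ok says nothing about ATO: mail sent from a
    compromised real mailbox passes this check by construction.
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    shown = normalize_name(display)
    if "@" in shown:
        if shown in PROTECTED.values() and shown != addr:
            return "embedded_address_deception"
        return "no_match"
    if shown in PROTECTED:
        if PROTECTED[shown] == addr:
            return "protected_sender_ok"
        return "display_name_deception"
    return "no_match"


def triage(raw_messages):
    """Run classify_from over raw RFC 822 messages and escalate the case where
    the From: is genuine but replies are redirected elsewhere via Reply-To."""
    results = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        from_value = msg.get("From", "")
        verdict = classify_from(from_value)
        from_addr = parseaddr(from_value)[1].lower()
        reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
        if verdict == "protected_sender_ok" and reply_to and reply_to != from_addr:
            verdict = "reply_to_redirect"
        results.append((msg.get("Subject", ""), verdict))
    return results


# Constructed sample headers for demonstration; none of these are real mail.
SAMPLES = [
    "From: Jane Doe <jane.doe@example.com>\nSubject: Q1 numbers\n\nbody\n",
    "From: Jane Doe <jane.doe.cfo@gmail.com>\nSubject: urgent wire\n\nbody\n",
    'From: "jane.doe@example.com" <x@evil.example>\nSubject: W-2 files\n\nbody\n',
    'From: "DOE, Jane" <jane.doe@example.com>\nReply-To: accounts@evil.example\n'
    "Subject: invoice\n\nbody\n",
    "From: Vendor Billing <billing@vendor.example>\nSubject: statement\n\nbody\n",
]

if __name__ == "__main__":
    for subject, verdict in triage(SAMPLES):
        print(f"{verdict:28s} {subject}")
```

The directory lookup is deliberately exact-match after normalization; in production you would also want lookalike detection on the display name (for example Unicode confusables) and you would feed the verdicts into the SOC ticketing system rather than printing them.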

Employees report on average 23,053 phishing incidents per year, but researchers are careful to point out that half of them are typically false positive reports. The toll is still substantial, though. Responding to a phishing incident takes around six hours and costs on average $253 per incident. That translates into more than $4.3 million per year in Security Operations Center (SOC) costs to triage, investigate and remediate phishing incidents, researchers said.