According to the Anti-Phishing Working Group (APWG), an international coalition of counter-cybercrime responders, phishing attacks climbed to a new record high in 2022. The APWG Report analyzes phishing attacks and other identity theft techniques, as reported by its member companies and research partners. By drawing from the research, APWG measures identity theft methods, evolution, proliferation, and propagation.
APWG Phishing Activity Trends Q2 2022
- 1,097,811 total phishing attacks were observed in the second quarter of 2022, a new record up from 1,025,968 in Q1.
- The average amount requested was $109,467, up from $91,436 in Q1.
- The healthcare and transportation industries suffered a 47% increase in ransomware attacks from Q1 to Q2 2022.
- There has been an increase in mobile phone-based fraud, with smishing and vishing.
The number of phishing attacks reported to APWG has quadrupled since early 2020, when there were between 68,000 and 94,000 attacks per month. The most frequently attacked industry was the financial sector, which includes banks, accounting for 27.6% of attacks.
What is Phishing?
Phishing is a social engineering crime to steal personal identity data and financial account credentials. Phishing schemes prey on unwary victims by fooling them into believing they are dealing with a trusted, legitimate party, leading them to counterfeit Web sites that trick them into divulging sensitive data including credentials. Additionally, this sensitive data can become available on the dark web, available to attackers using Open-Source Intelligence (OSINT) techniques. Credentials found through OSINT can then be used to attack your network.
Mitigating Phishing Threats
There's no magic bullet to help protect you against all phishing attacks. But a combination of software, skepticism and common sense will go a long way. To prevent Internet phishing, users should know how cybercriminals do this and be aware of anti-phishing techniques to protect themselves from becoming victims.
In 2022, mature organizations provide cybersecurity awareness training for their employees. Particularly when it comes to phishing, cybersecurity is everyone's job.
Tips from OWASP to avoid Phishing:
- Do not reveal any sensitive information.
- Pay attention to the URLs included in emails.
- Use the latest version of web browsers.
- If you are unsure whether an email is legitimate, verify it by contacting the company by phone.
- Do not install programs or download files sent as attachments in emails from unknown senders.
- Always discard pop-up screens and never enter information using them.
- Keep your antivirus software up-to-date and activated.
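The "pay attention to the URLs" tip is the one that most easily becomes an automated check. The script below is an added example, not code from the original post or from OWASP, Truvantis or APWG. It parses the anchor tags in an HTML email body and flags the classic warning signs: a raw IP address as the host, a punycode (xn--) label that can hide a look-alike domain, a user@ prefix before the real host, and link text that displays one domain while the href points to another. The sample email body is constructed for this example, and `registrable()` is a deliberate simplification (last two labels) standing in for a Public Suffix List lookup.

```python
"""Flag suspicious links in an HTML email body (added example).

Checks the "pay attention to URLs" tip: compares the domain a link shows
with the domain it actually targets, and flags hosts that are raw IPs,
punycode labels, or carry userinfo. SAMPLE_EMAIL is constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches a domain name such as www.example-bank.com inside free text.
DOMAIN_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Hypothetical simplification: treat the last two labels as the owner's
    domain. Production code should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def analyze_link(href, text):
    """Return a list of human-readable findings for one link (empty = clean)."""
    findings = []
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return [f"non-web scheme {parts.scheme!r}"]
    host = parts.hostname or ""
    if is_ip(host):
        findings.append("raw IP address as host")
    if "xn--" in host:
        findings.append("punycode (IDN) label in host")
    if parts.username is not None:
        # https://www.example-bank.com@203.0.113.10/ really goes to the IP.
        findings.append("userinfo before host hides the real destination")
    m = DOMAIN_RE.search(text)
    if m and registrable(m.group(1)) != registrable(host):
        findings.append(
            f"displayed domain {registrable(m.group(1))} != actual {registrable(host)}"
        )
    return findings


def scan_email_html(html):
    """Analyze every link in an HTML body; returns one record per link."""
    parser = LinkExtractor()
    parser.feed(html)
    return [
        {"href": href, "text": text, "findings": analyze_link(href, text)}
        for href, text in parser.links
    ]


# Constructed sample: four lures and one legitimate link.
SAMPLE_EMAIL = """
<p>Your account needs verification.</p>
<a href="http://203.0.113.10/login">https://www.example-bank.com/login</a>
<a href="https://www.example-bank.com.security-check.example.net/">www.example-bank.com</a>
<a href="https://xn--exmple-bank-1ya.com/">example-bank.com</a>
<a href="https://www.example-bank.com@203.0.113.10/verify">Verify now</a>
<a href="https://www.example-bank.com/help">Help center</a>
"""

if __name__ == "__main__":
    for rec in scan_email_html(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if rec["findings"] else "ok"
        print(f"{status:10} {rec['href']}  {rec['findings']}")
```

The same logic can run in a mail-filter hook or a user-reported-phish triage script; the point is that the displayed text is what the reader trusts, while the href is what the browser follows, and those two must be compared rather than eyeballed.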
According to the security awareness training organization KnowBe4, over 90% of data breaches start with a phishing attack. So, are your employees susceptible to phishing attacks? You can find out by deploying phishing security tests and comparing results against industry benchmarks.
Build a Holistic Cybersecurity, Privacy and Compliance Program
Of course, security awareness training and phishing avoidance tactics are only part of a resilient defense-in-depth strategy. Cybersecurity and privacy risks remain among the top threats facing business organizations today. Increasingly, boards are holding information security leaders accountable for return on security investments. This accountability demands a more sophisticated approach to risk management. The goal is to manage business risk using an efficient methodical process.
What is Risk Management, and Why is it Important?
Risk management identifies, evaluates, and prioritizes risks such as phishing based on the probability and impact of incidents. Risk management, especially cybersecurity and privacy, is a critical concern for shareholders and other stakeholders including sales teams, investors, customers and staff.
Cybersecurity is a Strategic Business Enabler
Cybersecurity is not just an IT issue but a strategic business enabler. Effective organizational cybersecurity contributes to new opportunities to create value. In addition, organizations win trust and accelerate sales by demonstrating their ability to execute cybersecurity and privacy best practices.
At Truvantis, we also have a three-pronged approach to building and maintaining information systems for cybersecurity, privacy and compliance:
- Conduct a formal risk assessment, including using cyber-threat intelligence for an attack surface analysis. Determine where you are positioned concerning the threat landscape, budget, and risk appetite.
- Implement policies and controls leveraging standards-based frameworks. (e.g., HITRUST CSF, SOC 2, CIS Controls, ISO 27001, PCI-DSS, NIST CSF)
- Pentest your security and response systems.
Truvantis is a governance, risk management and compliance consulting organization. We specialize in helping our clients by implementing, operating, auditing and testing information security programs that work – balancing budget with organizational risk appetite. Contact us today to speak with a cybersecurity, privacy and compliance expert.