While the majority of phishing emails are generic, an increasing number now rely on impersonation tactics to trick victims. Millions are lost through emails pretending to be from colleagues, friends, or family. These attacks are notoriously difficult to spot.
Now, new research from CybSafe – a security awareness, behaviour and culture solution that reduces human cyber risk – has shone a spotlight on this effective form of phishing.
CybSafe’s survey of 250 IT decision-makers at UK SMEs found that 43% of these businesses had experienced a phishing attempt through impersonation of staff over the last 12 months. Of these, two-thirds (66%) had suffered a successful impersonation attack.
Oz Alashe, CEO, CybSafe said: “Phishing is currently the dominant attack vector for entry into networks, and its popularity isn’t hard to understand. It’s easy to carry out, easy to profit from, and from the perspective of cybersecurity professionals, it’s notoriously difficult to defend against. Just one individual falling victim can be enough to give criminals the foothold required to access confidential information.
“Impersonation phishing attacks – personalised attacks which involve the impersonation of friends or family, or other members of staff – pose a particular threat. These attacks are highly convincing and have high success rates.”
Tackling these cybersecurity issues appears to be low on the business agenda: many businesses in CybSafe’s survey admitted that minimal action had been taken to combat impersonation phishing attacks. In fact, fewer than half of those surveyed (47%) claimed to already have a cybersecurity training and awareness programme in place.
Alashe added: “Our latest research shows that, despite the severity of this threat, UK businesses are taking very little action at the moment. Of those that are doing something, many are simply paying lip-service to security training for compliance reasons, and aren’t demonstrably reducing their human cyber risk.”
As part of the same research, respondents were also asked to rank cybersecurity threats by perceived level of threat. Curiously, email phishing was seen as a much greater threat than phone phishing. Pitted against nine other potential threats, email phishing came in at number two (37%). By contrast, phone phishing was regarded as the least urgent threat to business (8.8%).