Phishing attacks exploded in 2018, with hackers using them in hopes of stealing credentials from their victims, according to a new report from Proofpoint researchers.
Credential compromise as the goal of phishing attacks increased more than 70 percent in 2018, surpassing malware infections, the report found. About 65 percent of infosec professionals experienced compromised accounts from these attacks, up from 38 percent in 2017.
Malware attacks stayed even at 49 percent in both 2017 and 2018, while credential phishing tripled between the second and third quarters of 2018. Researchers said this is a “dangerous trend given the serious ramifications of a successful credential compromise attack… This is of particular concern given that multiple services often sit behind a single password.”
The researchers analyzed data from millions of simulated phishing emails sent between October 2018 and September 2018, and surveyed 15,000 infosec professionals from around the world. The report found that 83 percent of respondents were targeted by phishing attacks last year, up from 73 percent in 2017.
For healthcare, those numbers aren’t shocking given the near-daily breach notifications sent by providers, including New York Oncology Hematology – where 15 employees were duped by a targeted phishing campaign that breached the data of 128,000 employees and patients.
“Across the board, infosec professionals identified a more active social engineering landscape in 2018,” the report authors wrote. “The vast majority—96%—said the rate of phishing attacks either increased or stayed consistent throughout the year.”
“More respondents said they experienced attacks during 2018 than in 2017,” they added. “Phishing and spear phishing saw the biggest increases, but all types of attacks happened more frequently than in 2017.”
The most common phishing attack used links to lure users to a page where they would enter their personal information, the researchers explained. In fact, 69 percent of phishing attacks used a link. Just 17 percent used a direct data entry form and 14 percent leveraged attachments.
Among successful attacks, phishing attempts that notified the user of toll violations, updated building evacuation plans, email password changes, and invoice payments were most effective.
Also notable, healthcare was not the worst industry when it came to average failure rates, with just 8 percent. For comparison, the entertainment sector landed in the top spot with a 16 percent average failure rate. However, healthcare did have a 13 percent click rate for those malicious links.
But the researchers explained that it’s not all bad news: 95 percent of the infosec professionals said they trained end users on how to avoid and detect phishing attempts. And most use email or spam filters, URL rewriting, and threat monitoring platforms, among other security tools.
“They are also shifting to a more people-centric model by proactively identifying phishing susceptibility, measuring end-user risk, and delivering regular security awareness training,” the researchers wrote.