Phishing attacks on employees have increased in 70% of Singaporean organisations, Sophos said recently on releasing a report.
In addition, the vast majority (70%) of IT teams globally said the number of phishing emails hitting their employees increased during 2020, according to the report, which added that this rose to 82% of IT teams globally in organisations that had been struck by ransomware during the year.
Other highlights from the findings
- IT professionals can’t agree on a single definition of phishing. The most common understanding of phishing, selected by 73% of Singaporean respondents, is “emails that falsely claim to be from a legitimate organisation, usually combined with a threat or request for information.”
- Two-thirds (67%) consider emails with a malicious attachment to be phishing, and more than one-third (38%) think threadjacking (when attackers insert themselves into a legitimate email thread as part of an attack) is phishing.
- Most (97%) organisations from Singapore run cybersecurity awareness programs to address phishing.
- However, in the light of the survey results, phishing awareness and education programs need to consider the wide range of perceived phishing definitions and include training for non-technical employees that explains the different facets of phishing and email attacks in general.
“Phishing has been around for over 25 years and remains an effective cyberattack technique,” said Chester Wisniewski, principal research scientist at Sophos. “One of the reasons for its success is its ability to continuously evolve and diversify, tailoring attacks to topical issues or concerns, such as the pandemic, and playing on human emotions and trust.”
The temptation for organisations can be to see phishing attacks as a relatively low-level threat, but that underestimates their power, he noted.
“Phishing is often the first step in a complex, multi-stage attack,” Wisniewski warned.
According to Sophos Rapid Response, attackers frequently use phishing emails to trick users into installing malware or sharing credentials that provide access to the corporate network.
The team has seen at first hand how a seemingly innocuous email can ultimately lead to a multi-million-dollar ransomware attack, the firm said.
Cryptojacking, data—and even financial—theft are all potential outcomes after a phishing attack has opened a door for adversaries, Sophos pointed out.