Unlike previous years, 2020 has been a significant year regarding cyber-attacks with exposure of the world’s latest serious nation-state cyberattack breaches such as FireEye and SolarWinds. Phishing is a common approach used by malicious actors and it is getting more sophisticated – for example, using machine learning and AI to quickly craft and distribute convincing fake messages to recipients in the hopes they will take the phishing bait.

What is Phishing?
It is a form of social engineering attack often used to steal user data, including login credentials, credit card numbers, and other sensitive data. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization

The Phishing Problem
According to a recent report by F5 labs, phishing incidents rose 220% compared to the yearly average during the height of the pandemic. The Application Protection Report published by F5 Labs found that 52% of all breaches in the US were due to failures at the access control layer i.e. credential theft, brute force login attempts and phishing. Based on data released by UK’s Information Commissioner’s Office (ICO) and the Office of the Australian Information Commissioner (OAIC) show that phishing is a leading cause for cyber incidents.

The Verizon DBIR 2020 report, an annual publication since 2008, mentions that phishing remains the top form of social-driven breach and “schemes are increasingly sophisticated and malicious” as remote work surges. Meanwhile, the use of stolen credentials by external actors is on a rapid rise with more than 80% of breaches involve the use of lost or stolen credentials or brute force.

The Phishing Statistics
Phishing attacks have resulted in hundreds of millions of dollars in losses globally in 2020 and is expected to rise in 2021. It is critical for businesses to review the key phishing statistics and facts:

• 91% of successful data breaches start with a spear phishing attack
• 81% of mobile phishing attacks are initiated outside of email
• 7% of global phishing attacks were accounted by SaaS and Webmail services
• 2.02 million phishing sites were flagged by Google between January to November of 2020
• 29% of breaches involved use of stolen credentials
• 80% increase in phishing campaigns related to sales and shopping special offers in the first half of November 2020 compared to 2019
• 200% in increase of compromised records

Protection against Phishing Attacks
The phishing problem and the statistics should not come as a surprise. These challenges and numbers reminds us that attackers typically take the path of least resistance i.e. start with a phishing scam targeting the user and their device, and then easily crack weak passwords or steal credentials to access sensitive data.

There are various indicators and steps organizations can implement, and their users can take to avoid being a victim of a phishing attack. However, with 97% of users who cannot effectively identify a phishing scam, successful phishing prevention comes down to the following:

Secure your attack surface
Adopt ZeroTrust framework and Implement Passwordless and Tokenless MFA across your organization including access for your business partners and customers.

Provide context
With real-time visibility of authentication and authorization events including context for a transaction, users can make informed decision for an event stop an attack before it occurs.

Deploy the right solution
With BlokSec’s decentralized authentication and authorizations services, organizations can protect themselves and their users from phishing attacks leading to account takeover, theft of sensitive and personally identifiable data, and digital fraud. BlokSec’s patent-pending tri-factor user identification process ensures user integrity and authenticity with an authentication flow as simple as unlocking a mobile device.

Keep the phishers away
To control the fight against malicious actors and their increasingly sophisticated cyberattacks, organizations need to adopt a robust security approach to protect them and their users. Their security strategy and approach should focus on implementing solutions that support preventative measures to stop fraud before it occurs, and educate their users to identify phishing scams.