Everyone knows about phishing – so why is it still an unsolved problem?

by Egress
Published on 5th Jul 2022

Findings from our recent report, Fighting phishing: the IT leader's view, reveal that 98% of the companies surveyed conducted some form of cybersecurity training over the past 12 months. Yet, despite these efforts, employees keep falling for phishing attacks. Our research shows that 84% of the organizations we surveyed last year were phishing victims – a 15% increase from our 2021 report, The real and rising risk of phishing.

In a separate report, Cybersecurity experts' views on email within Microsoft 365, we spoke to three cybersecurity experts about why phishing is still such an unsolved problem. Here, we highlight key quotes from the report, which features Lisa Forte (Co-founder, Red Goat Cyber Security LLP), Robin Bell (CISO, Egress Software Technologies), and Jack Chapman (VP of Threat Intelligence, Egress Software Technologies). 

Mobile devices can make phishing attempts harder to spot

Our report shows that 77% of IT leaders in Microsoft 365 organizations believe mobile devices increase the risk of email data loss. There are several reasons behind this. For many of us, the increase in remote working has significantly blurred the lines between our personal and professional lives, meaning that it has become more common for us to carry out work-related activities on our personal smartphones. That presents a number of additional risks. 

For instance, when someone receives a phishing link on a PC, they can hover over it and see the real destination before clicking. That isn't easy to do on a mobile phone, making phishing attempts harder to spot. 
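The hover check described above can be automated on the mail gateway so that it does not depend on the device the message is read on. The following is an added example, not code from Egress or from the report: it parses the anchors in an HTML email body and flags any link whose visible text names a domain that differs from the host the `href` actually opens. The email body, the `example.com` and `evil.test` hostnames, and the `find_deceptive_links` function name are all constructed for illustration.

```python
"""Flag links whose visible text disagrees with their real destination.

Automates the "hover over the link" check that is hard to do on a phone: for
every <a href="..."> in an HTML email body, compare the host the reader sees
(when the link text looks like a URL or domain) with the host the browser
would actually open. This is an added illustration, not Egress's own code.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # inside an <a>, keep nested text too
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Matches link text that looks like a URL or a bare domain, e.g.
# "https://www.example.com/login" or "example.com"; captures the host part.
_DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def _host(value):
    """Return the lowercase host a URL or bare domain names, or None."""
    m = _DOMAIN_RE.match(value.strip())
    return m.group(1).lower() if m else None


def _same_site(seen, actual):
    """True if actual is the seen host or a subdomain of it
    (login.example.com is an acceptable target for text reading example.com)."""
    return actual == seen or actual.endswith("." + seen)


def find_deceptive_links(html):
    """Return [(visible_text, real_url)] for every anchor whose visible text
    names a host that the href does not actually open."""
    parser = _AnchorCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.anchors:
        shown = _host(text)
        real = urlparse(href).hostname      # None for mailto:, relative or empty hrefs
        if shown and real and not _same_site(shown, real.lower()):
            suspicious.append((text, href))
    return suspicious


# Constructed sample email body (not a real message): one honest link, one
# link whose visible text lies about its destination, and one "click here"
# link whose text gives the reader nothing to compare against.
SAMPLE_BODY = """
<p>Your password expires today. Reset it at
<a href="https://www.example.com/reset">https://www.example.com/reset</a>
or sign in at
<a href="http://example-com.evil.test/login">https://www.example.com/login</a>.
If that fails, <a href="http://example-com.evil.test/help">click here</a>.</p>
"""

if __name__ == "__main__":
    for text, url in find_deceptive_links(SAMPLE_BODY):
        print(f"shown as {text!r} but actually opens {url}")
```

Note the limitation the sample exposes: the "click here" link points at the same attacker host but is not flagged, because text that names no domain gives the check nothing to compare. A gateway check like this catches the mismatch case only; it complements, rather than replaces, reputation and sandboxing controls on the destination URL itself.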

Robin Bell explains, "People receive a high volume of emails, and among all of it, there will be genuine emails from direct correspondents, genuine emails from marketing campaigns, and then phishing emails. Sometimes in haste or when faced with an advanced and highly convincing attack, it's easy to make a mistake and click on that one email that causes a breach/compromise."

Bell continues, "People also access email on different devices, such as phones, tablets, and laptops – and it can often be harder to spot a phishing email on a mobile device. Finally, phishing is a lucrative business, and therefore organized criminal gangs have the desire, capability, and funds to invest in new techniques and a high volume of targets."

Organizations have been approaching the problem the wrong way

More organizations than ever are providing phishing training to employees – and yet, the number of businesses falling victim to phishing attacks continues to rise each year. 

Jack Chapman explains, "There are two key reasons that phishing has not been solved. First, it works for the criminals, leading to great return on investments for minimal upfront costs and a low risk of being caught. This leads to more resources and innovation being pumped into this vector, so it continues to work.

Chapman continues, "The second key reason is how we as an industry have been trying to solve it. Either we block everything and have huge quarantines that no one has the time or resources to manage, or we just train our users and blame them when an attack which is designed to bypass humans is successful."

Training needs augmenting with the right technology

Since the pandemic's start, an increasing number of organizations have switched to remote working. Foundry's recent 2022 Future of Work study revealed that most organizations are now planning to keep hybrid or remote work as a permanent solution. While remote working has many benefits, it also comes at a cost. Our research found that organizations with more than 60% of employees working remotely had a higher average data breach cost than those without remote workers. 

Asked why she thinks phishing remains an unsolved problem, Lisa Forte says, "There are a number of reasons. Firstly, it evolves. We have seen a rapid rate of development in the way phishing emails are constructed, and that makes it harder for our employees to keep on top of the developments. Secondly, COVID really ignited a new fire under phishing and smishing (SMS) campaigns. Uncertainty is perfect for attackers."

Forte continues, "Finally, humans make mistakes. We always will. We can lower the chances of a mistake being made through training, but training alone won't eliminate it. We need better and 'smarter' email defenses to provide more peace of mind."

To reduce the chance of falling victim to phishing attacks, an increasing number of organizations are choosing to augment their Microsoft 365 defenses with additional 'smarter' email defenses to protect against both inbound and outbound risks. 

You can download our report here to learn more about augmenting your Microsoft 365 defenses and access the full range of insights from the experts.