Why do people get hacked?

Everyone is targeted by cybercriminals.

While organizations have rapidly matured their technical controls, such as firewalls, people remain an easily exploited target for hackers.

Every employee has access to email, which is why 86% of organizations have had a data breach caused by phishing and over 90% of ransomware attacks start on email.

Why are phishing attacks so successful?

Short answer: because they’re engineered to be.

Firstly, sophisticated attacks are engineered to bypass secure email gateways (SEGs) and land in employees’ mailboxes. SEGs can only filter out ‘known’ attacks or those that display certain identifiers, such as an atypical subject line or being sent from a new domain – so inevitably, cybercriminals have innovated.

New attacks emerge daily, designed specifically to bypass SEGs. Even something as simple as leaving a subject line blank can result in a phishing email being delivered to an employee. Attacks that originate from compromised supply chain accounts also cause headaches for SEGs (as well as some newer technologies, such as those that rely heavily on social graphing), because they originate from a previously trusted domain.

Secondly, phishing attacks are designed to exploit people’s fallibility.

They’re designed to move someone from critical thinking into impulsive response. Every successful phishing attack will contain some or all of these core components:

  • Attention-grabbing language
  • A sense of urgency
  • A credibility statement to make them more believable
  • An attempt to connect with the recipient, for example through flattery
  • A direct request to the recipient
  • Clear consequences if the recipient fails to perform the task

Dedicated cybercriminals then combine these techniques with information they know about the recipient from profiling them online or that they’ve obtained through a previous data leak. In the case of an attack originating from a compromised account, the cybercriminal can also use insights about the sender they’re impersonating.
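The two points above (identifier-based gateway rules that miss a blank subject or a trusted-but-compromised sender, versus analysis of the social-engineering components in the message itself) can be shown side by side in a small scoring model. The following Python is an added illustration, not code from the original page or from Egress; the domain allow-list, the cue phrase lists, the threshold and all three sample messages are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Email:
    sender_domain: str
    subject: str
    body: str
    domain_age_days: int  # constructed attribute: days since the domain was first observed


# Constructed allow-list of supply-chain domains the organization already trusts
TRUSTED_DOMAINS = {"supplier.example"}


def identifier_rule_flags(mail: Email) -> list[str]:
    """Naive 'known identifier' checks of the kind described in the text:
    a recently seen sending domain, or an atypical subject line."""
    flags = []
    if mail.sender_domain not in TRUSTED_DOMAINS and mail.domain_age_days < 30:
        flags.append("new-domain")
    # 'Atypical' here means shouting or repeated punctuation. A blank subject
    # passes this check untouched, which is exactly the gap the text describes.
    if mail.subject and (mail.subject.isupper() or mail.subject.count("!") >= 2):
        flags.append("atypical-subject")
    return flags


# Constructed phrase lists, one per social-engineering component listed above
CUE_PHRASES = {
    "attention": ["final notice", "action required"],
    "urgency": ["urgent", "immediately", "before end of day"],
    "credibility": ["as agreed", "per our contract", "invoice number"],
    "connection": ["appreciate your help", "i know i can count on you"],
    "request": ["update the bank details", "send payment", "click the link"],
    "consequence": ["will be suspended", "late fee", "escalate"],
}


def content_cues(mail: Email) -> list[str]:
    """Return the names of the components found in the subject or body."""
    text = f"{mail.subject} {mail.body}".lower()
    return sorted(name for name, phrases in CUE_PHRASES.items()
                  if any(p in text for p in phrases))


def classify(mail: Email, cue_threshold: int = 3) -> tuple[str, list[str], list[str]]:
    """Combine both layers: block on any identifier flag, or when enough
    social-engineering cues co-occur regardless of who the sender is."""
    flags = identifier_rule_flags(mail)
    cues = content_cues(mail)
    verdict = "block" if flags or len(cues) >= cue_threshold else "deliver"
    return verdict, flags, cues


# Constructed sample messages
LOUD_NEW_DOMAIN = Email("acc0unts-payable.example", "URGENT INVOICE!!",
                        "Send payment immediately.", domain_age_days=2)
# Trusted supplier account, blank subject, no link or attachment (a 'payload-less' request)
COMPROMISED_SUPPLIER = Email(
    "supplier.example", "",
    "Hi, as agreed on invoice number 4471 we need you to update the bank details "
    "before end of day, otherwise a late fee applies. I know I can count on you.",
    domain_age_days=2000)
ROUTINE_SUPPLIER = Email("supplier.example", "Q3 delivery schedule",
                         "Attached is the delivery schedule we discussed.",
                         domain_age_days=2000)

if __name__ == "__main__":
    for m in (LOUD_NEW_DOMAIN, COMPROMISED_SUPPLIER, ROUTINE_SUPPLIER):
        print(m.sender_domain or "(blank)", classify(m))
```

Running it shows the loud message from a new domain caught by the identifier rules alone, the blank-subject message from the compromised supplier passing those rules with no flags but being blocked on five content cues, and the routine supplier message delivered. Real gateways use far richer signals than phrase lists, but the shape of the gap is the same: rules keyed on sender reputation or surface identifiers have nothing to say about a message whose only suspicious property is what it asks the reader to do.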


What impacts do phishing attacks have?

Phishing attacks hurt the bottom line and damage business reputations.

The average incident costs US organizations $7.9m. This includes payments made to cybercriminals – including fraudulent transfers (at an average cost of $85,000), incident response costs, and customer churn.

However, the cost isn’t entirely laid at the organization’s feet. In our latest research, we asked IT leaders to list the most common outcomes for the individual involved.

  • 28% said the employee was informally warned
  • 23% stated the individual was dismissed or left voluntarily
  • 19% selected formal disciplinary procedure
  • 10% said the individual was sued

Only 20% of phishing attacks didn’t result in a consequence for the employee involved.

What can we do about phishing attacks?

People get hacked because phishing attacks are designed to exploit their vulnerabilities.

So it doesn’t make sense to continue to rely on employees to detect these attacks. It makes them, and your organization, vulnerable.

Instead, human layer security can turn your people into your biggest defense.

This requires implementing intelligent technology that takes a zero-trust approach to inbound email security, analyzing the context and content of every inbound email before it is delivered to an employee’s inbox. Machine learning and natural language processing (NLP) must also be used to determine every sender’s authenticity, detecting when cybercriminals are using compromised supply chain accounts or are launching a ‘payload-less’ attack.

Even CISOs fall victim to phishing attacks. It’s time to ensure all employees are protected from cybercriminals.

Find out how Egress Defend detects and mitigates all targeted phishing attacks.