A new survey conducted by them reveals that phishing attacks targeting organisations ramped up considerably during the pandemic, as millions of employees working from home became a prime target for cybercriminals. The majority (83%) of IT teams in India said the number of phishing emails targeting their employees increased during 2020.
“It can be tempting for organisations to see phishing attacks as a relatively low-level threat, but that underestimates their power. Phishing is often the first step in a complex, multi-stage attack,” adds Wisniewski.
Reasons for the Rise
Rapid increase in working from home: It’s likely that attackers hoped people would lower their guard while adjusting to working from home and operating in a non-business environment. Growth in home deliveries also contributed to the problem: phishing messages purporting to be from a home delivery company became commonplace during the first months of the pandemic as people turned to online shopping in large numbers.
Adversaries also exploited people’s anxiety and need for information on COVID-19 with pandemic-themed scams. They anticipated that the high level of concern would make people less likely to check that a message was legitimate before clicking.
The findings also reveal that there is a lack of common understanding about the definition of phishing. For instance, 67 per cent of IT teams in India associate phishing with emails that falsely claim to be from a legitimate organisation, and which are usually combined with a threat or request for information.
61 per cent consider Business Email Compromise (BEC) attacks to be phishing, and half of the respondents (50%) think thread jacking – when attackers insert themselves into a legitimate email thread as part of an attack – is phishing.
The good news is that most organisations in India (98%) have implemented cybersecurity awareness programs to combat phishing. Respondents said they use computer-based training programs (67%), human-led training programs (60%), and phishing simulations (51%).
“The ideal would be to prevent phishing emails from ever reaching their intended recipient,” said Wisniewski. “Effective email security solutions can go a long way towards achieving this, but this should be complemented by alert and primed employees who are able to spot and report suspicious messages before they get any further.”
Other Findings
The survey also showed that four-fifths of Indian organisations assess the impact of their awareness program through the number of phishing-related tickets raised with IT, followed by the level of reporting of phishing emails by users (77%) and click rates on phishing emails (60%).
All the organisations surveyed (100%) in Delhi, Hyderabad, and Kolkata say they have a cybersecurity awareness program in place. This was followed by Chennai, where 97% have such programs, and then Bengaluru and Mumbai at 96% each.