Phishing attacks at record highs
The rate of phishing attacks is at a record high, as shown in the Anti-Phishing Working Group's (APWG) recent Phishing Activity Trends Report. In Q2/2022, the APWG observed more than a million distinct phishing attacks, the worst quarter for phishing that the APWG has ever observed.
Successful attacks featured in the media confirm this trend: Revolut, Uber, Twilio, Cisco, Microsoft, Okta and Nvidia are just some of the high-profile companies recently hacked. The technique used to gain initial access to all of those companies was phishing, i.e. electronically delivered social engineering.
There is a silver lining here: phishing is so popular precisely because other techniques for obtaining initial access are becoming relatively more difficult, especially exploiting vulnerabilities in public-facing services and applications. As organizations move to SaaS/IaaS-based applications, the window to exploit unpatched public-facing systems is shrinking.
In cases where an organization still runs on-premises public-facing apps, the risk of neglecting or inadvertently leaving unpatched systems online increases dramatically. See, for example, the recent attack against Albania's government institutions, where initial access was gained precisely through vulnerabilities that had long gone unpatched.
It is therefore good news that attackers are increasingly left with no option other than to convince employees to allow access to a particular application or network. It is also a reminder that the best investment in security is a focus on employee awareness. Security awareness training (SAT) can be automated via SAT software, which can make training less intrusive and more scalable, so that the capacity to resist phishing attacks is continuously strengthened.