Have you heard the story of the Trojan horse or the saying about a wolf in sheep’s clothing? Cybercriminals employ a similar tactic, known as phishing. GetApp discovers how phishing attacks may affect organisations and what senior managers do to combat these cyberthreats.
In this article
- Phishing attacks mostly target company emails
- Company impersonations are the most common type of phishing attacks
- According to 98% of senior managers, phishing attacks are a concern
- How are companies utilising phishing awareness training?
- 74% of companies have anti-phishing software, according to senior managers
- Organisations must layer up cybersecurity defences
Phishing is a technique in which cybercriminals target communication channels by impersonating senders known to the recipient. Behind that disguise, the method usually relies on human error or complacency to steal data or information such as passwords. A successful attack can severely impact an organisation by causing financial loss, loss of company data, or a company data leak. It can also harm the affected organisation's reputation by eroding customer trust.
The Australian Securities and Investments Commission (ASIC) has cautioned senior leadership, such as board directors and executives, to be more prepared for cyberattacks. The crackdown by the ASIC may see legal action taken against compromised companies that did not take sufficient steps to protect their information systems from hackers. The warning comes exactly one year after Optus and Medibank fell victim to Australia’s most significant cyberattacks. How are senior managers responding to this cyber warfare and where are they focusing their security efforts to guard against phishing attacks?
According to the latest Notifiable Data Breaches Report by the Office of the Australian Information Commissioner (OAIC), phishing accounted for 19% of cyber incidents that resulted in a data breach. Furthermore, the OAIC warned Australian companies to have robust and proactive procedures to handle data breaches and protect consumer information.
In light of Australia’s cyber battle, GetApp surveyed 561 respondents, which included 346 employees and 215 senior managers, executive managers, and business owners. This article examines how senior managers and employees experience phishing attempts at work, the concerns of senior managers, and what measures they take to protect company data.
All respondents understood the definition of a phishing attack provided in the survey and had received at least one phishing attempt at work. The full methodology is at the end of this article.
Phishing attacks mostly target company emails
Phishing attacks are sent via communication channels such as email, text messages, and phone calls to deliver a scam or fake message that is intended to trick the recipient. These messages often carry malware disguised as a legitimate program. Recipients are lured into clicking on compromised links, facilitating a malware download, or providing sensitive information such as passwords, which can result in a data breach.
Although companies should remain vigilant on all communication channels, 90% of respondents say that email was the channel through which they received a phishing attack at work, compared to SMS (28%), phone calls (20%), and social media (9%). Email may be the most common form of phishing because hackers can obtain email addresses through data breaches or from data brokers that sell such information.
Tips for email security
Email security is crucial in today’s digital world, as emails are often used as a delivery method for malicious software and phishing attempts. Here are some tips SMEs can use to enhance email security:
- Use strong email passwords: A password manager can help ensure that passwords are complex and unique. Passwords are safely kept in a vault protected by a single master password, and the manager autofills the complex passwords so users never have to remember them.
- Be cautious with email attachments: Never open attachments from an unknown sender. Email security software provides built-in data encryption capabilities and attachment protection.
- Only connect to trusted Wi-Fi networks: Users should only connect to networks that meet the necessary security requirements, such as Wi-Fi Protected Access (WPA).
Furthermore, the frequency of phishing attacks seems to be increasing. 57% of respondents have been targeted multiple times at work and a third (33%) perceived a 10% to 20% increase over the last three years.
Company impersonations are the most common type of phishing attacks
A distressing factor for organisations is the many ways perpetrators can disguise phishing attempts to deceive recipients. Of the phishing attacks that respondents have received at work, nearly half (49%) of respondents said the attacks had impersonated a company, and 40% said they had impersonated a bank.
Phishing attacks that impersonate a company may have a higher chance of success when the recipient's company, for example, outsources services to external companies. In that situation, employees may find it difficult to distinguish between an official email and a phishing attempt.
Tips to detect a phishing email
According to the Australian Cyber Security Centre’s (ACSC) email scenario quiz, the following tips can be used to identify phishing emails:
- Always check the sender’s details to see if they match the official organisation they are trying to impersonate.
- Subject lines are often used as click-bait.
- Phishing emails are rarely personalised, as they are usually generic templates sent out to thousands of people.
- Pressured requests to click on a link, open an attachment, or provide personal information are good indicators of a malicious email. A single email may also make several such demands.
- Cybercriminals often try to make an email look genuine by including letterheads and official-sounding terminology.
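The cues above can be turned into a simple mail-screening check. The following is an added example, not code from the article or from the ACSC quiz: it parses one raw email, applies each cue (sender domain, click-bait subject, generic greeting, repeated pressure, links outside trusted domains) and returns the warning signs found. The trusted-domain allow-list, the keyword lists and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical allow-list: domains this organisation genuinely corresponds with.
TRUSTED_DOMAINS = {"company.example", "example-bank.com"}

# Wording typical of "enforced" requests (constructed list, extend to taste).
PRESSURE = re.compile(r"\b(urgent|immediately|suspended|locked|verify now|within \d+ hours)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear\s+(customer|user|client|account holder)\b", re.I)
HREF = re.compile(r'href="https?://([^/"]+)', re.I)

def phishing_indicators(raw_message: str) -> list[str]:
    """Return the ACSC-style warning signs present in one raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_content()
    found = []
    # 1. Sender details: the address domain must belong to an organisation we trust.
    _, addr = parseaddr(msg["From"] or "")
    if addr.rpartition("@")[2].lower() not in TRUSTED_DOMAINS:
        found.append("sender_domain_untrusted")
    # 2. Subject line used as click-bait (pressure wording or multiple exclamation marks).
    subject = msg["Subject"] or ""
    if PRESSURE.search(subject) or subject.count("!") >= 2:
        found.append("clickbait_subject")
    # 3. Generic, non-personalised greeting.
    if GENERIC_GREETING.search(body):
        found.append("generic_greeting")
    # 4. Several enforced requests in a single email.
    if len(PRESSURE.findall(body)) >= 2:
        found.append("repeated_pressure")
    # 5. Any link whose host is outside the trusted domains.
    if any(host.lower() not in TRUSTED_DOMAINS for host in HREF.findall(body)):
        found.append("untrusted_link")
    return found

# Constructed sample messages (not from the article) for demonstration.
PHISH = """\
From: "Example Bank Support" <alerts@examp1e-bank-login.com>
To: staff@company.example
Subject: URGENT: account suspended - verify now!!
Content-Type: text/html

<p>Dear Customer,</p>
<p>Please <a href="http://examp1e-bank-login.com/verify">click here</a> immediately
or your account will be locked within 24 hours.</p>
"""

LEGIT = """\
From: "Payroll" <payroll@company.example>
To: staff@company.example
Subject: June timesheet reminder
Content-Type: text/html

<p>Hi Sam,</p>
<p>Timesheets are due Friday: <a href="https://company.example/timesheets">submit here</a>.</p>
"""
```

Running `phishing_indicators(PHISH)` reports all five cues, while the payroll reminder reports none; in practice the allow-list and keyword sets would be tuned to the organisation's own correspondents.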
It’s important that companies share these identification tips with their employees so that employees are well aware of the signs of a phishing email. Companies can also leverage internal communication tools to inform employees about a phishing email or allow them to raise concerns about a suspicious email.
An overwhelming 89% of senior managers said that phishing attacks are becoming harder to detect due to their sophistication. The ACSC highlights the danger of more sophisticated cybersecurity threats that make it easier for online criminals to replicate cyber crimes on a grander scale.
According to 98% of senior managers, phishing attacks are a concern
A vast majority (98%) of senior managers say phishing attacks are a cause for concern in their company, of which 23% say it's a serious concern. In particular, 9 out of 10 senior managers believe that phishing attacks are becoming more of a serious threat to businesses with more companies operating under remote or hybrid models.
Remote and hybrid models have transitioned from a necessity to a preference among many Australian employees since these models were introduced during the pandemic. A recent GetApp study on remote work found that 65% of respondents would only apply for a non-remote job if it is hybrid. Additionally, the same study found that 85% of remote and hybrid employees have received a phishing attack attempt at least once, and only 30% of remote and hybrid employees use password management software. This data may suggest that remote and hybrid work environments need more vigilant security measures to protect their data.
Tips to secure remote work environments
Among a rising demand and preference towards remote working, coupled with an ever-present security threat, organisations can implement the following strategies to keep data breaches at bay:
- Establish well-rounded remote work policies that define best practices. Policy management software provides the tools needed to author, revise, and approve policy changes when needed.
- Implement strong access management and controls with multi-factor authentication (MFA) and a virtual private network (VPN).
- Educate remote employees continuously about cybersecurity to avoid potential cyber threats.
Whether remote or in-office, the most important defence against phishing attacks is being able to identify and report them when they are received. Three-quarters (75%) of senior managers identified a phishing attack when they received it at work and reported it to the responsible team compared to only 61% of employees. The lower number of reported cases among employees may also be a concern for management and emphasises the importance of training and making employees aware of the implications of a security breach.
Moreover, just over half of all respondents (51%) said they either ignored or deleted a phishing attempt after realising it was fraudulent. Reporting phishing attacks helps security systems identify potential threats and patterns; ignoring them could therefore prevent security systems from working to the best of their ability. Senior managers cited the following as being responsible for data security in their company:
- A special team in charge of data security (50%)
- The IT team (24%)
- One person in charge of data security (19%)
It’s important that employees know who to report incidents to, so reporting lines should be clearly and regularly communicated. Employees who are not sure who is responsible for data security should report security incidents such as phishing attacks directly to their manager.
How are companies utilising phishing awareness training?
The Australian Minister of Home Affairs and Cyber Security, Clare O’Neil, during her speech at the AFR Cyber Summit, emphasised the importance of cybersecurity training within companies. She stated, ‘The private sector needs to improve their governance, including audits and risk assessments and in the development of their own policies, training, practices, and their own cybersecurity education and cultures’.
81% of senior management say their company has implemented phishing awareness training for their employees. Of those respondents, 88% agreed that the training helped prevent phishing attacks and reported a decline in successful phishing attacks.
The most common form of phishing awareness training for those who said their company had implemented it was through talks that explained what phishing attacks are and how to avoid them (60%), followed by explanation videos (58%). Only 39% use a formalised program for training for continuous learning.
Employee training software solutions for SMEs
Learning management systems (LMS) enable companies to update their training material to keep up to date with evolving threats as phishing attacks become more sophisticated and harder to detect. LMS platforms are a formalised training solution that help to deliver and track eLearning courses and testing.
Additionally, 52% of those with phishing training in place in their company believe spending on it will decrease or stay the same. This data may suggest that companies don’t have continuous learning programs in place, or that they consider spending on anti-phishing software the better investment. Less than half (47%) anticipate that their company will increase spending on phishing awareness training in the next two years.
74% of companies have anti-phishing software, according to senior managers
Nearly three-quarters (74%) of senior managers said their company has anti-phishing software in place. Of those respondents who said their company has anti-phishing software, an overwhelming 97% said the software is successful in that it regularly prevents phishing attacks (72%) or prevents them from time to time (25%).
Reduce unwanted or malicious emails with anti-spam software
Anti-phishing software may encompass a combination of many tools to help safeguard company data and employee inboxes. One such example is anti-spam software. Anti-spam software acts as a preventative measure that may reduce the margin for human error, such as clicking a link in a compromised email, by reducing the number of phishing emails in their inboxes.
Just over two-thirds (67%) of senior managers whose company uses anti-phishing software anticipate they will increase spending on it over the next two years.
From the analysis above, the planned increase in spending on anti-phishing software may be a result of the success of the software, and also because phishing attacks are becoming more sophisticated and harder to detect.
Of the respondents who said their company doesn’t have anti-phishing software (17%) or those who are unsure if their company has it (9%), only 15% say that they are not planning to implement anti-phishing software. On the other hand, 69% of these respondents said their company plans to implement the software soon.
Organisations must layer up cybersecurity defences
Organisations need robust and proactive procedures to handle data breaches and protect consumer information. Furthermore, organisations that fail to put these procedures in place risk a security breach resulting in severe implications and will be held accountable for mismanagement, as warned by the ASIC.
Therefore, organisations must layer up defences and use resources available to them to defend themselves against a potential cyberthreat, whether that cyberthreat may be in the form of a phishing attack or otherwise. Some of the most important measures to maintain data security, according to senior management, are the following:
- Update cybersecurity software regularly (59%)
- Use antivirus tools and encryption (56%)
- Update company software regularly (55%)
- Follow all email security guidelines (50%)
- Adhere to a password policy (45%)
The data for GetApp’s Phishing Attacks Survey was collected between July and August 2023. The survey comprises answers from 561 respondents: 346 employees and 215 senior managers, executive managers, and business owners. The survey sample was selected based on the following criteria:
- Australia resident
- Aged 18-65 years old
- Employed either full-time or part-time with a company with at least two employees
- Uses a computer for daily work tasks at least sometimes
- Has received at least one phishing attack at work
- Understands the meaning of a phishing attack after being shown the definition
The following definition of a phishing attack was shown to respondents: ‘Phishing is a common type of cyber attack that targets individuals through email, text messages, phone calls, and other forms of communication usually by impersonating senders known to the recipient (for example, package delivery, prizes, public entities, etc.). A phishing attack aims to trick the recipient into falling for the attacker’s desired action, such as revealing financial information, system login credentials, or other sensitive information. Phishing attacks are very often perpetrated against companies through their employees.’