Why is Phishing Still Such a Major Threat Today?

And a Review of Best Practices

By Hugues Seureau, Henry Dome.

Executive Summary
Phishing attacks have emerged as a pervasive and formidable menace, posing substantial threats to individuals and organizations. The global economic cost of cyber attacks, most of which are initiated by phishing, is estimated in the trillions of dollars. If "Cybercrime is the #1 problem in mankind", as Warren Buffett says, then phishing is the #1 problem.

Phishing is the main source of cyber attacks, but a brief review of security practices and cybersecurity vendors’ claims seems to indicate that it is not the main focus. See our video below for more about why (1). Despite the existence of a plethora of cybersecurity solution vendors, the anti-phishing solutions they offer have proven relatively inadequate in combating the root cause of these attacks, because that root cause is a tough problem to tackle and usually lies outside the scope of a company’s CISO. Tools and processes address phishing campaigns and how fast to detect and react to them, but they do not prevent them. Nor do they prevent what the authors call “ricochet phishing”.

According to the Cyber Research Databank (CyberDB), the United States alone houses over 3,500 cybersecurity companies. The cybersecurity industry has enabled companies to build very efficient fortresses around their systems, yet there is still an opportunity to collectively address the evolving nature of phishing threats that are outside of the fortresses, thus leaving users less vulnerable.

This article delves into the current landscape of anti-phishing and cybersecurity, examining the limitations of prevailing approaches and education, and highlighting the urgency for adopting proactive measures to safeguard against the ever-evolving tactics employed by cybercriminals. By shedding light on the challenges faced by existing security solutions, this study advocates for a more innovative and holistic approach that targets the root cause of phishing attacks to fortify defenses and mitigate the pervasive risks of phishing attacks.



Main Trends Driving Phishing
In today's interconnected world, where technology permeates every aspect of our lives, the importance of robust cybersecurity measures cannot be overstated.

Among the multitude of cyber threats that individuals, businesses, and organizations face, phishing attacks stand out. According to a CISA estimate, a vast majority (90%) of cyberattacks originate in phishing, and in another CISA infographic, about 70% of phishing malware and links are not blocked by network protection.

Phishing attacks employ deceptive social engineering tactics to trick unsuspecting users into divulging sensitive information (PII, health, payment, …), leading to identity theft, financial loss, and reputational damage. As technology advances with the general availability of AI, and in particular LLMs (Large Language Models), and cybercriminals become increasingly sophisticated, the fight against phishing has reached a critical juncture. Phishing is growing at critical rates year over year, and the availability of ChatGPT replicas like WormGPT is a major concern in cybersecurity spheres.

The landscape of anti-phishing and cybersecurity is continually evolving, as both attackers and defenders adapt their strategies to outwit one another. Traditional anti-phishing solutions have focused on detecting and blocking known phishing emails or malicious websites, but they often fall short in addressing the root cause of these attacks. As Steve Bickel, a Senior Account Executive at Impact Networking, argues, “If 90% of people receive at least 1 phishing email per day, and 90% of people can't identify a phishing email, then they've already won.” On the point of identifying phishing, there has been a lot of progress in educating end users over the past decade, and specifically since the COVID-19 pandemic. However, there are no tangible calls to action after the education courses: users are left to rely on their own attention. Today, all web users have to be 100% attentive, 100% of the time, to prevent phishing.

We all know that’s not possible, especially at a time when social engineering and spear phishing get better with AI Large Language Model (LLM) support. Spear-phishing is the act of phishing someone in particular with a personalized approach, as opposed to phishing campaigns that have a broader reach. As a result, new and innovative approaches are necessary to counteract the ever-changing threat landscape.

In this article, we explore the current state of anti-phishing and cybersecurity, shedding light on the challenges faced by individuals and organizations. We examine the pressing need for proactive measures, the limitations of traditional solutions, and the unique features that can be introduced to offer better solutions. In doing so, we can pave the way for a safer digital future, where individuals and organizations can navigate the online landscape with confidence and peace of mind.



The Ever Growing Threat of Phishing
In recent years, as people work increasingly remotely, phishing attacks have experienced a significant surge, making them a pervasive and ever-increasing threat to individuals and organizations alike.

As noted by Luke Simonetti, Vice President and Cyber Strategy Solutions Group Lead, “The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) found that #phishing was the most frequently reported #cybercrime of 2021.” He also points out that “In a recent survey from HEALTH-ISAC and Booz Allen Hamilton healthcare cybersecurity executives identified phishing and spear phishing as a top concern”, highlighting the fact that phishing is a serious threat to various industries, sectors and individuals at large. These attacks rely on deceptive techniques to manipulate unsuspecting users into divulging sensitive information or performing actions that benefit the attackers.

The success of phishing attacks can be attributed to the sophisticated use of social engineering tactics by cybercriminals. They exploit human vulnerabilities, preying on factors like trust, urgency, curiosity, and fear to manipulate their victims. Phishing emails may appear remarkably legitimate, containing official logos, professional language, and seemingly valid email addresses. Similarly, phishing websites often mirror the design and layout of genuine sites, making it challenging for users to distinguish between the real and the fake. With the advent of crawlers and AI, it is today faster than ever to copy the content of a website and build a copycat.

What sets phishing attacks apart from other cyber threats is their ability to deceive users into taking actions that compromise their security. This can involve clicking on malicious links, downloading malware-infected files, entering sensitive login credentials, or providing financial information. By doing so, victims unknowingly grant cybercriminals access to their personal and financial data, which can be exploited for various malicious purposes, including identity theft, financial fraud, and unauthorized account access.

The effectiveness of phishing attacks is further amplified by the widespread use of digital communication channels and the growing reliance on online services. With the increasing prevalence of email, messaging apps, and social media platforms, cybercriminals have an extensive pool of potential targets to exploit. Furthermore, the integration of smartphones and other mobile devices into our daily lives has expanded the attack surface, as users can now fall victim to phishing attempts regardless of their location or time of day.

Cybercriminals are continually refining their techniques, making phishing attempts increasingly convincing and difficult to detect. They employ psychological manipulation, such as urgency or fear-inducing language, to prompt immediate actions from their targets. Join Certilane’s Trust Alliance group of tech and business leaders on LinkedIn to get curated examples of these scams, some of the most iconic of which were initiated during the pandemic. Moreover, phishers leverage personalization tactics, tailoring their phishing messages to suit individual recipients, increasing the likelihood of success.

To make matters worse, the scope of anti-phishing protection is reduced, while the area of exposure to phishing is immense.

Cybersecurity vendors and email providers like Microsoft Outlook, Google Mail and Apple generally only cover emails. They are not trying to prevent hackers from copying websites or crafting malicious attachments, but rather to detect the malicious campaigns and attachments once they have been sent. As a result, there is no way today to reduce the number of malicious campaigns before they are created. The scope is restricted to reactive tools.

In addition, a CISO’s remit is bounded by a perimeter. The scope of a company’s Chief Information Security Officer (CISO) is restricted to securing their own organization, usually in a reactive way: building a fortress, then detecting and reacting as soon as possible to attacks. In no way are CISOs trying to protect web users outside of their IT system fortress.

The issue with phishing is that it goes beyond the scope of tools and CISOs. Anti-phishing needs to be holistic and systemic. Why? Hackers copy a brand’s website outside of the brand’s area of control, outside of its IT systems. And they target people outside of the brand’s systems, through their emails or through clicks on a website that may have nothing to do with the brand. For instance, a brand’s employee can get phished, and their password exposed to hackers, when the employee enters information on a fake school or e-commerce website. Once the information about the employee is known, hackers can leverage it to penetrate the systems of their initial brand target. This is what I’ll call ricochet phishing.

For a “systemic ricochet” phishing risk, there is no other answer than a systemic answer. Wait no more than a few paragraphs to get a better idea of what we have in mind.

As phishing attacks such as email phishing, spear phishing, whaling, smishing and vishing, and angler phishing continue to evolve in complexity and sophistication, it is imperative for both individuals and organizations to remain vigilant and take proactive measures to protect themselves. Recognizing the growing threat of phishing and understanding its modus operandi is the first step towards building a robust defense against these pervasive cyber-attacks.



Phishing Attacks Impact Trillions of Dollars of Economic Worth
Phishing attacks can have far-reaching and detrimental consequences for the economy, individuals, and organizations. Falling victim to a phishing attack can result in various damaging outcomes, including identity theft, financial loss, and reputational damage.

The global economic cost of cyber attacks, of which up to 90% were initiated by phishing in 2022 according to CISA, is estimated at over $8 trillion in 2023 by Cybercrime Magazine (media outlet of Cybersecurity Ventures, Dec 2022 report update). “Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next three years, reaching $10.5 trillion USD annually by 2025”. This includes not only the immediate cost of cyberattacks but the whole economic value lost due to the attacks. According to the article, the methodology includes in cybercrime costs: “damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.”

For individuals, the consequences of a successful phishing attack can be devastating. Cybercriminals who gain access to Personal Identifiable Information (PII) through phishing can engage in identity theft, using stolen data to open fraudulent accounts, apply for credit, or conduct unauthorized financial transactions. Victims may find themselves facing financial ruin as their bank accounts are drained, credit scores are tarnished, and they are left to navigate the arduous process of reclaiming their stolen identity.

Furthermore, phishing attacks can compromise personal privacy, leading to the leakage of sensitive information, such as medical records or personal correspondence. Each compromised record cost healthcare organizations an average of $146, according to a 2020 study included in Ponemon Institute's annual "Cost of Data Breach" report. Where Personal Health Information (PHI) was involved, that amount rises to $150 per breached record.

Businesses and organizations are also prime targets for phishing attacks, with potentially grave consequences.

Phishing attacks aimed at businesses often take the form of spear-phishing, targeting specific individuals within the organization, such as executives or employees with access to sensitive data. Successful attacks can result in data breaches, compromising confidential information, trade secrets, or customer data. The financial impact of such breaches can be substantial, including direct financial losses from fraud or legal costs associated with regulatory fines, lawsuits, and damage control.

According to IBM’s new 2023 Cost of Data Breach report, the average cost of cyber attacks for US firms is $9.5 Million per attack. However, that figure excludes Mega Breaches from the data taken into account. There were 20 Mega Breaches assessed by IBM in the report in 2022, and their average cost was $336 Million. That means that just 20 attacks caused over $6 billion of damage, and most of them were initiated with some sort of phishing.

Additionally, according to an article published by Cybersafe, the 2020 Cyber Security Breaches Survey identified phishing attacks as the most disruptive form of cyberattack for UK organizations.

Reputational damage is a significant consequence of phishing attacks for both individuals and organizations. If personal information or sensitive data is exposed as a result of a successful phishing attack, individuals may suffer a loss of trust and credibility among friends, family, or professional contacts. Organizations that fall victim to phishing attacks always face a tarnished reputation, eroding customer trust and loyalty. For instance, in 2016 TalkTalk lost almost 60m euros after experiencing a phishing attack in 2015, meaning they lost a massive number of customers and, in turn, profits as well. Such damage can have long-term repercussions on customer acquisition, retention, and overall business viability.

IBM’s report includes reputational damage as part of “lost business” in their report but does not clearly indicate the share of cost that it represents. However, according to Quadbridge, “Around 40% of the costs incurred by a data breach come from the negative effects on reputations” and can last a very long time. With cyber risk, customers pay attention, literally. In a webinar presentation produced by Thales Security US and Digicert, we could read that “47% of consumers are switching brands after a loss of trust.” Beware not to lose that trust, at a time when a brand is required to quickly inform the public about a breach.

The evolving nature of phishing techniques and the increasing frequency of attacks underscore the urgency for proactive measures to mitigate the risks posed by phishing. Traditional reactive approaches, such as relying on spam filters and blacklists, are often insufficient in countering the ever-changing tactics employed by cybercriminals. It is crucial for individuals and organizations to adopt comprehensive anti-phishing strategies that encompass education, awareness, and robust technological solutions.

By staying informed about the latest phishing trends, practicing skepticism when encountering suspicious emails or messages, and implementing advanced security measures, individuals can minimize the risk of falling victim to phishing attacks. Similarly, organizations must prioritize employee training on identifying and reporting phishing attempts, implement multi-factor authentication, regularly update security protocols, and invest in advanced anti-phishing solutions.

However, education will not solve everything. As long as there are no tools to support people, and no clear calls to action with simple things to do at the end of these educational programs, phishing will remain a growing threat. To reduce the impact of phishing, the world needs to teach Internet users a practical solution. It’s impossible to ask people to be 100% attentive, 100% of the time.



The Limitations of Traditional Anti-Phishing Solutions
Traditional anti-phishing solutions have played a crucial role in mitigating the risks associated with phishing attacks. However, they come with inherent limitations that can hinder their effectiveness in today's rapidly evolving threat landscape. These limitations primarily revolve around their reactive nature, reliance on signature-based detection methods, and their focus on addressing symptoms rather than tackling the root cause of phishing attacks.

One of the significant limitations of traditional anti-phishing solutions is their reactive approach. These solutions often rely on detecting and blocking known phishing emails or malicious websites based on previously identified patterns or signatures. While this can be effective against known threats, it falls short when faced with new or sophisticated phishing techniques. Cybercriminals are constantly innovating and devising novel ways to deceive users, rendering signature-based detection methods less effective against previously unseen attacks.

Another limitation stems from the reliance on denylisting (what was traditionally called “blacklisting”). Traditional anti-phishing solutions often maintain databases of known phishing websites or email addresses, which are denylisted to prevent users from accessing or interacting with them. However, this approach is limited to known threats and does not account for the constantly evolving nature of phishing attacks. Cybercriminals can easily create new phishing websites or use different email addresses, bypassing the denylists and exposing users to previously unknown risks.
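To make the gap between signature-based detection and the reactive denylist concrete, here is an added illustration that is not part of the original article nor of Certilane’s product. It constructs a small denylist of previously reported hosts and a small allowlist of the hostnames a fictional brand actually operates (all under the reserved .example TLD, so nothing here is a real indicator). A freshly registered typosquat passes the denylist untouched, which is exactly the limitation described above; a complementary check that compares the host against the brand’s own domains flags it for review. The treatment of the label before the last one as the registrable name is a simplification assumed for the demo; a production check would consult the Public Suffix List.

```python
"""Added example: why a denylist alone misses fresh phishing hosts.

All hostnames below use the reserved .example TLD and are constructed for
this illustration; they are not real indicators of compromise.
"""
from urllib.parse import urlsplit

# Constructed denylist of hosts that were reported in earlier campaigns.
DENYLIST = {
    "login-examplebank-verify.example",
    "secure-update.example",
}

# Constructed allowlist: the hostnames the fictional brand really operates.
BRAND_DOMAINS = {"examplebank.example"}


def hostname_of(url):
    """Return the lower-cased hostname of a URL ('' if the URL has none)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def denylist_check(url):
    """Reactive control: fires only if this exact host was reported before."""
    return hostname_of(url) in DENYLIST


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquatted brand labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_check(url, brand_domains=BRAND_DOMAINS, max_distance=2):
    """Proactive control: flag hosts that imitate a brand without being it.

    Assumption (simplification for this demo): the label before the last one
    is treated as the registrable name instead of consulting the Public
    Suffix List.
    """
    host = hostname_of(url)
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else host
    for brand in brand_domains:
        if host == brand or host.endswith("." + brand):
            return False  # genuinely one of the brand's own hosts
        label = brand.split(".")[0]
        if label in host.replace("-", ""):
            return True  # brand name embedded in a foreign host
        if edit_distance(sld, label) <= max_distance:
            return True  # typosquat of the brand name
    return False


def classify(url):
    """Run the reactive control first, then the proactive one."""
    if denylist_check(url):
        return "blocked-by-denylist"
    if lookalike_check(url):
        return "suspicious-lookalike"
    return "not-flagged"


if __name__ == "__main__":
    # Constructed sample URLs: a previously reported host, a brand-new
    # typosquat, the genuine site, and an unrelated site.
    for url in [
        "https://login-examplebank-verify.example/",
        "https://examp1ebank.example/reset",
        "https://examplebank.example/login",
        "https://news.example/",
    ]:
        print(f"{classify(url):22s} {url}")
```

The second URL is the interesting one: it is not on the denylist, so a purely reactive filter lets it through, yet it sits one character away from the brand’s real name and is flagged by the lookalike check. The allowlist-based check is not a substitute for user verification, but it shows that a control anchored on what is legitimate does not depend on having seen the attacker’s host before.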

Moreover, traditional anti-phishing solutions primarily address the symptoms of phishing attacks rather than tackling the root cause. They focus on detecting and blocking phishing emails or websites after they have already reached the user's inbox or browser. While this can provide some level of protection, it does not address the underlying vulnerabilities in email protocols and infrastructure that cybercriminals exploit. By solely addressing the symptoms, these solutions do not provide a proactive defense against emerging and future phishing techniques.

The limitations of traditional anti-phishing solutions highlight the need for innovative approaches.

As a result of the episodic but high-impact failures of current solutions, there is very high growth in cybersecurity insurance policies. We will write another article about this. But insurance doesn’t prevent phishing from happening; on the contrary, it incentivizes it.


So what can be done against phishing?

Fortunately, there are emerging solutions that aim to overcome these limitations. One such solution is Certilane, a unique, patented app that revolutionizes anti-phishing by fixing the root cause of phishing attacks. Certilane takes a proactive approach by providing a secure layer on top of existing email protocols, verifying the authenticity of email senders and ensuring the integrity of email contents. By addressing the vulnerability that people cannot recognize a URL with certainty, Certilane significantly reduces the risk of phishing attacks reaching users' inboxes, offering a comprehensive solution.

We’ll review how Certilane was born and what holistic solution it enables in our next article.



More about the authors.

Hugues "Hugo" Seureau.
CEO @ Certilane.
Hugues.seureau@certilane.com
Hugo helps companies develop their product and revenue. He operationalizes their marketing and GTM strategies. He leads Penon’s marketing strategy and operations. Talented and accomplished specialist in Corporate Innovation, Product Market Fit Research, and Product Roadmap Alignment for industries like Manufacturing and Software. He delivers results for large companies, SMBs, VCs, startups, and founders, in industries such as SaaS, PaaS, IaaS, on-premise Software, Engineering, A&D, Electronics, Automotive, Industrial Products, Energy, Pharma/Life sciences, Fintech, Biotech, Cosmetics, CPG, Retail and others. As an entrepreneur in Product Marketing and Innovation Services, he has accumulated 5 years leading New Product Introductions (NPI) at tech startups, multiplying prototypes x10 and accelerating their Time to Market by 20%. He also wears a Chief Marketing Officer hat, scaling startup outreach processes and increasing their visibility x2-10.

Henry Dome.
Technical Content Lead @ Certilane.
Henry is Certilane's content writer lead. He has accumulated 6 years of research, editing and storytelling in specific industry fields like SaaS and Cybersecurity.



References

(1) https://www.linkedin.com/feed/update/urn:li:activity:7080605737940316160

Alkhalil, Z., Hewage, C., Nawaf, L., & Khan, I. (2021). Phishing attacks: A recent comprehensive study and a new anatomy. Frontiers in Computer Science, 3, 563060.
Gupta, B. B., Arachchilage, N. A., & Psannis, K. E. (2018). Defending against phishing attacks: taxonomy of methods, current issues and future directions. Telecommunication Systems, 67, 247-267.
Oest, A., Safei, Y., Doupé, A., Ahn, G. J., Wardman, B., & Warner, G. (2018, May). Inside a phisher's mind: Understanding the anti-phishing ecosystem through phishing kit analysis. In 2018 APWG Symposium on Electronic Crime Research (eCrime) (pp. 1-12). IEEE.
Qabajeh, I., Thabtah, F., & Chiclana, F. (2018). A recent review of conventional vs. automated cybersecurity anti-phishing techniques. Computer Science Review, 29, 44-55.
Sharma, P., Dash, B., & Ansari, M. F. (2022). Anti-phishing techniques–a review of Cyber Defense Mechanisms. International Journal of Advanced Research in Computer and Communication Engineering ISO, 3297, 2007.
Salloum, S., Gaber, T., Vadera, S., & Shaalan, K. (2021). Phishing email detection using natural language processing techniques: a literature survey. Procedia Computer Science, 189, 19-28.
Vayansky, I., & Kumar, S. (2018). Phishing–challenges and solutions. Computer Fraud & Security, 2018(1), 15-20.



Picture:
Cybersecurity today: multiple fortress layers protect the system, but a large amount of value is by default outside the fortress: people that are not part of the organization, like customers, members, partners, prospects, press, and simple visitors.