The Real Reason For Successful Phishing Attacks

Successful phishing attacks are increasing at a rapid rate, and so too are the variety of forms they come in.

Millions of users worldwide are put at risk every single day (well, every 30 seconds to be exact). Simply put, cyber criminals are evolving, and so are their techniques.

But it isn't just your traditional phishing scam that's taking its toll on a range of businesses: spear phishing and CEO fraud now offer attackers a far more damaging scope of attack. Without a doubt, IT decision makers are squirming at the possibility of becoming yet another story in the never-ending book of breaches.

But what makes these phishing attacks so successful? Well according to a report by Osterman Research, there are 6 main factors to blame...

#1 Your users lack security awareness

The largest door being opened for cyber criminals is, without a doubt, the one labelled "security awareness". More specifically, a lack of employee training focusing on issues such as phishing and ransomware is the main reason for these attacks being so successful.

In fact, Osterman claim that 6% of users have never received security awareness training. This is pretty damning when it comes to an employee's confidence and ability to recognise phishing attacks and act appropriately. Users should be trained to be cautious of any unexpected email and of the scams they could face on various platforms.


#2 Criminals are (unsurprisingly) following the money

The use and notoriety of the Dark Web have lowered the commercial value of stolen data. The price of a payment card record dropped from $25 in 2011 to $6 in 2016, meaning that cyber criminals have had to adapt their focus to new ways of earning the kind of money they did in the past.

Consequently, criminals are now turning to the holders of information rather than the data itself. Attacks such as ransomware, where information-holders are afraid of losing their data, mean that victims wouldn't think twice before paying the criminal's demands.

#3 You're not performing sufficient due diligence

Companies are simply not doing enough to reduce the risks associated with phishing and malicious software. There's a lack of adequate backup processes in place, as well as an inability to identify the weakest users that need further training.

Also, strong internal control processes are often missing, such as a double confirmation for any bank transfer request (which can be key to preventing CEO fraud). Neglecting these processes is playing directly into the hands of some of the most common fraudulent techniques.

Did you know... the average cost of a phishing attack for medium-sized companies is $1.6 million.

#4 Criminal organisations are sitting on a mountain of funds

Many cyber criminals have access to large funds, widening their ability to hone their technical skills and allowing for more sophisticated phishing attacks.

In fact, it's claimed that some cyber criminals can make up to $7,500 per month through their damaging schemes, and that the industry is now more profitable than the drug trade.

#5 Low-cost phishing and ransomware tools are easy to get hold of

The availability of phishing kits and the rise of ransomware-as-a-service (RaaS) have given wannabe hackers an easy opportunity to enter the market and compete with sophisticated criminal organisations.

The most worrying part of this growing trend is that even people with little or no IT experience are reaping the rewards of these readily available tools. With that sort of earning potential, it's not hard to see why criminals are drawn into the lucrative business.

#6 Malware is becoming more sophisticated

The old (but still very effective) technique of luring users into clicking malicious links will soon be overshadowed by much more cunning and hard-to-avoid tactics.

There's certainly no major rush to branch out from the current malware techniques, although many have predicted that this year will see the development of new threats, such as “ransomworms” (self-replicating ransomware).


Now is the time to fight phishing and ransomware attacks with a cohesive approach

The key to preventing these attacks, increasing employee phishing awareness, or at least mitigating their magnitude, lies in developing a cohesive strategy that encompasses people, processes and technology:

  • Raise awareness of these threats among staff through employee awareness programmes or dedicated e-learning courses;
  • Develop processes that help staff take the best course of action in case of attack;
  • Implement technology that can prevent these attacks from striking in the first place.