Nine in 10 enterprises fell victim to successful phishing in 2022

Email security company Egress finds that 92% of organisations have fallen victim to a successful phishing attack in their Microsoft 365 environments over the past year, with a further 98% of cyber security managers expressing frustration with secure email gateway (SEG) technologies.

According to Egress’ Email security risks report 2023 – which investigated both inbound phishing attacks and outbound data loss and exfiltration – 58% of cyber security managers said traditional SEG technologies were not effective in stopping employees from accidentally emailing the wrong person or with the wrong attachment, while 53% conceded that too many phishing attacks bypass their gateway.    

Egress’ data shows that almost half (44%) of phishing emails are classed as “technical”, meaning they were specifically engineered to bypass signature-based defences, while over a quarter (28%) were sent from compromised legitimate domains. Out of all account takeover attacks, Egress notes 85% start with a phishing email.

A further 91% of cyber security managers also noted that data has been leaked by outbound emails, although this was due to mistakes or taking risks as opposed to malicious insiders.

Egress said the top three causes for these incidents is risky employee behaviour (i.e. transferring data to personal accounts for remote work), human error (emailing confidential information to incorrect recipients), and self-serving data exfiltration (such as taking data to a new job).

Overall, Egress found that 86% of organisations surveyed were negatively impacted by phishing emails, 54% suffered financial losses from customer churn following a successful phishing attack, and 40% of successful phishing incidents resulted in employees leaving the company. Nearly all cyber security managers (99%) said they were stressed about email security.

“The growing sophistication of phishing emails is a major threat to organisations and needs to be urgently addressed,” said Jack Chapman, vice-president of threat intelligence at Egress.

“The signature-based detection used by Microsoft 365 and secure email gateways can filter out many phishing emails with known malicious attachments and links, but cyber criminals want to stay one step ahead.

“They are evolving their payloads and increasingly turning to text-based attacks that utilise social engineering tactics and attacks from a known or trusted source, such as a compromised supply chain email address.”

He further warned that phishing attacks will only become more advanced as cyber criminals turn to AI-powered technologies such as chatbots to automate and refine their attacks.

Egress noted that the top three types of phishing attacks that people fell victim to were those involving malicious URL or malware attachments, social engineering, and supply chain compromises.

Aside from the SEG issues, managers also expressed concern about their security awareness and training (SA&T) programmes, as while 98% carry out some kind of SA&T, 96% aired a concern or limitation with it.

For example, 46% said employees skip through it as fast as possible, 29% said employees find the training annoying, and a further 37% admitted they are not confident people remember what they are taught.

Egress concluded in its report that, despite investments in traditional email security and SA&T, enterprises remain highly vulnerable to phishing attacks, human error and data exfiltration.

It recommends using intelligent email security solutions to augment traditional SEGs and Microsoft 365, such as integrated cloud email security (ICES) solutions that use behaviour-based security to detect anomalies in peoples actions to detect and stop advanced phishing threats.