AI is taking phishing attacks to a whole new level of sophistication
92% of organizations have fallen victim to successful phishing attacks in the last 12 months, while 91% of organizations have admitted to experiencing email data loss, according to Egress.
Not surprisingly, 99% of cybersecurity leaders confess to being stressed about email security. Specifically, 98% are frustrated with their Secure Email Gateway (SEG), with 53% conceding that too many phishing attacks bypass it.
“The growing sophistication of phishing emails is a major threat to organizations and needs to be urgently addressed,” said Jack Chapman, VP of Threat Intelligence, Egress. “The signature-based detection used by Microsoft 365 and secure email gateways (SEGs) can filter out many phishing emails with known malicious attachments and links, but cybercriminals want to stay one step ahead. They are evolving their payloads and increasingly turning to text-based attacks that utilize social engineering tactics and attacks from a known or trusted source, such as a compromised supply chain email address.”
“Unfortunately, phishing attacks will only become more advanced in the future, as cybercriminals use AI-powered technologies, such as chatbots, to automate and improve their attacks, such as adding video and voice capabilities to text-based phishing,” Chapman concluded.
Inbound and outbound email security
The report investigates both inbound phishing attacks and outbound data loss and exfiltration, highlighting the importance of a holistic approach to email security.
Interestingly, 71% of surveyed cybersecurity leaders view inbound and outbound email security as a unified issue to tackle, recognizing their interconnected nature. The survey goes on to examine the technical controls and security awareness and training (SA&T) programs in place to reduce email security risk.
Sophistication of phishing emails causes major financial losses
86% of surveyed organizations reported that they were negatively impacted by the sophistication of phishing emails, and 54% suffered financial losses due to customer churn following a successful phishing attack.
Additionally, 40% of incidents resulted in employees leaving the organization. Cybersecurity leaders found that 85% of successful account takeover (ATO) attacks began with a phishing email.
Risky behavior leads to costly data loss
The survey found that people making mistakes or taking risks to accomplish their tasks are more common than malicious insiders. In fact, 91% of cybersecurity leaders surveyed reported that data had been leaked externally by email.
The top three causes for these incidents include reckless or risky employee behavior, such as transferring data to personal accounts for remote work; human error, including employees emailing confidential information to incorrect recipients; and malicious or self-serving data exfiltration, such as taking data to a new job.
Furthermore, 49% of organizations surveyed experienced financial losses from customer churn following a data loss incident, and 48% of incidents resulted in employees leaving the organization.
Too many phishing emails reaching employee inboxes
58% of cybersecurity leaders believed their SEG was not effective in preventing employees from accidentally emailing the wrong person or sending the wrong attachment.
Additionally, 53% of respondents reported too many phishing emails still made it to employees’ inboxes, while 50% of organizations found it takes a lot of administrative time to manage their SEG.
Security awareness and training
Although 98% of the surveyed organizations conducted some form of Security Awareness and Training (SA&T), 96% of them expressed concerns or limitations with their SA&T programs.
59% of organizations reported that SA&T is necessary for compliance with regulations or cyber insurance, and 46% of organizations reported that employees tend to skip through SA&T as fast as possible.
Additionally, 37% of organizations admitted they lack confidence that employees remember what they have been taught during SA&T, and 29% of organizations reported that employees find SA&T to be annoying.
Email security is a necessity for stopping phishing attacks
The report highlights that people need real-time teachable moments that alert them to threats and engage them at the point of risk to tangibly reduce the number of security incidents that occur.
Data throughout the report highlights that advanced email security is a necessity for everyday business. Despite investments in traditional email security and SA&T, surveyed organizations remain highly vulnerable to phishing attacks, human error, and data exfiltration.
The only way to change the situation is to use intelligent email security solutions that augment traditional SEGs and Microsoft 365, offering the defense-in-depth required with a layered security approach.