HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Phishing Emails Used in 91% of Cyberattacks

A single phishing email is all it may take for a cybercriminal to gain access to a computer network and sensitive data. Even when organizations have developed highly sophisticated cybersecurity defenses, a single spear phishing email can see those defenses bypassed. According to a recent study by PhishMe, 91% of cyberattacks commence with spear phishing emails.

For the study, PhishMe assessed response rates from more than 40 million phishing email simulations that were sent to around 1,000 organizations over the past 12 months. The study revealed that even though healthcare organizations conduct security awareness training, healthcare employees have a phishing email response rate of 31%.

Cybercriminals use a range of social engineering techniques to fool end users into clicking on malicious links, opening infected email attachments, or revealing sensitive information such as login credentials.

End users are often fooled into opening fake order confirmations, job applications, notifications of failed deliveries, security updates, and legal notices, but in many cases the phishing emails are even more basic. PhishMe reports that employees commonly respond to blank emails containing malicious links and attachments.

However, the most effective phishing emails were those used by the actors behind Locky ransomware. Locky has fast become one of the biggest threats since it was first discovered in February this year. The email campaigns used to spread the ransomware are particularly successful because they are highly targeted and have been developed specifically to attack businesses. An analysis of phishing emails used to distribute Locky ransomware showed that the Insurance and healthcare industry response rates were particularly high, with response rates of 34.7% and 24.9% respectively.

The phishing emails are personalized, which increases the likelihood of the target responding to the email. Personal information such as the recipient’s name is included in the emails to improve response rates and the emails closely resemble orders and requests that are received on a daily basis by office workers. Whereas phishing emails used to be fairly easy to identify due to the number of spelling and grammatical errors, the quality of phishing emails has improved considerably in recent years. Phishing emails are now much harder to identify and unless employees receive training – and that training is put to the test – response rates are likely to be high.

The report indicates the main reasons why employees open phishing emails are curiosity, fear, urgency, and the offer of a reward or recognition. Fear of job loss drives many individuals to open phishing emails, click on malicious links, or open infected email attachments. Busy workloads also make employees more susceptible, with time-pressured employees failing to stop and think before opening emails.

Technical solutions to prevent the delivery of phishing emails should be used to reduce risk; however, it is essential to train all workforce members how to identify phishing emails and to condition workers to report suspected phishing attacks.

PhishMe claims susceptibility to phishing emails falls to 20% after one failed phishing simulation. The more practice employees get, the better they become at detecting threats. PhishMe points out, “With repetition, a sustained and well-executed phishing simulation program, focused on conditioning employees to report, provides a significant reduction in overall exposure to risk from this ever-changing attack vector and improves the security posture of an organization.”

It is also possible to significantly reduce the time taken to identify breaches from days to minutes if employees are conditioned into reporting potential threats. The average time taken to identify a breach is 146 days, although with conditioning this can be reduced to an average of 1.2 hours according to the study.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.