chat
expand_more

Phishing Click Rates Decline while Socially-Engineered Attacks Grow

Cyber threats are constantly evolving. Cybersecurity teams are most effective when they deploy defenses that protect against the threats that pose the greatest risk at any given time. Socially-engineered attacks—one of the most financially damaging threats...
June 11, 2020

Cyber threats are constantly evolving. Cybersecurity teams are most effective when they deploy defenses that protect against the threats that pose the greatest risk at any given time. Socially-engineered attacks—one of the most financially damaging threats according to the FBI—are on the rise and this year’s Verizon 2020 Data Breach Investigations Report (DBIR) uncovered some interesting findings on the trend.

Thoughts on the 2020 DBIR

According to the report, phishing remains a fruitful method for threat actors. But in good news, Verizon found that click rates are as low as they’ve ever been at 3.4%, while reporting rates are rising, albeit slowly. It seems that security awareness training is succeeding with education about basic phishing attacks. The question is... is that enough?

While increased awareness seems to be a positive step, it may not actually be doing much to help today’s organizations, as business email compromise (BEC) attacks are unfortunately on the rise—and the high level of sophistication and social engineering makes them nearly impossible for an employee to spot. These modern BEC attacks lack the common threat signals to trigger detection from yesterday’s secure email gateways. These attacks do not have attachments carrying malware. Nor do they contain URLs leading to malicious websites.

These email attacks are highly-personalized for each individual target in an effort to convince them they are interacting with a trusted sender. So while security awareness training is proving to be effective in reducing click rates, the continually increasing rates of financial loss due to BEC tells a different story. We’re simply not doing a good job at stopping these payload-less and socially engineered attacks.

On a related note, the DBIR report also found that malware is on a consistent and steady decline over the course of the last five years. Verizon theorizes that with hacking and social breaches leading to credential theft, malware is no longer needed to maintain persistence. Malware “is a tool that sits idle in the attacker’s toolbox in simpler attack scenarios.” That said, malware often still plays a role in more complex incidents such as ransomware attacks.

BEC Continues to Grow

The data tells us that, more and more, threat actors are finding success with socially-engineered attacks. Malware detection tools are likely working—but they’re less needed, as recent attacks trend more toward social engineering.

So what does this mean? The tools we have in place to stop email attacks that carry malicious attachments or URLs to malicious websites are doing a good job. Microsoft EOP and Defender for Office 365, as well as the native security controls from Google Workspace, are effective.

Where there is a security gap is with our ability to address BEC—the payload-less, socially engineered attacks. We need a new, abnormal approach to complement the security capabilities of the cloud email platforms.

Learn more about how the Abnormal platform deployed with native API integration and stops business email compromise by requesting a demo today.

Phishing Click Rates Decline while Socially-Engineered Attacks Grow

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Discover How It All Works

See How Abnormal AI Protects Humans

Related Posts

B Vendor Email Compromise Case Study Blog
See how a real vendor email compromise attack fooled multiple employees. Learn why VEC succeeds and how AI makes these threats more dangerous.
Read More
AI Innovation Using AI to Simplify Cover pptx
Explore how Abnormal's engineering team advances internal development with an AI-driven platform that standardizes infrastructure, reduces setup time, and enables both engineers and AI agents to build and deploy services more efficiently.
Read More
B Flux Panel Ecommerce Checkout Hijacking via Phishing
FluxPanel turns legitimate ecommerce checkouts into live data theft operations. Learn how this dark web tool works, the role phishing plays, and how to stop attacks at their source.
Read More
B Fin Serv Attack Trends Blog
Email attacks on financial services rose 25% year-over-year. Learn why FinServ is a top target and how threat actors exploit trust to deceive employees.
Read More
B Flask Phishing Kit
Learn how threat actors used Flask, a popular Python framework, to build a versatile phishing kit for evasive campaigns that bypass traditional defenses.
Read More
B-Trust Trap Social Engineering Blog
The psychology of the modern work environment has become a roadmap for attackers—and a blind spot for traditional email security.
Read More