Phishing Has Doubled US & UK Data Breaches (Plus Cyber Insurance Rates)

US & UK Data Breaches Are Exploding, Driving Up Cyber Insurance Rates

At the root of many damaging cybersecurity incidents, you’ll find phishing. In fact, 90% of incidents that end in a data breach start with a phishing email. Researchers at leading organizations have been sounding the alarm about phishing forever, but many organizations still fail to really take the threat seriously to their detriment. As phishing rates worldwide continue to climb, escalating risk for devastating cyberattacks like ransomware and business email compromise, there’s a new impetus for businesses to fight back against phishing.

Phishing Never Stops Evolving

While it may not seem like it on the surface, phishing is a complex hazard for businesses to navigate. One reason for that complexity is that phishing is a rapidly evolving area of cybercrime. The bad guys are always trotting out new scams. In fact, researchers at the University of Maryland estimate that cybercriminals launch a new cyberattack like phishing every 39 seconds. These statistics offer a starting point when considering the way that phishing impacts the business world right now.

Phishing Quick Hits

• 94% of malware is delivered by email.
• More than 80 % of reported security incidents are phishing-related
• 40% of phishing messages aren’t caught by conventional security or a SEG
• One-fifth of employees in a 2020 survey fell for phishing tricks and interacted with spurious emails
• 45% of employees click emails they consider to be suspicious “just in case it’s important.”

US & UK Data Breaches Are Up by Over 70%

Data breach numbers have been skyrocketing all over the world since the start of the global pandemic, and phishing is at the root of many of those breaches – an estimated 74% of organizations in the United States have fallen victim to a successful phishing attack that resulted in a data breach in the last 12 months. The US is the leader in phishing-related data breaches for 2021 so far, with rates 30% higher than the global average, and 14% higher than the same period in 2020.

But the US isn’t that far ahead, and the dramatic increase in phishing-related data breaches that are plaguing businesses isn’t just a US problem. In a recent UK survey of insider incident risk, researchers noted that 73% of the UK organizations that they surveyed have suffered at least one data breach caused by phishing attacks in the last year. Overall, researchers studying phishing found that 80% of IT professionals that they spoke to worldwide said that their organizations have faced an increase in the number of phishing attacks that they’re combatting in 2021.

US & UK Cyber Insurance Rates Are Also Climbing

The epic rise in phishing-related data breaches is also behind the serious rise in pricing for cyber insurance up by 56% in the US and 35% in the UK. Insurance industry experts point to ransomware as the cause of such steep increases. Ransomware cyber insurance claims worldwide clocked a 260% increase in 2020 as cybercriminals turned up the heat. Many insurers are placing restrictions on the coverage that companies can buy for phishing related disasters because of the frequency and severity of losses related to ransomware, including insurance giants like AXA have announced that they will no longer underwrite cyber insurance policies to reimburse companies for ransomware payments after cyber attacks.

What is Behind the Increase?

While there’s no single cause that can be isolated for the rise in phishing-related data breaches, three major factors have seriously influenced the phishing-related data breach landscape. The pandemic certainly set up the conditions under which phishing thrived last year. In a survey of executives, 90% said that their companies experienced an increase in cyberattacks due to the pandemic with 98% incurring significant security challenges including an increased volume of phishing messages within just the first two months. But that’s not the total story. Other contributors have also played a part.

Remote Work Has Created Too Much Opportunity for Cybercriminals to Resist

The rise of remote work has definitely been a factor in increased phishing. Email volume increased dramatically, and that increased opportunity for cybercriminals to conduct phishing scams. Google notched a more than 600% increase in phishing email at the start of the global pandemic and phishing remains at a high volume. Over half of IT leaders say that remote working during the pandemic increased data breaches caused by phishing, and that problem, doesn’t appear to be waning either. Google has registered 2,145,013 phishing sites as of Jan 17, 2021. This is up from 1,690,000 on Jan 19, 2020 (up 27% over 12 months).

• About 55% of remote workers use email as their primary form of communication.
• More than 40% of remote workers polled recently admitted that they’d made email handling errors that caused cybersecurity incidents.
• An estimated 50% of the IT leaders surveyed in a recent insider threat survey expect this trend to continue into the future.

Social Engineering Powered by Abundant Dark Web Data

Bad actors use all sorts of psychological tricks to lure their victims into the number one type of social engineering attack: phishing. These attacks are typically powered by abundant dark web data. About 60% of the data on the dark web at the beginning of 2020 could be used to harm businesses and more than 22 billion new records have been added including 103 GB in this year’s RockYou2021 dump. Socially engineered phishing attacks use that data to lure employees into opening dodgy emails, clicking suspicious links, handing over passwords, downloading sketchy attachments and engaging in other unsafe behaviors that can put your business at risk of damaging disasters.

• Socially engineered cyberattacks are just under 80% effective.
• Over 90% of successful data breaches are rooted in social engineering.
• More than 70% of IT professionals say they’ve experienced employees falling for a social engineering attack.

The Evolution and Weaponization of Ransomware

These days, every business is at risk of a ransomware attack, and the majority of those are delivered through phishing. Ransomware attacks can be especially sophisticated, often utilizing social engineering in order to lull targets into a false sense of security that encourages them to download a poisonous Office file (48% of malicious attachments in 2020 were office files) or provide a bad actor with their credentials under false pretenses – and giving the bad guys a golden opportunity to snatch data. Cybercriminals are especially interested in mounting attacks that enable them to use highly profitable double and triple extortion ransomware.

• 51% of businesses worldwide were negatively impacted by ransomware in 2020
• 65% of active cybercriminal gangs use phishing as their favored method of delivery for ransomware
• Two in five SMBs experienced a ransomware attack in 2020

How Can Businesses Reduce US & UK Data Breach Risk from Phishing?

With the world operating remotely during the pandemic lockdowns last year, email volume skyrocketed. An estimated 306.4 billion emails were sent and received each day in 2020, triple the average increase of past years. That figure is expected to continue to grow steadily as companies continue to grapple with the implications of the ongoing pandemic and virus variants that could lead to long-term remote work becoming the norm. If email volume continues to trend the way that experts expect, it is estimated to reach over 376.4 billion daily messages by 2025.

Unfortunately, businesses continue to be locked into remote operations in most of the world as the global pandemic enters a new phase, creating another round of opportunities that cybercriminals won’t want to miss. In this year’s ISACA State of Cybersecurity 2021 Survey, 35% of respondents reported that their enterprises are experiencing an increase in cyberattacks like phishing in 2021. That’s three percentage points higher than was recorded in that survey in 2020, a record-breaking year for phishing worldwide. That means that it is imperative for businesses to fight back against the rising tide of phishing by taking sensible precautions.