Phishing attacks targeting organisations rose up considerably during the pandemic, as millions of employees working from home became a prime target for cybercriminals. A large majority (83 per cent) of IT teams in India said the number of phishing emails targeting their employees increased during 2020, according to a report by UK-based cybersecurity firm Sophos on Monday.
“It can be tempting for organisations to see phishing attacks as a relatively low-level threat, but that underestimates their power. Phishing is often the first step in a complex, multi-stage attack.”
According to Sophos Rapid Response, attackers frequently use phishing emails to trick users into installing malware or sharing credentials that provide access to the corporate network,” Sophos’ Principal Research Scientist, Chester Wisniewski said in a statement.
The findings also reveal that there is a lack of common understanding about the definition of phishing. For instance, 67 per cent of IT teams in India associate phishing with emails that falsely claim to be from a legitimate organisation, and which are usually combined with a threat or request for information.
As many as 61 per cent consider Business Email Compromise (BEC) attacks to be phishing, and half of the respondents (50 per cent) think threadjacking – when attackers insert themselves into a legitimate email thread as part of an attack – is phishing.
Most of the organisations in India (98 per cent) have implemented cybersecurity awareness programmes to combat phishing. Respondents said they use computer-based training programmes (67 per cent), human-led training programmes (60 per cent), and phishing simulations (51 per cent).
Four-fifths of Indian organisations assess the impact of their awareness programme through the number of phishing-related tickets raised with IT, followed by the level of reporting of phishing emails by users (77 per cent) and click rates on phishing emails (60 per cent).
All the organisations surveyed (100 per cent) in Delhi, Hyderabad, and Kolkata say they have a cybersecurity awareness programme in place. This was followed by Chennai where 97 per cent have such programmes, and then, Bengaluru and Mumbai at 96 per cent each.