Fear of phishing: Attacks are more frequent and more sophisticated

Fear of phishing: Attacks are more frequent and more sophisticated

According to the study, nearly nine out of ten respondents (88 percent) express concern that their employees, customers and/or partners may be the target of such attacks. And this concern is justified, because in the past 12 months, each company has been attacked using phishing an average of 26 times.

Phishing is one of the most popular attack vectors used by cyber criminals today – no wonder, the effort is often less than with other cyber attacks, but the profit can be enormous. Business leaders are aware of this growing threat, but also know that they can and must do more to improve their security. That shows a new study by OpenText / Carbonite + Webroot in collaboration with IDG. dr Dieter Kehl, Director Sales DACH at OpenText / Carbonite + Webroot, knows that the employees in particular play a crucial role.

The pandemic increases the pressure

The fear of phishing is gripping European companies: In the new study by IDG and OpenText / Carbonite + Webroot, almost nine out of ten respondents (88 percent) expressed concern that their employees, customers and/or partners could be targeted by such attacks. And this concern is justified, because in the past 12 months, each company has been attacked using phishing an average of 26 times.

The COVID-19 pandemic is not to blame for this, three quarters of those surveyed (74 percent) have observed an increase in attacks since the beginning of the pandemic. However, just under half of the organizations (46 percent) report phishing attempts that are explicitly related to COVID-19. Instead, criminals are trying to take advantage of the general insecurity and the increasing number of digital tools and employees who can be more vulnerable to fraud when working from home.

There is a risk of high material and immaterial damage

The consequences of a successful attack can cause major damage to companies: more than a third of those surveyed (36 percent) have experienced downtimes that lasted longer than a day, and 34 percent had sensitive data accessible to the criminals. In addition, a quarter of the study participants (24 percent) reported a loss in sales and one in five (21 percent) reported damage to their customers’ reputations.

Phishing takes various forms, which means that employees face the challenge of recognizing these attempted attacks in good time. In the study, the following attacks are rated as particularly difficult:

    • Standardized non-targeted bulk mailing – the type of attack that most organizations are sure to have been affected by or suspect they have been affected by in the past 12 months (78 percent)
    • clone phishing Modifying an existing email to replace a legitimate attachment, link, or other element with a malicious one
    • pharming legitimate web traffic is redirected to a fake site
    • Malware Phishing – Users are tricked into clicking a link or downloading an attachment that contains malware
    • Search engine phishing Injecting fraudulent websites into the results of popular search engine terms using paid advertising

The focus of cyber criminals is primarily on employees who have access to sensitive and/or financial data: IT and finance departments (55 and 35 percent respectively) and top management such as CEOs or the board of directors (25 percent).

Effective protection needs people and technology

Corporate IT security teams are aware of this threat and are trying to do more to protect against phishing. That’s why they rely primarily on security training for employees, which according to almost all respondents (97 percent) is effective in defending against such attacks. Accordingly, 85 percent have already established mandatory training and a further 8 percent are planning to introduce it. Important here: Security training should take place regularly to keep awareness of cyber risks high and to draw attention to new attack patterns.

Technology is also used: a good two-thirds of those surveyed have implemented a backup tool (69 percent) in their company to be able to restore deleted or encrypted data, as well as endpoint security solutions (66 percent). Intelligent predictive software, on the other hand, is only used by 44 percent of the organizations, although the introduction of such solutions is planned in a further 44 percent of the companies.

“Attackers go where there is a lucrative opportunity. That explains why IT departments, executives and finance people are still the most common targets,” said Prentiss Donohue, EVP SMB/C Sales at OpenText. “While we strive to get as close to 100 percent as possible, it is unrealistic to expect that no employee will ever click malicious links or fall for increasingly sophisticated and deceptively real-world phishing emails. Therefore, it is imperative for organizations to employ a multi-layered approach to protect against the latest threats.”

More information on the study results is available in the IDG white paper sponsored by OpenText / Carbonite + Webroot.


The study was conducted by IDG Communications in October 2021. On behalf of OpenText / Carbonite + Webroot, a total of 300 IT decision-makers from companies with 25 – 999 employees worldwide, 100 of them from Europe (Germany, France, Great Britain), were interviewed anonymously in an online survey.

IT security: What companies should definitely do now Previous post IT security: What companies should definitely do now
Simulation-based Digital Twins - it-daily.net Next post Simulation-based Digital Twins