IT teams in India struggle to understand phishing attacks

Organisations across the world are increasingly finding themselves targeted by phishing emails. But what exactly is phishing? The answer, according to a new survey conducted by cybersecurity company Sophos, even escapes IT professionals responsible for cybersecurity, given the complex nature of such attacks.  

About 83% of IT teams in Indian organisations said the number of phishing emails targeting their employees increased during 2020, according to the findings of a global survey titled ‘Phishing Insights 2021. 

Some 67% of IT teams in India associate phishing with emails that falsely claim to be from a legitimate organization, and which are usually combined with a threat or request for information. 61% consider Business Email Compromise (BEC) attacks to be phishing, and half of the respondents (50%) think threadjacking – when attackers insert themselves into a legitimate email thread as part of an attack – is phishing.

“Phishing has been around for over 25 years and remains an effective cyberattack technique. One of the reasons for its success is its ability to continuously evolve and diversify, tailoring attacks to topical issues or concerns, such as the pandemic, and playing on human emotions and trust,” said Chester Wisniewski, principal research scientist at Sophos.

“It can be tempting for organisations to see phishing attacks as a relatively low-level threat, but that underestimates their power. Phishing is often the first step in a complex, multi-stage attack. According to Sophos Rapid Response, attackers frequently use phishing emails to trick users into installing malware or sharing credentials that provide access to the corporate network,” added Wisniewski.  

Read: Sophos unveils four new areas of cybersecurity datasets, tools for enterprises

The good news is that most organisations in India (98%) have implemented cybersecurity awareness programs to combat phishing. Respondents said they use computer-based training programs (67%), human-led training programs (60%), and phishing simulations (51%). 

The survey also showed that four-fifths of Indian organisations assess the impact of their awareness program through the number of phishing-related tickets raised with IT, followed by the level of reporting of phishing emails by users (77%) and click rates on phishing emails (60%). 

All the organisations surveyed (100%) in Delhi, Hyderabad, and Kolkata said they have cybersecurity awareness programs in place. This was followed by Chennai where 97% have such programs, and then Bengaluru and Mumbai stood at 96% each. 

The report was based on data from 5,400 IT decision-makers in mid-sized (100-5,000 employee) organisations across 30 countries. About 300 respondents from India participated. The survey was conducted in January and February 2021.