A report released this week by Britain’s National Cyber Security Centre showed a 15-fold increase in the number of scams removed from the internet. It said the agency had taken more fraudulent sites offline in the past year than in the previous three years combined.
In the first quarter of this year, according to government statistics, almost 40 percent of businesses in Britain reported digital breaches or attacks, with an average cost for medium to large firms of around 13,400 pounds, or $18,800. And the cost of a serious breach can be far more daunting: One study conducted last year by the Ponemon Institute for IBM Security, which interviewed 524 organizations across 17 countries, found that data breaches in 2020 cost an organization on average $3.86 million.
Phishing has also been used by scammers attempting to swindle grandparents out of their savings, by intelligence agencies to gain information and diplomatic leverage, and by IT departments to see if employees are paying attention.
“A sufficiently well-designed phishing email will get clicked on 100 percent of the time,” said Steven J. Murdoch, a professor of security engineering at University College London, adding that all companies were vulnerable to phishing.
But testing employees with fake emails about bonuses was “entrapment,” he said, adding that it risked harming the relationship between companies and employees, which was crucial for security. Some attacks, for example, come from disgruntled employees, he said. “People responsible for fire safety don’t set fire to the building,” he said of the tests.
Rather than discouraging employees from clicking on any link, he said, more effective strategies could include blocking phishing emails, installing software to protect against ransomware, and addressing use of passwords.
Alienating employees also meant they could be less likely to report suspicious activity to their company departments, a crucial method of stopping attacks from becoming more serious, said Jessica Barker, a co-founder of Cygenta, a cybersecurity company.