Phishing remains top threat to businesses, IBM says

First published on

Dive Brief:

• Phishing remained the top initial access vector for security incidents last year with more than 2 in 5 of all incidents involving phishing as the pathway to compromise, IBM research found.
• Three in 5 of all phishing attacks were conducted through attachments last year, according to IBM Security X-Force’s annual threat intelligence report released Wednesday. Phishing via links accounted for one-third of all phishing attacks. 
• One-quarter of attacks involved the exploitation of public-facing applications and 16% abused valid accounts for access. Just 1 in 10 involved external remote services. 

Dive Insight:

The consistent ranking of phishing as the most prevalent initial access vector underscores the need for organizations to focus on people, process and technology, according to Stephanie Carruthers, global head of innovation delivery and chief people hacker at IBM Security X-Force Red.

Phishing has enjoyed longstanding success as an initial access vector and attackers are constantly innovating their approach to keep phishing alive and thriving, Carruthers said.

“It only takes one person to click that link that could lead to a major compromise,” Carruthers said via email. “And it works because it’s simple and plays on human emotions. That’s a trifecta right there and that’s what’s providing staying power.”

The latest phishing tactics need to be shared with employees so they know what to look out for, such as phishing emails that are getting harder to spot.

Thread hijacking, which involves a threat actor hijacking an email account and responding to email threads pretending to be the original victim, doubled in 2022.

“What makes thread hijacking so dangerous is that attackers are hitting people when their defense is down, after that first level of trust has already been established,” Carruthers said.

The research highlights trends and points of compromise that played out in some of the most high-profile incidents of 2022.

Incidents involving identity access managers, such as Okta and Twilio, impacted many potential downstream victims and in one case they were intertwined when a phishing attack against Twilio exposed one-time passwords of multiple Okta customers.

The majority of penetration tests IBM Security X-Force Red ran for clients in 2022 revealed improper authentication or handling of credentials. Many organizations lacked visibility into applications and endpoints exposed through identity access management services, the report found.

The report is based on research data IBM Security X-Force gathered in incident response engagements throughout 2022, in addition to vulnerability and exploit databases and network and endpoint tracking.