ABERDEEN PROVING GROUND, Md. — Phishing is one of the most pervasive and dangerous cyber threats, targeting both individuals and organizations. For National Cybersecurity Awareness Month, CECOM recognizes that identifying and reporting phishing attempts is more critical than ever as malicious actors aim to breach networks through human error. Timely detection and reporting are crucial to our nation’s defense against cyberattacks.
The growing threat: phishing in numbers
According to data from the Anti-Phishing Working Group, a non-profit identity theft prevention consortium, phishing accounts for 90% of cybersecurity breaches worldwide, with 1.2 million attacks in the first half of 2023, a 40% increase since 2022. The Cybersecurity and Infrastructure Security Agency reports that email phishing attempts have increased by 30% over the past two years because of the rise in remote work and the reliance on digital communications. In 2023 alone, organizations faced an estimated $17,700 loss per minute due to phishing-related cyberattacks.
IBM’s 2023 Cost of a Data Breach report found that phishing attacks have become the most common cause of data breaches, with an average breach costing an organization $4.91 million. According to Gen Digital Inc., a cybersecurity company, 94% of malware is delivered via email. For critical sectors like defense, such attacks compromise sensitive information and jeopardize national security.
Why reporting matters
Timely reporting of phishing attempts allows cybersecurity teams to neutralize threats before they escalate into more significant breaches. Yet, many phishing emails go unreported. According to the 2023 Verizon Data Breach Investigations Report, 85% of breaches involved human error, 36% of breaches were linked to phishing, 25% of employees opened phishing emails, and more than 11% clicked on malicious links, leaving their organizations vulnerable to malware or ransomware infiltration.
CISA’s Secure Our World initiative emphasizes that rapid incident reporting strengthens an organization’s defense by preventing attackers from gaining a foothold. CISA also warns that 60% of ransomware attacks originate from phishing emails, underscoring the importance of early detection, reporting, and deleting to block ransomware deployments before they spread across networks.
How phishing works and who it targets
Phishing attacks exploit human psychology, often using urgent language or fear tactics to deceive victims into sharing sensitive information. Attackers pose as trusted contacts, government agencies, or familiar businesses, tricking users into clicking links or downloading harmful attachments. These tactics can bypass automated defenses, making human vigilance the first line of protection.
Defense personnel are desirable targets, with attackers attempting to gather sensitive information or disrupt operations. Spear-phishing, targeted phishing tailored to specific individuals, is a common tactic cybercriminals use to infiltrate military systems and supply chains. Attackers pose as employees contacting a co-worker or affiliate, spoofing a legitimate email address and drawing on detailed knowledge of the organization's structure and personnel. It could be something simple, such as an employee seeking an update or change to their payroll or other sensitive information from a Gmail account. A best practice for DOD personnel is to trust only digitally signed and encrypted emails with verified credentials, like a DOD Common Access Card.
Types of phishing attacks:
· Email phishing: This is the most common form, in which attackers send emails that appear to be from trusted sources, like banks or colleagues.
· Spear phishing: Targeted phishing attempts aimed at specific individuals or organizations using personalized information to increase credibility.
· Whaling: A subset of spear phishing, targeting high-level executives or influential people in an organization.
· Smishing, or SMS phishing: Phishing attacks via text messages.
· Vishing, or voice phishing: Phishing attempts via phone calls, often pretending to be banks or tech support.
· Pharming: Redirecting users from legitimate websites to fraudulent ones without their knowledge.
These phishing tactics exploit different behaviors. People are naturally inclined to engage with someone over the phone, driven by social norms and personal interaction. In contrast, emails often feel less urgent, leading recipients to delay or ignore them. Phishing attacks leverage this difference. Vishing plays on the human need to respond in real-time, while email phishing relies on slipping through unnoticed amidst routine communication.
Implementing best practices
Recognizing phishing attempts is the first step in preventing them. These measures can safeguard against phishing attacks:
- Look for warning signs: Be cautious of emails with urgent language, strange requests, or unexpected attachments. Verify sender addresses carefully. Even a minor spelling error can indicate a phishing attempt. For example, a phishing attempt could use @welllsfargo.com instead of @wellsfargo.com.
- Use multi-factor authentication: Even if credentials are compromised, MFA provides a second layer of defense to prevent unauthorized access.
- Implement "zero trust" architecture: Adopt a zero-trust model for network security, which means that every user, inside or outside the network, must be authenticated and verified.
- Report or delete suspicious emails: Use built-in “report spam” functions or follow your organization's reporting procedures to include your security manager or cybersecurity service provider and delete the message. Reporting helps cybersecurity teams analyze patterns and block similar threats in real time.
- Pay attention to cybersecurity awareness training: Phishing tactics evolve quickly. Regular cybersecurity awareness training helps employees stay updated on the latest threats and avoid falling victim to social engineering tactics. Complete Cyber Awareness training, and seek out specific resources such as DoD Cyber Exchange Public Phishing Awareness.
Creating a culture of awareness
Fostering a culture of cyber vigilance is essential in maintaining security within military organizations. CISA’s guidelines stress that cybersecurity is everyone's responsibility, from leadership to new employees. Regular reminders and proactive communications about emerging phishing threats create an environment where employees feel comfortable reporting suspicious activities.
Secure our world against phishing
Recognizing and reporting phishing attempts is more than just a compliance exercise—it’s a critical step in securing systems that support national defense. CECOM advises you to stay alert and follow CISA’s best practices to minimize the risk of phishing attacks, protect sensitive data, and contribute to a safer cyber environment for all.
For more information about CISA’s Secure Our World initiative, visit CISA Secure Our World. For specific best practices and guidance regarding phishing prevention, visit CISA Phishing Guidance.