Why Is Phishing So Common & How to Protect Against It?

By Alex Popa, Cybersecurity Journalist | 22 November 2023

Fact-checked by Miklos Zoltan

Phishing is one of the most common cyberattacks in modern times, and also one of the most devious and insidious.

According to Techopedia, phishing accounts for 36% of all US data breaches, and around 83% of companies experience a phishing attack every year.

Moreover, there are roughly 1.35 million phishing sites around the world, and the number keeps growing.

Here’s why phishing is so common today:

  • It’s based on social engineering and human psychology, which are incredibly effective at deceiving people, and humans are naturally vulnerable to them
  • Its main attack vector is email, which almost everyone uses daily
  • It doesn’t require advanced technical skills to pull off
  • It has fewer moving parts than other attacks, so less can go wrong for the attacker
  • It allows for targeted or widespread attacks
  • It comes in several variants, depending on the attack surface and attack vectors
  • Victims lack cybersecurity awareness
  • Organizations still have lackluster cybersecurity protections in place
  • Phishing-as-a-Service is cheap and becoming more popular
  • Cybercriminals are well-funded and keep getting better at launching phishing attacks
  • The emergence of remote-work culture

I’ll get into each of these reasons below, provide more details, and explain what can be done to avoid them.

So, let’s begin!

11 Reasons Why Phishing Has Become So Common

1. Social Engineering & Human Psychology

Image showing a room full of hackers surrounded by digital code

The defining elements of phishing attacks are social engineering and human psychology. Without them, few people would fall for these attacks.

Here’s how this works:

  • The hacker constructs a believable email impersonating a legitimate party, say a company you’re a customer of
  • They send the email to you
  • Inside the email, the hacker explains that there’s been suspicious activity in your account and you need to change your credentials
  • The hacker provides a link you can click to change your credentials
  • You click the link
  • You get redirected to a website that looks very similar to the authentic one
  • You get tricked because you don’t expect a con, so you don’t pay attention to the finer details of the site
  • The hacker harvests the credentials you type in

This is social engineering 101, where a threat actor subtly manipulates you to surrender your private data to them.

The hacker will try to influence your perception and make you believe that they’re a legitimate party who wants to help you.

Manipulation and persuasion are the name of the game here.

Four social-engineering elements are always involved in phishing:

  • Assumed Legitimacy

This is where the hacker takes on the disguise of a well-known, respected, and legitimate company that you trust.

They know you trust that company unconsciously and you’re vulnerable to being tricked as a result.

You’ll also be less suspicious of any communication that appears to come from a legitimate company, so you’ll pay less attention overall.

  • The Hook

There’s always a hook in a phishing email, a reason to get you to click the malicious link.

The hook can be anything from suspicious activity in your account to a change in the Privacy Policy, a new product or service being launched, and so on.

The hook exists to catch your interest and trigger urgency, fear, curiosity, or a sense of familiarity.

  • The Solution

Once the hacker has presented you with the problem (or product), they will provide a “solution” to that problem in the form of a link.

If they’re using the “suspicious activity in your account” pretense, they’ll provide you with a link to “change your credentials”.

If they claim that there’s been a modification with the Privacy Policy, they’ll offer a link to “verify the changes and confirm them”.

  • The Psychological Factor

After you click on the link, you’ll be redirected to a website that’s designed to look as close as possible to the actual thing.

There will almost always be things out of place, images that don’t load, a mismatched button, grammar mistakes, and so on.

But you won’t notice them. You almost never do.

That’s because you don’t expect to be tricked. Human psychology is easily exploitable and predictable.

When you’re familiar with something, you feel safe and secure. You drop your guard, your awareness diminishes, and you don’t pay as much attention to it. That’s because you’re not expecting an attack.

And that’s exactly what hackers exploit, your expectation that you’re not in any danger because of the familiarity with a company.

That’s the number one vulnerability that makes phishing so successful and common these days.

The rationale goes something like “I’ve used this site for the last three years, and nothing bad has ever happened. This time shouldn’t be any different.”

2. Common Attack Vector

Image showing digital landscape with email icons floating around

Phishing attacks are mainly delivered through email, one of the most common and familiar forms of communication today.

This is important for two reasons:

  • More targets means a higher chance that someone becomes a victim
  • Email reaches everyone, including users with little to no cybersecurity awareness

Combining these two factors, we get the golden goose of phishing attacks: a large attack surface and targets who are easy to deceive.

Plus, emails are very familiar. You receive dozens, or more, per week, so you’re used to seeing them in your inbox.

Especially when one comes from a legitimate-looking company and is addressed to you by name. Even more so if it appears to be from your bank.

3. Easy to Pull Off

Image of a hooded hacker sitting at a table with four computers on it, surrounded by digital code

Phishing is one of the simplest cyberattacks a hacker can launch. It requires almost no technical skill at all.

Here’s how it would work:

  • The hacker buys a ready-to-go malware or phishing kit
  • They construct a believable email through social engineering
  • They attach the malware to the email or link to it
  • The victim opens the attachment or clicks the link, and the hacker now has a foothold on their device

It’s that easy, as long as the attacker doesn’t want to go as far as cloning an entire website.

In many cases, they don’t have to, because most users are fooled by the email alone.

In fact, a phishing attack can rely 100% on social engineering and zero technical skill.

Many hackers don’t even use a malicious link or attachment. All they do is talk to you and convince you to disclose your personal information by email.

Others may even talk to you on the phone to sell the deceit better. According to Security Intelligence, when the hacker also offers to talk on the phone to reassure the target, the click rate on malicious links rises to 53.2%, from 17.8% when the hacker only sends an email.

People might become suspicious about an email but when they hear a friendly voice warning them about something, they suddenly turn soft and start believing.

It’s much harder to dismiss a more direct confrontation when it comes to these things.

4. Fewer Complications

Image showing a red digital landscape

Phishing attacks don’t have many moving parts, unlike more complicated attacks.

There’s an email and an attachment or a link, and perhaps someone who can talk on the phone, but that’s not a necessity.

This means that not much can go wrong. Either the victim falls for the email and clicks the link or opens the attachment, or they don’t.

Hackers don’t have to juggle multiple attack vectors simultaneously, break into any systems, or evade security mechanisms.

They don’t have to find vulnerabilities or carefully infiltrate a database.

So there isn’t much to discourage a hacker from attempting a phishing attack. Anyone can try it because it takes little time, little skill, and little can go wrong.

It’s also hard to track down the person behind a phishing attack.

If they cover their tracks even minimally, attribution is rarely practical. A throwaway email address is all you need to start phishing people online.

5. Targeted or Widespread Attacks

Image of a black and red digital landscape with multiple red icons

One of the major advantages of phishing attacks is that they can target specific individuals or groups, but can also be sent out broadly.

Spear phishing is a highly targeted type of phishing attack aimed at a specific individual’s device, or at a limited group of people.

For instance, a hacker may target the CFO of a company with a spear phishing email in order to obtain banking information, credentials, and other data that could give the hacker control of the company’s assets.

Spear phishing is notorious for causing some of the biggest data breaches in history.

On the other hand, widespread phishing attacks are sent indiscriminately, without targeting a specific person or group.

These may pose as promotional emails, banking notifications, scam offers, and so on. The hacker simply swaps in each recipient’s address and sends the same email over and over again.

This flexibility between targeted and widespread use makes phishing extremely attractive to hackers.

6. Versatile Attack Vectors

An image showing a red skull being connected to multiple points by red lines

Beyond the classic email, phishing comes in several forms, including:

  • Spear phishing
  • Whale phishing (whaling)
  • SMS phishing (smishing)
  • Voice phishing (vishing)

Spear phishing and whaling are both targeted types of phishing attacks where the hacker knows exactly who they’re attacking and why; whaling goes after executives.

SMS phishing happens via text messages, and voice phishing happens via voice mails or phone calls.

If you’ve heard about the Colonial Pipeline ransomware attack of May 2021, it cost the company $4.4 million in paid ransom. Contrary to what is often repeated, the attackers didn’t get in through a phishing email but through a leaked password for a VPN account that was no longer in use yet still enabled, and that had no multi-factor authentication. The lesson is the same, though: stolen credentials, however they’re obtained, are enough to open the door, and phishing is the cheapest way to obtain them.

Phishing attacks can also deliver entirely different attacks (like ransomware) that then spread through other vectors.

This makes phishing both a threat and a threat carrier, and its versatility is matched only by malware itself.

There are as many methods to phishing attacks as there are persuasion and intimidation tactics in one’s vocabulary.

Social engineering allows for near-infinite attack patterns, depending on who the target is, which services they’re using, their gender, location, name, and so on.

Phishing takes all of these elements into account and delivers targeted or general attacks meant to steal data.

7. Lack of Cybersecurity Awareness

Person standing in a chaotic digital landscape with bits of data flying around aimlessly

The lack of cybersecurity awareness is one of the top reasons why phishing is so effective at stealing data.

Individuals and corporate employees alike are oblivious to the actual risks of their online activities, the attack vectors, and the prevention methods.

They’ve barely heard of phishing attacks, and they don’t know how they work, what makes them dangerous, or how to avoid them.

Phishing works because people are uneducated in cybersecurity. In recent years, threat actors have shifted their phishing attacks from lone individuals to company employees.

Employee negligence is in fact the number one contributing factor to data breaches resulting from phishing attacks.

A Statista survey shows that the most common employee mistake leading to data breaches in 2022 was poor password hygiene.

Here’s the entire data chart:

Reason for data breach                                  Share of respondents
Poor password hygiene                                   80%
Misuse of personal email                                78%
Oversharing of info on social media                     77%
Careless or inappropriate use of smartphones            75%
Careless or inappropriate use of collaboration tools    75%

Other common causes of data breaches are the misuse of personal email and the oversharing of info on social media.

These are all mistakes done by people oblivious to the risks they’re facing when going online.

Cybersecurity awareness is severely lacking, and it shows.

Here’s another Statista chart showing the most common obstacles to preventing and responding to email phishing attacks in organizations worldwide, as of December 2022:

Obstacle                            Share of organizations
Lack of automation                  38%
Lack of predictability              34%
Lack of knowledge among staff       33%
Lack of proper security tools       32%
Lack of visibility                  31%
Lack of personnel                   29%
Lack of time                        29%
Lack of budget                      28%

The lack of cybersecurity knowledge among staff members is the third-biggest reason for why organizations can’t prevent and respond adequately to email phishing attacks.

A lack of security tools comes immediately after, which is also worrying and also another point on this list.

8. Lackluster Cybersecurity Protection

Image showing a broken and shattered digital shield

Organizations aren’t doing nearly enough to prevent or stop phishing attacks. Even with cyberattacks multiplying in recent years, they’re behind on cybersecurity.

This lenience in cybersecurity protection manifests across several layers:

  • Insufficient backup processes, where organizations don’t set up enough backups to restore data lost after a ransomware attack
  • Lack of user testing, where organizations have no idea which users are most vulnerable to attacks
  • Poor security solutions, where the organization implements quicker and weaker protections and ignores more comprehensive ones like network segmentation, the zero-trust principle, and so on
  • BYOD (bring-your-own-device) negligence, where employees bring their own devices to work without any check for vulnerabilities or malware. Malware on such a device can reach the network within minutes of it connecting
  • Insufficient cybersecurity budget, where organizations simply don’t allocate enough money to protection. Even with the rise of cybercrime-as-a-service, organizations still aren’t increasing their cybersecurity spending
  • Lack of understanding of the benefits of cybersecurity practices, where organizations have no idea why certain practices would protect them from cyberattacks, so they don’t implement them

Large-scale companies are getting around to improving their cybersecurity practices because they have no choice.

The data housed in their databases is too important, and losing it in a data breach could spell disaster for them.

But small and mid-sized companies are still out of touch with the reality of cybercrime and lack cybersecurity awareness.

9. Phishing-as-a-Service Is Cheap

Image showing a hooded hacker using a computer to launch an attack

There’s no doubt that the popularity of phishing has increased significantly since the emergence of cybercrime-as-a-service.

Phishing-as-a-Service provides easy-to-use phishing kits that anyone can buy from the black market and use at their discretion.

It completely trivializes cyberattacks because all you need is money and a computer connected to the internet.

That’s all you need to launch a phishing attack in as little as a few hours. Many black-market vendors sell you detailed instructions, email templates, and other tools to help you launch the phishing attack on anyone.

Cyberattacks have become much more accessible, as a result. Anyone can carry them out, at any time, with malware they bought minutes ago on the black market.

Plus, Phishing-as-a-Service is cheap and affordable to almost anyone. Amateur cyber criminals are flooding the internet nowadays.

Ransomware attacks have exploded in numbers, with phishing attacks coming in close behind.

10. Cybercriminals Are Well-Funded

Image showing a hooded and masked hacker with stacks of money nearby

Engaging in cybercrime requires resources, money being the most important. Some attack types are more expensive than others.

Phishing is in the middle of the pack, with a relatively accessible resource requirement. However, money wouldn’t be a problem either, since cybercriminals are pretty well off.

Due to having a lot of funds, cybercriminals can expand their phishing attack surface and learn new skills.

Here’s how money can help them:

  • They can launch more attacks more often
  • They can acquire more complex phishing tools
  • They can increase the authenticity of the phishing messages
  • They can increase the complexity of their phishing campaigns
  • They can buy information about the victim from the black market

With all this, phishing attacks have become more threatening and more common. We’ve already seen an increase in phishing attacks in 2022 compared to 2021.

According to Trend Micro, 92% of all organizations in the US have fallen prey to phishing attacks in 2022. There’s been a 29% increase in phishing attacks since 2021.

Furthermore, the more phishing attacks a hacker can launch, the more money they’re likely to make because there will be more victims.

By funneling their gains back into their phishing tactics, they’ll make even more money, which is again funneled in their illegal schemes.

There’s also the fact that cybercriminals are no longer lone wolves. They tend to gather together and form groups, which lets them launch attacks more effectively and make more money faster.

11. Emergence of Remote-Work Culture

Image showing a man sitting at a desk working on a computer, with a digital landscape in front of him

Ever since the COVID-19 pandemic, remote work has become the norm. Even now, after the restrictions have been lifted, we still haven’t fully returned to normal work.

While this made work more comfortable, it also made it more difficult for companies to enforce proper cybersecurity practices.

Many employees worked from personal devices, over home networks the company doesn’t control, and paid less attention to their online activities.

Phishing attacks skyrocketed as a result, with them being more successful than ever before.

This isn’t likely to change unless companies either bring employees back to the office or extend their security controls to remote workers: managed devices, multi-factor authentication, and the zero-trust approach mentioned earlier.

Either way, it becomes easier to ensure that these controls are applied consistently and verified through regular checks.

How to Protect Against Phishing Attacks

Image showing a shielded castle in a red environment

Phishing is a very slippery enemy because it can take many forms, and it relies on social engineering, which is hard to deal with.

It uses your trust to deceive and manipulate you into disclosing your personal data. But it’s not impossible to fight against it.

Here are a few steps in the right direction:

  • Become aware of how phishing operates

The first step is knowing what you’re dealing with. You need to learn what forms phishing can take, how it looks, what it can do, and how to identify it without a shred of doubt.

If you do, you’ll be able to tell a legitimate email from a fake one.

The most common phishing tactic is via emails that try to trick you into clicking a link or opening an attachment.

  • Never assume the authenticity of any communication you receive

Any channel can be hijacked or used against you. Unless the message comes from someone you know well, over a channel you trust, assume the worst.

Especially if it’s an email from a company that you don’t communicate often with.

Does the topic of the email look fishy to you? Does it make you want to take an impulsive action in desperation? Then it’s likely a phishing scam.

Many emails will tell you that suspicious activity has been detected in your account and that you should change your credentials. They’ll also offer you a link to do that. A malicious link. Don’t click it.

  • Look for the signs

I’ve come across many phishing emails in my time online, and nearly all of them had grammar mistakes, spelling mistakes, or text that didn’t sound natural.

Look for that “off” feeling you get when you read the text. If it doesn’t come across as natural, it’s likely a scam. The reverse isn’t true, though: targeted phishing and messages written with AI tools can be flawless, so clean prose proves nothing on its own.

Look for attachments. Be especially wary of unexpected ones: Office documents that ask you to enable macros, HTML files, archives, or a “PDF” that turns out to be an executable. Most companies won’t send you unsolicited attachments, so an unexpected one is a warning sign by itself.

Then there’s the link you’re told to click. In most cases it’s a hyperlink, so you won’t see the URL at first.

Hover over the link (most mail clients show the destination in the status bar), or right-click it, copy the link address, and paste it into a text editor like Notepad to see how it really looks.

Does it look off? Is it an unknown address that doesn’t lead to any site you recognize? Then it’s likely a scam attempt and you should ignore it.

If it looks like a link from a company you recognize, open that company’s site yourself (from a bookmark or a search engine, never from the email) and compare the homepage address to the one in the email. Pay attention to the hostname, the part between “https://” and the first “/”: it must end in the company’s real domain. A host like “examplebank.com.secure-login.example” belongs to “secure-login.example”, not to the bank.

If it has a few extra letters, a swapped character, or a different ending, you’re dealing with a phishing site on a lookalike domain, what the industry calls website spoofing or typosquatting.

  • Verify the authenticity of the email

If the email claims to come from your bank, contact the bank directly (by phone, using the number on your card or their official site, or via the contact form on their site) and ask about the email you received. Don’t use any phone number or link from the email itself.

You can also compare the sender’s address with the one published on the company’s website. Are they the same?

If not, think twice before providing any personal information or opening any links from the email. It’s most likely fake. Keep in mind that the visible From address can be forged, so a matching address isn’t proof either; the SPF, DKIM and DMARC checks your mail provider performs on arrival are what actually verify the sender.
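Because the From address is just text the sender typed, the reliable signals live in the headers your own mail server adds when the message arrives. The following added example (mine, not the article’s) parses a raw message with Python’s standard email module, compares the From domain with the Return-Path (bounce) domain, and reads the SPF, DKIM and DMARC verdicts from the Authentication-Results header, ignoring any such header that wasn’t written by your own server, since a sender can insert a fake one. TRUSTED_AUTHSERV_ID and both sample messages (the bank domain, the mailer-7731.example bounce domain, the addresses) are constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Identifier your own inbound mail server writes at the start of its
# Authentication-Results header (assumption; view the raw source of a real
# message in your inbox to find yours). Headers with any other id could have
# been added by the sender and are ignored.
TRUSTED_AUTHSERV_ID = "mx.example.net"

# Constructed sample 1: From shows the bank, but the bounce address is another
# domain and DKIM/DMARC failed. mailer-7731.example is made up.
SUSPICIOUS_EMAIL = """\
Return-Path: <bounce@mailer-7731.example>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mailer-7731.example;
 dkim=fail header.d=examplebank.com;
 dmarc=fail header.from=examplebank.com
From: "Example Bank Security" <alerts@examplebank.com>
To: you@example.net
Subject: Suspicious activity detected on your account
Content-Type: text/plain; charset="utf-8"

We detected unusual activity. Verify your account immediately.
"""

# Constructed sample 2: what a genuine notification from the same bank looks like.
LEGIT_EMAIL = """\
Return-Path: <alerts@examplebank.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=examplebank.com;
 dkim=pass header.d=examplebank.com;
 dmarc=pass header.from=examplebank.com
From: "Example Bank" <alerts@examplebank.com>
To: you@example.net
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement is available in online banking.
"""


def domain_of(header_value):
    """'"Name" <user@host>' -> 'host' (lower-cased, '' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers
    written by our own server (the first token is the authserv-id)."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id = header.strip().split(";", 1)[0].strip()
        if authserv_id != TRUSTED_AUTHSERV_ID:
            continue  # possibly injected by the sender; not trustworthy
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header):
            verdicts[m.group(1)] = m.group(2).lower()
    return verdicts


def assess_sender(raw_message):
    """Return sender domains, verdicts and a list of findings for a raw message.
    An empty 'findings' list means nothing about the sender looked wrong."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    bounce_domain = domain_of(msg.get("Return-Path"))
    verdicts = auth_results(msg)
    findings = []

    if not from_domain:
        findings.append("no From address")
    if bounce_domain and bounce_domain != from_domain:
        findings.append(f"Return-Path domain {bounce_domain!r} differs from From domain {from_domain!r}")
    if not verdicts:
        findings.append("no trusted Authentication-Results header; sender was not verified")
    for mech in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(mech)
        if verdicts and verdict != "pass":
            findings.append(f"{mech} verdict is {verdict or 'missing'}, not pass")

    return {"from_domain": from_domain, "bounce_domain": bounce_domain,
            "verdicts": verdicts, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("legit", LEGIT_EMAIL)):
        result = assess_sender(raw)
        print(f"[{label}] From={result['from_domain']} Return-Path={result['bounce_domain']} {result['verdicts']}")
        for finding in result["findings"]:
            print("    - " + finding)
```

Most mail clients expose the raw message (“Show original” or “View source”); save it to a file and pass its contents to assess_sender(). A dmarc=pass from your own server is the strongest signal. A mismatch between From and Return-Path on its own is common for legitimate bulk mail sent through a third-party provider, so treat it as a prompt to look closer rather than as proof.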

  • Install an antimalware service

Antimalware tools automatically block known malicious websites and warn you when you try to access them.

They protect you in the background and keep your device safer even if you’re not that careful. They rely on blocklists, though, so a phishing site registered an hour ago may not be on them yet.

I recommend a premium antimalware service like Norton, but free ones are better than nothing. Whatever you install, also turn on multi-factor authentication for your important accounts (bank, email), so that a password harvested by a phishing page isn’t enough on its own.

Conclusion

Phishing has become so common for a variety of reasons. It’s not only cheap, accessible, and easy to launch a phishing attack, but the victims are also very vulnerable and easy to deceive.

Both individuals and companies are ill-equipped to deal with cyberattacks, and social engineering excels at manipulation and deceit.

Protecting yourself against it is not difficult but it takes a proactive attitude and cybersecurity awareness.

You need to know the what, when, how, and why of phishing attacks, even at a basic level.

Cybersecurity starts with knowing who your enemy is. Stay tuned to PrivacyAffairs for more cybersecurity content!

Sources

Techopedia: 50+ Phishing Statistics You Need to Know – Where, Who & What Is Targeted
Privacy Affairs: The Art of Cyber Deception: Social Engineering in Cybersecurity
Security Intelligence: Why Phishing Is Still the Top Attack Method
TechTarget: Colonial Pipeline Hack Explained: Everything You Need to Know
Statista: Common Mistakes by Employees Contributing to Cyber Incidents Worldwide as of November 2022
Statista: Attendance of Cyber Security Training by Working Adults Worldwide in 2022, by Type
IT Governance: Hook, Line, and Sinker: 6 Compelling Reasons Behind Our Predisposition to Phishing Attacks
Privacy Affairs: Cybersecurity Deep Dive: What Is BYOD & 9 Security Risks
Privacy Affairs: Cybersecurity Deep Dive: What Is Cybercrime-as-a-Service?
Trend Micro: Worldwide 2022 Email Phishing Statistics and Examples
