Industry executives and experts share their predictions for 2021. Read them in this 13th annual VMblog.com series exclusive.
Phishing Is a Gateway to Modern Fraud in Today's Distributed Workplace. In 2021, It Will Take AI to Stop It.
By Patrick Harr, CEO, SlashNext
2021 is the year businesses will have to wake up to the massive, high-stakes threat of phishing. Most CISOs assume phishing is a corporate email problem and their current line of defense is adequate, but they are wrong.
Bad actors are highly intelligent, and they have access to sophisticated AI and ML tools to constantly come up with new ways to outsmart corporate defenses, both inside and outside the network perimeter. According to Gartner, 95% of all cyberattacks start with phishing.
Over the last 30 days, 10% of company users were phished, according to live data we compiled across more than 100 large and mid-sized enterprises. Every day, SlashNext Threat Labs detect 21,000 new phishing attacks, almost double the number of threats from a year ago, and SlashNext Threat Labs are seeing an alarming 50-75% of attacks getting past conventional phishing defenses to compromise enterprise networks.
So if you think your current defenses will keep you safe, think again. And in 2021, we anticipate this problem will get much, much worse.
Explosive Growth in Sophisticated Phishing Schemes
In 2021, we anticipate seeing explosive growth in the number and types of phishing attacks. Beyond the commonly understood phishing schemes perpetrated in corporate email, we're seeing a dramatic increase in attacks across business collaboration platforms including Zoom, Skype, Teams, Box, Dropbox, and Slack. Mobile devices are particularly vulnerable; our SlashNext Threat Labs have seen a 600% increase in SMishing attacks in 2020 over 2019. We're also starting to see an increase of mobile-specific attacks on social networking sites, and even in multi-player gaming platforms.
We're also seeing more sophisticated attacks. Beyond conventional credential stealing, in which email users are tricked into giving up their login credentials to a fraudulent site, we are seeing an increase in scareware scams, where phishers attempt to scare people into taking an action, such as sharing an infected SMS message; rogue software embedded in browser extensions; and social engineering schemes like the massive Twitter bitcoin scam that was perpetrated this summer by a teenager.
Attacks Are Personal
Phishing attacks are particularly effective because they prey on human logic and emotion. The more a bad actor knows about you, the more convincing the attack will be, and the more likely it will be effective. We have already seen regionalized attacks happening in the United States, China, and Russia. In 2021, we can expect phishing attacks to become more individualized and tailored with the help of AI.
Cybercriminals have access to cloud-based AI and ML tools and techniques they never had access to before, so they can spin up personalized attacks very quickly and very efficiently.
The Widening Attack Surface
The seismic shift to long-term remote working and near-universal BYOD is pushing CISOs to adopt perimeter-less defense strategies that protect corporate users working inside and outside the firewall.
The convergence of business and personal life on the same device makes protection particularly challenging. It's not uncommon for a corporate user to go from corporate email to Zoom to Facebook Messenger to Gmail and then back to Slack. With users opening and closing so many personal and business applications vulnerable to phishing threats, successful credential stealing and personal attacks can, unfortunately, become a backdoor to corporate data and exposure.
For instance, a successful credential-stealing attack can obtain passwords and then be used to enter the network to obtain critical data. Remote learning, and the inherent risks of corporate users sharing networks with children participating in remote learning and gaming, compound these risks.
Cybercriminals have a wider attack surface with less protected communication channels to exploit. As bad actors increase their use of supercomputing and artificial intelligence (AI)-based techniques, we anticipate a massive increase in phishing attacks focused on mobile and endpoint devices resulting in more corporate IP theft and monetary losses in 2021 than in 2020.
ML and AI-Based Phishing Defense is Paramount
Given the fast-growing, increasingly sophisticated threats, businesses can no longer rely on a human-only approach to security. In 2021, expect a massive migration from human-only forensics to AI forensics and machine learning, where 'machines fight machines', to protect users both inside and outside the network from attack.
About the Author
Patrick Harr is CEO of SlashNext. With more than 30 years of security and cloud industry experience, he directs a workforce of security professionals focused on protecting people and organizations from phishing anywhere. Prior to SlashNext, Harr was CEO of cloud file services provider Panzura, which he transformed into a software subscription company, grew ACV 400%, and led the organization to successful acquisition in 2020. He has held senior executive and GM positions at Hewlett-Packard Enterprise (HPE), VMware, BlueCoat (formerly CacheFlow), and was CEO of multiple security and storage start-ups, including Nirvanix (acquired by Oracle), Preventsys (acquired by McAfee), and Sanera (acquired by McDATA).