Revelations From CISA Proves Phishing is a Public Menace

Stu Sjouwerman
Founder and CEO   KnowBe4

A cyber threat that’s nearly three decades old continues to be the most prolific and potent form of cybercrime on the planet. Phishing attacks are growing in volume and sophistication. An estimated 255 million phishing attacks were observed in 2022, a 61% increase over 2021. There’s also a steep increase in spear-phishing attacks, smishing attacks, call-back phishing, and deepfake phishing. It’s scaling up as well, spreading beyond email tools to messaging apps, cloud-based file sharing platforms and text messaging service.

The Cybersecurity & Infrastructure Security Agency (CISA) released an interesting and informative infographic that outlines their phishing-related discoveries while conducting security assessments for federal and critical infrastructure providers. Below is a summary of their findings:

1. Phishers Use Crafty Subject Lines To Attract Attention

Cybercriminals pose as trusted individuals and reputed organizations to exploit human frailties  (like biases, impatience, greed and distraction) and lure victims, baiting them with clever subject lines that entice the user into clicking a malicious URL, downloading malicious attachments or responding to fraudulent messages. According to CISA research, the most successful subject lines are those that contain financial and security updates, organization-wide announcements, as well as user-targeted messages (such as training updates).

2. The Majority Of Organizations Fall Prey To Phishing

CISA security teams ran phishing simulations and discovered that in one of every 10 phishing emails, users either interacted with a malicious link or executed (opened) a malicious attachment. This proves that if a cybercriminal is really determined, they can easily cast a wide net, set up multiple hooks to increase their chances of success and persuade a victim (or victims) to accept the bait.

3. Cybersecurity Defenses Aren’t As Effective As We Think They Are

CISA discovered that 70% of emails that carried a malicious payload or links to malicious URLs were not being successfully blocked by network security defenses. In addition to this, 15% of emails with malicious URLs or attachments were not getting stopped by endpoint security solutions. This demonstrates that security solutions aren’t as foolproof as we would like to believe. Attackers only need one user to click, download, or reply to any undetected malicious email to successfully exploit or compromise organizational defenses.

4. Businesses Get A Narrow Window To Defend Against Phishing

CISA research revealed possibly the most alarming statistic — 84% of employees fall victim to phishing within just 10 minutes of receiving the phish. This proves that defenders get a very small window of opportunity to not only detect a phishing event, but also to respond by blocking the action and preventing it from spreading across the organization.

5. Only A Handful Of Employees Report Phishing

Phishing is one of the most common vectors for initial access. Cybercriminals exploit users to bypass technical controls and secure a foothold. Most security experts will agree that the best way organizations can detect such sophisticated attacks early — especially those that bypass security defenses — is if employees develop a habit of reporting phishing attempts or suspicious activity to security teams. Based on CISA findings, only 13% of employees report phishing, which considerably limits the organization’s ability to detect or respond to intrusions.

Best Practices That Help Prevent Phishing Attacks

A few best practices can reduce an organization’s susceptibility to phishing attacks including:

  • Develop Secure Behavior in Employees: Employees must be trained regularly on security awareness and best practices, and be coached on the latest phishing techniques so they remain vigilant and don’t easily fall prey to phishing scams.

  • Train Workers To Report Phishing Activity: Employees must be taught to report suspicious emails immediately and not forward them to anyone else in the organization. Supplying a “Phish Alert” button can help report suspicious emails to security teams instantly.

  • Reduce or Restrict Privileged Access: Avoid giving users blanket access to critical information and systems. Review and reduce the accounts with access to critical data, applications, or devices, and remove all non-essential privileges.

  • Deploy Phishing-Resistant Multi-factor Authentication (MFA):  Phishing-resistant MFA uses fingerprint readers, cameras and other hardware-level security checks, instead of SMS-based or push-based MFA that are increasingly vulnerable to phishing.

  • Enforce DMARC, SPF, DKIM: Use strong email security that enforces authentication standards like Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), since these can validate authenticity of a domain and prevent its unauthorized usage.

  • Leverage Threat Intelligence: CISA recommends organizations leverage threat intelligence feeds from security vendors, third-party experts, and internal sources (previous security incidents, telemetry from security devices and software) to proactively block known malicious domains, URLs, and IP addresses.
  • Patch Systems and Software Regularly: All systems and internet-accessible end user devices must be updated with the latest software and firmware regularly.

  • Continually Assess and Evaluate Phishing Defense Mechanisms: Conduct phishing simulation exercises to gauge the level of security maturity in the organization. Test defenses and incident response processes and be ready for any eventuality.


As cybersecurity defenses mature, phishing attacks will only intensify. This is because hackers always take the path of least resistance: hacking people instead of hacking complicated systems. It’s high time organizations realize this and invest in making their people, training, and processes more resilient to phishing scams and attacks.

Stu Sjouwerman

Tags: , , , , ,