Last week, IRONSCALES published the research on image-based and QR code phishing attacks that they commissioned from Osterman Research. With the topic being top of mind across the email security market, we valued the opportunity to carry out a primary market research investigation of what organizations in the United States are actually seeing and experiencing from this new type of phishing threat. You can get a copy – without having to register for it – from the IRONSCALES web site.
There’s a lot of good data and vital recommendations in the white paper based on what we found from the survey. Get your copy from IRONSCALES and scan the key findings on page 2, and then dive into what is of most relevance to you. In this article, what I want to focus on is the eureka moment as we looked at the data.
Consider this finding from one of the questions in the survey: more than 70% of respondents self-assess their current email security stack as highly effective at detecting image-based and QR code phishing attacks. This is from IT managers, IT team leads, IT security managers, email security managers, email security administrators, etc. These are the men and women on the front lines that are deeply involved in securing their organization against traditional, new, and emerging phishing threats – such as image-based and QR code phishing attacks. While that means 30% are less than confident in the efficacy of their detection capability, 70% out of the gate is a pretty high benchmark.
But then juxtapose that finding with another one: only 5.5% of respondents said their current email security defenses were able to detect and block all image-based and QR code phishing attacks from reaching user inboxes. That means 94.5% had one or more of these new types of phishing attacks flow through their email defenses to an employee’s inbox, and based on that happening, 75.8% of organizations experienced a compromise of account credentials or exfiltration of sensitive information due to image-based or QR code phishing attacks over the previous 12 months. In comparison to the data point above, that’s quite a low benchmark of battle-tested reality. It could be the tale of the one that got through, but that doesn’t make logical sense if 75.8% of organizations experienced a compromise based on just one that slipped through. Many, many of these attacks must have made their way through to inboxes, and someone or someones at each organization got phished.
On that note, better cybersecurity awareness training and phishing simulations based on real-world examples of image-based and QR code phishing attacks was a highly ranked strategic intent across the organizations we surveyed. If attacks will get through, make sure employees know what to look out for. But equally / in parallel / it’s not one or the other, augmenting current email security defenses is just as essential. People plus tech work in combination; it’s not either/or.
We will be joining IRONSCALES for a webinar on April 11 to dive into the findings. There will be Q&A … so please register and attend to have your questions answered.
Leave a Reply