Although it’s important to be optimistic for 2022, it’s tough to deny that the major obstacles the world has faced since the outbreak are still present. In a world where an ever-increasing percentage of the workforce is transitioning to working from home (WFH), leaving enterprises more vulnerable than ever to a wide range of attacks, cybersecurity remains one of the top global targets for cybercriminals.

Naturally, certain dangers are more concerning than others. Phishing is the most damaging attack for those who use email (which is an incredible four billion of us every day). According to CISCO’s 2021 cybersecurity threat trends study, 86 percent of firms had at least one person click a phishing link last year. Furthermore, the stakes are rising: the average cost of a data breach increased to $4.24 million in 2021, up from $3.86 million in 2020. And there’s little reason to expect that these figures will fall any time soon.

This raises the question of why this is the case. Why haven’t companies become accustomed to and prepared for these kinds of attacks? Why are hackers able to steal more data and money every year using a strategy that appears to be outdated?

We’ll try to answer some of these questions in this blog.

Phishing has gotten more targeted.

Regardless of how many cybersecurity layers your business covers (or tries to cover), the bottom line — and the largest risk — is always the human aspect. Before adopting security procedures, achieving different technical compliances, or installing various defensive software, the first step toward safety should be cybersecurity awareness training provided to all employees, regardless of position within the organization.

Untrained employees are the easiest prey for targeted phishing, also known as sophisticated spear phishing. While responding quickly to an email that appears to originate from a reputable source, such as a vendor, the financial department, or even your company’s CEO, may seem like a no-brainer to most, it may have disastrous implications if done without sufficient caution.

The illusion of trust is used to target data in spear phishing attacks. As a result, employees must learn to be suspicious of demands for a rapid financial transaction, an e-signature, or any other sensitive information that hackers may find valuable. Phishing emails may even include their name, work title, or any information that can be obtained casually on social media—all while being formatted like a genuine professional (or casual) email with no obvious red flags.

These emails frequently contain a link somewhere in the body—and how many times do we ponder before clicking on an email link? Not nearly enough, it appears. According to a FireEye analysis from 2021, spear phishing emails had a 70% open rate, with 50% of recipients clicking on included links (which is ten times the rate for basic, mass phishing).

It is evident that unless companies stand up and push for change, things will continue to deteriorate. Email will continue to be a primary target of more sophisticated attacks in 2022, requiring businesses to take basic security measures more seriously than ever before.

Phishing clones

As if sophisticated spear phishing wasn’t awful enough, thieves have created a new danger that may fool even the most vigilant users: Clone phishing

Consider receiving a valid email with a link, then receiving an updated version of the same email a short time later. It might be anything—an invitation, a customer list, or a refund notice—the body of the email remains mostly unchanged, with only the links “updated.” Who would suspect evil intent there?

Cybercriminals use clone phishing to reproduce a real email that they have intercepted and replace the genuine links with malicious ones, which generally results in malware installation. In the aftermath, not just the receiver but also their whole contact list is in danger.

Naturally, this form of assault is particularly cruel because it is based on the original email’s and sender’s legitimacy. It is recommended that users use extreme caution when receiving emails containing:

  • Subject lines implying a time-sensitive issue (for example, “Hurry”, “before it’s too late”, “expires on”)
  • Emails that highlight the importance of the recipient accessing a link or a file
  • Invitations to events or the collection of rewards or promotions, particularly if the email is re-sent

The most common types of malicious content and stolen data.

As previously stated, phishing emails typically include attachments and/or links that entice recipients to click on them. According to a 2021 Tessian survey, PDFs are the most commonly used malicious attachments. This might be explained by the fact that PDF is a trusted and well-known format—it can also be used to hide malicious links, run JavaScript, generate bogus invoices, and so on.

According to the same source, there was an increase in malicious PDFs and Microsoft Office files as a result of the shift to remote work following the pandemic’s outbreak. However, as individuals begin to return to work and become accustomed to the phishing storm that has touched many industries, attachments are becoming a less efficient tool to steal data. In fact, in 2021, 76 percent of malicious emails did not include an attachment. The fewer the symptoms, the less likely it is that the problem will be detected (in time, that is).

Successful assaults are designed to steal as much private, sensitive, and business-critical data as possible. For thieves, stealing data is similar to completing a puzzle with various valuable parts. The following are the top three categories of data currently targeted by phishing attacks:

  • Qualifications (passwords, PINs, account names, etc.)
  • Personal information (full name, email and home addresses, etc.)
  • Medical knowledge

Credential theft is head and shoulders above the competition. According to Verizon’s 2021 DBIR report, SMBs were susceptible to 47 percent of data breaches (1,037 incidents, 263 with verified data disclosure)—credentials account for nearly half of the data stolen (44 percent ). In a world where at least 60% of business-related passwords fail to fulfill baseline security requirements, these figures spell calamity.

How can you keep safe?

We live in a hazardous world, but it should not make us despair. There are tried-and-true methods for staying on top of phishing attacks, no matter how complicated they are. So, let me quickly summarize them:

1. Always double-check the URL

When in doubt, avoid clicking. Hover your mouse over the link to see where it takes you. If the address displayed in the hovering link differs from the address stated, do not click on it. If you unintentionally click the link, do not submit any information on the website; instead, simply shut the browser window.

2. Keep an eye out for dangerous email attachments.

When receiving email attachments, use caution. First, save the file to your downloads area and look at the file extension. If any of the following are present: If the file name ends with.JS,.EXE,.COM,.PIF,.SCR,.HTA,.vbs,.wsf,.jse, it is likely dangerous and you should not click on it or attempt to open it.

Please keep in mind that these are only a few of the more popular malicious extensions; there are many more that you should be wary of.

3. Include cybersecurity Awareness training for employees.

Our service, BPP, can assist you in protecting your employees from phishing attacks. BPP helps your employees by offering engaging training videos that teach them about various cybersecurity topics like phishing emails. We also generate phishing emails that we send to your employees to test them on what they have learned from the training. BPP calculates your staff’s scores and generates an “Employee Score”, which we send to managers so they know which employees need more training. If you are interested in our BPP service, get in touch with us now!


The rise of phishing assaults in recent years has demonstrated how successful targeted and relevant attacks can be. Because of the abundance of information available online, cybercriminals may move from a bulk approach to sending personalized emails that have a far better chance of success. And, as technology improves to automate much of this reconnaissance, it is logical to expect attackers to take advantage of it.

Obviously, 2022 is predicted to be another difficult year for cybersecurity professionals worldwide. While keeping employees informed and aware of the dangers to their work and privacy is an important first step, adopting an effective security solution is also required.