Phishing Leads Data Breach Costs
Key Points
- The 2024 IBM Cost of a Data Breach Report identifies phishing as the second‑most common cause of breaches (15% of cases) and the second‑largest cost driver, averaging $4.88 million per incident.
- Phishing is a form of social engineering that exploits human trust by appealing to motivations of “gain” (carrots) or “loss” (sticks), aiming primarily to steal credentials or deliver malware that harvests those credentials.
- Attackers deliver phishing attempts through multiple channels: classic malicious emails, SMS messages (“smishing”), voice calls (“vishing”), and even QR codes, all designed to trick users into clicking links or revealing login information.
- Successful phishing often results in credential theft used for identity theft, account takeover, or the deployment of info‑stealer malware that continues to harvest passwords.
- Defensive strategies focus on user awareness of these tactics, verification of unexpected communications, and technical controls to detect and block suspicious links, messages, and QR‑code exploits.
Sections
- 00:00:00 Phishing: Top Data Breach Driver - Phishing, a social‑engineering tactic that exploits human trust and emotions like greed or fear, is the second‑most common cause and cost driver of data breaches in the 2024 IBM report, primarily targeting credentials.
- 00:03:08 Phishing Variants and Their Ruses - The speaker outlines phone‑based vishing, QR‑code quishing, and common social‑engineering contexts such as fake bank or courier messages that exploit fear and urgency.
- 00:06:20 Spray‑and‑Pray vs Spear Phishing - The speaker contrasts indiscriminate, mass‑mailed “spray and pray” phishing attacks with focused, research‑driven spear‑phishing campaigns that impersonate known banks or employers.
- 00:09:31 AI‑Powered Hyper‑Targeted Phishing - The speaker explains how attackers can use generative AI to scrape social‑media information, automate the creation of highly personalized phishing messages with perfect grammar, and launch faster, more convincing spear‑phishing campaigns.
- 00:12:37 Secure Login Practices Overview - The speaker advises typing URLs manually, enabling multi‑factor authentication, and adopting FIDO Passkeys instead of passwords to greatly reduce phishing and credential‑theft risks.
- 00:15:40 Email Anti‑Spoofing and Least Privilege - The speaker advises organizations to deploy anti‑spoofing measures for inbound and outbound mail, continuously monitor traffic, and enforce the principle of least privilege by removing local admin rights from end‑user workstations.
Source: https://www.youtube.com/watch?v=nSGQkE67jcg
Duration: 00:17:18
Full Transcript
Guess what was the number two cause of data breach, according to the 2024 IBM
Cost of a Data Breach Report, coming in at 15% of cases?
Also, guess what was number two in terms of cost of data breaches, coming in at $4.88 million?
Big number.
It turns out the answer to both of those questions is the same thing.
Phishing.
No, not that kind of fishing.
Yeah, that kind of phishing.
And a phishing attack is essentially what we refer to as a social engineering attack.
In social engineering, the attacker is basically trying to manipulate
the victim into doing things that they ordinarily would not and should not do,
and how do they do that?
Well, they're basically leveraging and exploiting our tendency as humans to trust each other.
If we see the right cues, then we tend to trust something.
And we use that evidence as the basis for that trust.
The problem is sometimes what we trust is not right,
and these phishing attacks generally revolve around one of two different types of motivations.
One is carrots and the other is sticks.
In other words, you could think of it gain and loss or greed and fear,
but generally that's the theme of these phishing attacks.
So the bad guy is trying to exploit those feelings that we have, that we all have.
And what are they trying to get?
What's their goal?
Well, what they ultimately want from you, in most cases, are credentials.
They want the stuff that you use to log in with.
They want to steal your password so that they can then go do identity theft,
empty your bank account, do whatever, in your name.
In some cases, though, they're actually trying to plant malware on your system,
but guess what?
A lot of that malware is in the form of an info stealer, which is designed to steal credentials.
So again, we're seeing this is a big part of what all of this phishing is ultimately about.
In this video, we're going to take a look at the different types of phishing attacks,
as well as the defenses, the things you can do to keep yourself safe.
Okay, let's take a look at some of the different classes of phishing attacks,
and we'll break them down in terms of delivery, context, and type.
So first of all, we'll take a look at the most common delivery format.
Everybody is bound to have gotten one of these, an email.
You get an email and it's giving you certain instructions, things you need to do.
Invariably, there's a link in the email they want you to click,
and when you do, then that's when you're either going to get the malware or the stolen credentials will follow.
Another form, though: an attacker can pull the same scheme, but it doesn't have to be through email.
It could be through a different form of delivery.
It could be through an SMS message.
And this we call smishing.
It could also be through a voice message or a call where we get someone telling us what
to do or leaving a message and telling us to call back or do something like that.
We call this vishing.
And then not to be left out, QR codes, you know, those things, those square things that you'll see popping up all over the place
and they've got the little dots in them and you scan them with your phone and it takes you to a website.
Well, what website is it taking you to, a legitimate one or one belonging to an attacker?
What do we call that?
Wait for it.
Quishing.
Yes, of course, there's quishing.
And there are lots of other types.
These are just some of the more common ones that we're aware of these days.
Now, let's take a look at context.
So what could be the context?
In other words, the ruse, the story that's in this, however it got to us.
A really common one is claiming to be your bank.
And we need you to log in and verify your details.
Well, first of all, if my bank can't keep up with my details or where my address is
and stuff like that, I don't want them holding on to my money.
So that's not what banks, real banks really do.
That's phishers trying to, guess what, play on your fears.
This is one of those sticks examples where they're using sticks as a way to get you to do something.
Another one is a courier, you know, somebody who is a delivery service
and they say we've got a package for you that was undeliverable.
Click on here so that we can confirm your address.
Well, so this is also playing a little bit on fears, you know, a feeling of missing out.
But more than anything, this is a chance.
This is a carrot.
This is like, Whoa, I wasn't expecting a package.
I can get a great package.
Great. Okay,
but then when you confirm your details, you're going to be ending up giving them
what they were after, your credentials, probably in most cases.
Some of them come in and say, we're the following e-commerce site, some well-known site,
and they'll say the order for the laptop just got processed against your credit card,
and we're going to charge you $2,500 for that.
Click here to approve or click here if you didn't approve of that purchase,
and it turns out you didn't because they made the whole thing up.
And when you click in, again, you're going to get back to the same sort of issues that pop up again.
What could be some others?
How about this?
Everybody loves a contest.
Everybody loves to be a winner. Sweepstakes.
You win a gift card.
Okay. This is clearly a carrot.
This is a greed situation.
That one, by the way, is a fear situation.
I'm afraid my credit card is actually being charged.
Here we're looking at, okay, I just need to click in here, give them my details,
because after all, they have to know where to send all these grand prizes that I've just won.
By the way, you didn't win.
That's probably another form of phishing attack.
And then another one that's really growing in popularity these days, as a lot of people are looking for jobs online,
is a phishing attack that involves a job offer of some sort that is too good to be true.
Work two hours a day and do it from poolside, eating bonbons, and you're going to get days off.
You're going to get great pay.
This is just wonderful.
Of course, it's not.
This is another greed type of motivation or gain or carrot that's being thrown out there.
Again, you click into this and we're going to end up right back in the same place we did with others and many more.
Now, in terms of type, the different phishing types, what would they look like?
Well, the most common, the one that we're all more familiar with is what I'll refer to as the spray and pray.
The attacker just sends these out indiscriminately and they send it to everyone saying, I'm your bank.
I've gotten these from banks claiming to be banks that I have never done business with.
So if they're wrong, they'd only need to be right a very few times.
So it doesn't matter to them if they're wrong most of the time.
It's very indiscriminate.
Just spray and pray, send it out there to everybody and hope that some suckers fall for this.
Okay.
Another type, which is very different than that is called a spear phishing attack.
In spear phishing, it's much more targeted.
Maybe I know what your bank is or maybe I know where you work.
And so in that case, I'm going to send an email that looks like it's coming from your bank where you actually do business,
or from your place of work where I know you work.
And in that case, I've had to do a little more research, but maybe not.
In some cases, if it's employees, they're all going to, in their email addresses,
probably going to have the same domain after the at sign.
So if I was a phisher, I could put together an email that says it's coming from there
and send it to only people that have that as their email address.
And that way it's going to seem more targeted.
People are more likely to believe it because it doesn't seem just as indiscriminate.
Another version of this is what's referred to as whaling,
and in a whaling phishing attack, what's basically happening is the attacker
is going after the quote unquote big fish in the organization, the high-level executives.
In this case, it's like a hyper spear-phished, hyper-focused type of attack.
And they've put even more focus into the way they put together their attack,
but here in this case, it's just the opposite of the spray and pray where we just send a whole bunch out and hope we get a few.
Here, we're really going after a few people that are well known and who would be high value targets.
And then one of the other things that's done in these is a cloning attack.
Take a legitimate email that maybe came from a bank and then
use all the icons and everything else, all the language, everything's exactly the same.
All they do is just substitute in their link, the link of the attacker instead of the link that is from the actual bank.
So it's very passable and very believable.
So cloning attacks are another version of this.
And again, this is just a partial list.
There are a lot of different ways that people do this stuff.
So that's phishing as we've traditionally seen it up to this point,
and I'm going to tell you, it's not going to get better.
It's going to get worse.
Stop and think about this.
AI is everywhere.
What's going to be the impact of AI on phishing attacks?
Well, it turns out if you had an AI, it could do a lot more research on the individual that you're trying to phish.
So your spear phishing, your whale phishing becomes even more focused.
How would they be able to do that?
Well, one way that they'd be able to get information would be through social media.
So I'm going to be able to do some research and use publicly available
sources, look on your social media accounts and see things about you,
and as a result, I can come up with a hyper-personalized attack.
It's going to be something that resonates with you and I'll know it will resonate with you,
and the AI did the research, did all the leg work.
So obviously one of the things you want to do is make sure your social media is not accessible to the entire world,
but using an AI to go read all of that stuff and come up with what are the
things that would cause a person to be triggered, that's going to automate that research process,
and another big impact: we've told people for years that the way to avoid phishing attacks is to look for certain clues.
And one of those is bad grammar and things like that.
Well, guess what?
One thing that AI can do really well, especially generative AI, it doesn't make those kinds of mistakes.
So if I'm a phisher and English is not my first language,
I can still use a generative AI chat bot to generate
my phishing email, have it do this research, and then have it generate the email with no grammar errors.
It will be perfect grammar.
There'll be no spelling errors either.
I wish I could do that, but I can't.
And it's going to be able to do all of this at speed and at scale.
So, all the people that we've trained to look for grammar and spelling
errors as their primary cue for a phishing attack, we need to go back and unlearn
that from them because AI is going to make all of that stuff go away.
Okay, now we've covered the different types of phishing attacks
and how things will get worse, but now what are you supposed to do about all of it?
Don't just wring your hands.
There are some actions you can take.
Let's take a look at those defenses.
It turns out the United States National Institute of Standards and Technology,
NIST, came out with a really good document on exactly this.
I'm going to point out some of the things that they came out with, along with some of my own ideas mixed in here,
but I would say number one, the number one job in terms of defenses is really about training.
Make sure that you, and if you're responsible for training
the folks in your organization, make sure they know about this and about this.
Show them this video, for instance, because the best defense I think
is someone's skepticism and awareness that these kinds of things are possible.
Then they're less likely to fall for all of this kind of stuff.
Teach them, as we've been saying for a long time, but continue to emphasize don't click on links that are in emails.
It's much better, even if you think it is your bank and there's a link,
to go to the bank's website directly from a bookmark that you've saved, for instance.
Go type it in on the URL line in the browser.
That's a lot better than clicking on a link because a link can look like one thing
and when you click on it, it actually redirects you to some other place.
Another good technology to use here is multi-factor authentication.
If somebody's trying to steal your credentials, that is, your password,
and all you have to do in order to log in is type in a password, then they've got your account.
If we have multi-factor authentication, then a password alone will not get someone into your account.
They also might have to have something that you possess, like maybe your phone that's been pre-registered or your face.
It turns out if somebody takes your face, you're probably going to realize that.
That makes it a lot more difficult for an attacker if they have to compromise multiple factors of authentication.
Another thing I'm a big believer in is this technology called PassKeys that comes
from an organization called FIDO, the Fast Identity Online organization.
It's an international standard and it's better than passwords.
I did a video on this, so you can go take a look, two videos if you want to see more about that.
I won't go into that in detail here, but what it does is it replaces a lot of the weaknesses of passwords.
People don't have to remember stuff to go along with it, and it makes it so that it's much more resistant to phishing attacks.
Nothing's ever 100%, but this is pretty darn solid.
If you get an opportunity, and you may see this more and more with websites
you go to log into, and it says, would you like to create a PassKey?
I'd say do it.
The PassKey will be stronger than a user-chosen password, because people really stink at picking passwords.
Another thing you could do, and a lot of people ignore this one, is use a secure DNS.
DNS is the thing, and this is an example of one, Quad9.
DNS is the thing when you type in, for instance, a URL, like you want to go to a particular place like IBM.com,
then the internet doesn't know where that is, but it will
turn that into a numeric address that begins with 9 dot something dot something dot something.
That conversion is what the DNS does.
IBM has a free service that we've partnered with another company in order to make
the service available, and it's called Quad9, because if you replace the DNS in your software
with four nines, by the way, IBM owns that nine-dot subnet address range, then you're going to get something
where if you click on a link that's to a known bad place, it just won't resolve.
So it won't do this part.
If you had something else that was wrong, like 1bm.com, if
that's even a website, and it turned out to be a fake version that was a knockoff.
So it won't resolve that, and therefore you won't go to those places.
This is a very low-cost way that you can prevent those things from happening.
Another one is an industry standard called DMARC,
and this one stands for Domain-based Message Authentication, Reporting and Conformance.
It's a big mouthful, so we'll just call it DMARC.
Basically what it does is it's an anti-spoofing technology, and you want to do this
for the emails coming into your environment, implement that into your infrastructure.
If you're an end user, you won't need to do this.
This is something your IT staff should be setting up for you.
Also, implement it on the emails that are leaving your organization so that you are not the source of spoofed emails,
where someone's claiming to be a bank, and in fact it's coming from someplace else.
If everybody did this, this would make things a lot more secure.
Do a lot of monitoring.
Look and see what's coming into your environment and what's going out.
Be the eyes and ears so that you're on top of this stuff to begin with,
and then, a good idea: a lot of users have admin rights on their individual workstations.
Probably not the best thing for most users because they don't really know what to do with all that much power,
so it's best to turn admin rights off on individual
end user workstations and have only administrators with those capabilities,
and by the way, that's in keeping with the security principle of least privilege.
That is, you only have the access rights that you need.
That way, they're less likely to get the malware installed on their system in the first place
because they would need admin rights for new software to be installed.
Okay, so I admit that's a lot to take in.
All of the different motivations, all of the different types, and how it's moving in the future,
but just bear in mind, the good news is we do have some defenses.
There are some things you can do to keep yourself safe,
and if you do these things, you'll tip the balance back in your favor.
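The DMARC advice in the transcript covers both publishing a policy for outbound mail and enforcing it on inbound mail. The following added example, written for this page and not taken from the video or from IBM, models in Python how a receiving server parses a domain's DMARC TXT record and applies it to a message's SPF and DKIM results; the domain names and the record are constructed, and the organizational-domain lookup is a simplified assumption.

```python
"""Added example (not from the video or from IBM): a minimal model of how a
receiving mail server applies a sender domain's published DMARC policy.

parse_dmarc() reads the DNS TXT record a domain publishes (the outbound,
"don't be a source of spoofed mail" side), and evaluate_dmarc() decides what
a receiver should do with a message given its SPF and DKIM results (the
inbound side). All domains and the record below are constructed samples.
"""
from dataclasses import dataclass


@dataclass
class AuthResult:
    """Authentication results the receiver has already computed for one message."""
    header_from: str   # domain in the visible From: header (what the user sees)
    spf_pass: bool     # SPF result for the envelope sender (MAIL FROM)
    spf_domain: str    # MAIL FROM domain that SPF was evaluated against
    dkim_pass: bool    # at least one DKIM signature verified
    dkim_domain: str   # the d= domain of that verified signature


def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag/value dict. Missing alignment
    tags default to relaxed, as in the spec; a missing p is treated as none here."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels. Real receivers
    consult the Public Suffix List; this shortcut is an assumption to stay short."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def evaluate_dmarc(record: dict, r: AuthResult) -> str:
    """'pass' when SPF or DKIM passes AND aligns with the From: domain; otherwise
    the disposition the domain owner requested (none, quarantine or reject)."""
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.header_from, record["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.header_from, record["adkim"])
    return "pass" if (spf_ok or dkim_ok) else record["p"]


# Constructed record for a hypothetical bank that enforces reject and strict SPF.
BANK_RECORD = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@bank.example; aspf=s")

if __name__ == "__main__":
    # Legitimate mail: DKIM signed by the bank's own domain.
    legit = AuthResult("bank.example", False, "bulk.bank.example", True, "bank.example")
    # Spoof: attacker's server passes SPF, but only for the attacker's own domain.
    spoof = AuthResult("bank.example", True, "attacker.example", False, "")
    print(evaluate_dmarc(BANK_RECORD, legit), evaluate_dmarc(BANK_RECORD, spoof))
```

A domain still at p=none gets reports but no enforcement, which is why the transcript's "implement it on outbound mail" advice only bites once the policy is quarantine or reject.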