How to Stop Sophisticated Phishing Attacks

Jeff Hershberger
Jan 04, 2023

When drawing up strategies against cyber threats, it’s important to identify threats that can have the biggest economic impact on your organization. Knowing which threats tend to cause greater financial loss will help you determine where and how to prioritize your cybersecurity efforts and resources. 

Last year, the global average cost of a data breach was USD 4.35 million. Of all initial attack vectors, phishing was the costliest. Breaches where attackers used phishing as a way of gaining initial access cost an average of USD 4.91 million. It’s also the second most common initial attack vector, with 16% of breaches starting with a phish. These findings were revealed in the 2022 Cost of a Data Breach report.

Phishing Paves the Way for More Sinister Attacks

Being an initial attack vector, phishing can lead to a chain of succeeding threat actions. Once an attacker gains an initial foothold on your network, it can deploy ransomware, connect to a C2 server, perform lateral movement, and so on. It can even create a backdoor for future intrusions. 

We all know that ransomware is one of the most disruptive threats in existence. A ransomware outbreak can cripple your entire network. According to the 2022 Verizon Data Breach Investigations Report, 35% of ransomware incidents last year involved the use of email. 

Longer Detection and Containment Times Amount To Higher Costs

In the past 7 years, Cost of a Data Breach report data has consistently shown that a longer identification and containment period, a.k.a. the “breach lifecycle”, corresponds to higher costs. For example, in 2022, data breach lifecycles less than 200 days cost an average of $3.74M. By comparison, lifecycles that exceeded 200 days cost an average of $4.86M.

As hinted earlier, cyber attacks consist of multiple stages. Each stage can also consist of multiple threat actions. For example, after establishing a beachhead on one of your systems, an attacker might perform a series of lateral movements and privilege escalations. The attacker might compromise multiple systems along the way until it reaches its main target. Thus, the longer it can stay undetected, the more advantageous for an attacker. 

Phishing-initiated data breaches are known to remain undetected for several months. According to the same report, the mean time to identify and contain breaches caused by phishing is 295 days—practically 50% above the 200-day mark.

Why It’s Crucial to Block Phishing Attacks

As a top initial attack vector, phishing plays a major role in most cyber kill chains. That means if you can stop phishing attacks in their tracks, you can prevent most cyber attacks from gaining an initial foothold and impacting your business. Almost every time you stop a phishing attack, a more sophisticated, more disruptive, more costly cyber attack is nipped in the bud. 

Whenever you block a phishing attack, you would have likely also prevented a ransomware outbreak, a multiple-day disruption, a hundred-thousand-account data breach, a multi-million dollar loss, and a multi-year damaged reputation. No doubt, the benefits of stopping a phish are substantial.

In the field of cybersecurity, phishing is an ancient tactic. Consequently, security experts have already spent a great deal of time studying it and crafting countermeasures against it. One particular countermeasure works well, but it’s not 100% effective. Let me explain. 

Current Phishing Countermeasures Aren’t Enough

82% of data breaches in the past year involved the human element. Those incidents mostly consisted of social engineering attacks, more than 60% of which were phishing attacks. This was shown in Verizon’s 2022 Data Breach Investigations Report.

Cybersecurity experts are well aware of the significance of the human factor in data breaches, especially those that involve social engineering threat actions like phishing. It’s the reason why organizations with established information security programs conduct regular employee security awareness trainings and workshops. Employees who can identify a suspicious email have a better chance of thwarting a phishing attack. 

Trained employees can, for example, distinguish a potential phishing email from a legitimate business email through various red flags like:

  • Non-official domains, e.g., or
  • Misspelled domains, e.g.,
  • Misspellings and grammatical errors
  • Suspicious attachments
  • Destination URLs that don’t match the link or anchor text shown in the email
  • Messaging that provokes a sense of urgency
  • Requests for login credentials or other confidential information

Once identified, a phishing email can be simply deleted or reported to IT teams, cybersecurity staff, or whoever is in charge of dealing with these threats. In other words, most phishing attacks are useless against well-trained employees. 

Sometimes, however, phishing emails are so cleverly crafted, they can fool even well-trained employees. To thwart any phishing attack regardless of its level of sophistication, you need to augment employee security awareness training with a security tool that detects even the most sophisticated phish. Here’s what you can do. 

How to Really Stop a Phishing Attack In Its Tracks

All phishing emails have some kind of “call-to-action” that entices the recipient to either download an attachment or go to an external site. Behind each call-to-action is a link that directs the unwitting recipient to a malicious site. Thus, regardless of what the call-to-action is, the initial goal of every phishing operator is to redirect the recipient to a malicious site. 

Intrusion can help you turn the tables against these operators. Armed with a massive, growing database of 8.5 billion IP addresses as well as reputation, behavior, and historical data, Intrusion can determine if an email link leads to a malicious site. Any attempt to connect to a malicious site is then automatically blocked. Emails originating from malicious sites are likewise blocked.

In effect, Intrusion prevents phishing operators from gaining any foothold on your network. More importantly, because phishing attacks are usually precursors to other threat actions, Intrusion can indirectly block a majority of the threats that are out there. Intrusion uses the same principle to counter other cyber attacks, like adware and malvertising

We’ve been threat hunting and analyzing network behavior for over 30 years. Over that period, we’ve recorded more than 3.5 billion IP addresses with low or poor reputations. Businesses shouldn’t be connecting to those IP addresses, and yet many still do. Intrusion can prevent you from making the same mistake. 

Do you have specific questions about Intrusion and how you can use it to defend your users and network? We’d love to talk to you.

Resources that might interest you.

Get the insights cybercriminals don’t want you to know.