In my personal use of O365, I get somewhere between 50-200 personal emails a day. On average, I still have 1 to 3 phishing emails getting to me each day. Not only are they still arriving, but their sophistication and targeting are up. I still get phishing attempts from banks and other companies I don’t do business with, but it seems the phishing attempts that seem to have advanced knowledge of the companies and services I do do business with seem to be increasing. I’ve just assumed they are getting clues from my social media postings and other information leaks.
For example, people buying houses now have to be aware of compromised mortgage agents whose email has been taken over by a phisher, who then sends a bogus request for the closing payment to the buyer to wire the money to another bank. The house buyers were expecting the wire transfer request, and it appears from the email account of the person they were told to expect the wire transfer request from. It appears legitimate in every way, including the amount of the money they were told to expect to have to bring to closing, with the only changed details being the bank they are wiring the money to. If the unsuspecting home buyer wires the money to the wrong bank, they are often permanently out of the money (if not the house they were wanting to buy unless they can and want to pay the closing costs again).
Like mortgage closing payment fraud, all spear phishing is increasing in sophistication. It is coming from people and businesses you trust. Regardless of what any vendor tells you, their anti-phishing miss rate will never be zero. I’ve been in the computer security business for over three decades. And each year, I hear from some vendor how they finally have phishing beat. And each year, it seems to get worse. Despite every vendor’s best effort, it seems more phishes are hitting my inbox than ever before.
Even if a vendor solved the email phishing problem at work, it doesn’t stop email phishes from getting to your employees. Most employees have personal email accounts, and if that service has a non-zero phishing rate, then you and your company still need to educate those employees with security awareness training. Just because you solve the problem at work doesn’t mean the problem is gone.