Just like the internet, phishing has evolved more and more over the years. Of the more than 537,000 phishing threats that were reported in the 2017 Global Spear Phishing Report, 91 percent (490,557) contained characteristics of display name spoofs.
Display name spoofs are where hackers impersonate a person familiar to a business user in order to fool the person into thinking the message came from a trusted source. It’s a very effective tactic, especially against a workforce that is deluged with incoming communication and traffic all day, every day.
In the study, direct spoofs were the second most popular attack type (8%) and domain lookalikes made up less than 1%of the phishing attacks.
The report from GreatHorn went to find that nearly 1% of all emails to business users have contained a specific characteristic, or characteristics, that were deemed risky.
A figure that some would think was low, but in reality, is not - considering the volume of emails that workers send and receive was taken into consideration.
A 2015-19 report from the Radicati Group Email Statistics shows the average worker received 122 business emails per day in 2015 - and the report showed that this number was expected to grow through 2019.
What it boils down to is the average user faces at least one risky email per day, and it’s pretty safe to assume executives receive a ton more attention.
Unfortunately, as phishing attacks have become more common, companies are now viewing them as just another hazard of doing business. In the beginning there was a sense of confusion and amazement, now that has turned into weariness.
When phishing attacks first happened there was fear and alarm. Now, companies have just accepted it.
But this is a big mistake. Successful phishing attacks are still happening much easier than they should, because of out-of-date assumptions and very taxed security practices. It’s not too late, though, as things can be changed often quickly and simply.
In a recent post by Blueprint IT Security, they talk about how their clients have experienced the same common attacks found in the industry - ranging from credential phishing, business email compromise and booby-trapped attachment malware.
Blueprint goes on to say how ransomware has become the biggest category of malware phishing attacks.
You hear all the time to be “wary” of emails. But, at some point, you need to open emails, attachments or go onto unknown websites for your job.
In their recent post, Blueprint talks about what the best strategy is when it comes to try and fish out phishing. They go into how they always layer and involve a number of overlapping protections that mix the technical with the behavioral.
They go on and make some suggestions, beyond the obvious ones - such as ensuring backup is in place and the systems have been patched. Other ways to protect against phishing are:
Disabling Office Macros - Defense number one is to either disable them altogether or enable only from signed and trusted sources.
Authentication - The simplest implementation of this idea is the two-step verification system that is used by cloud services, but more sophisticated two-factor authentication and single sign-on is also worth considering.
Domain-based Authentication, Reporting & Conformance (DMARC) - It’s a mechanism that makes emails from domains using it difficult to spoof. It also protects a company, and its customers, from attackers who would impersonate their brand.
Encryption - The best protection from phishing is to encrypt data, so its contents can’t be held to ransom.
Anti-phishing Awareness - This should be a basic requirement from SME level and up. Not engaging at this level just leaves companies simply hoping for the best, which is never a good approach.
As you can see, phishing continues to be a major problem in the country, and around the world. And, as we read earlier in When Did Phising Become a Social Problem?, with 1.3 billion users logging onto their favorite social networking sites each month hackers are casting a wider net.
Because of the higher threat of phishing, the idea behind awareness training is to baseline the degree to which employees can be snared by test phishing scenarios, comparing their behavior when running the same tests weeks or months later. The best approach seems to be to start with a longer training session, running short monthly tests every month for a year.