Phishing is one of the more productive ventures being pursued by cybercriminals.
The graph in Figure A from the APWG 2016 Phishing Trends Report (PDF) points to nearly a 250% increase in phishing sites and associated email traffic during first quarter 2016. Some other disturbing facts from the report:
- The retail/service sector took top honors of being the most targeted industry (42%).
- The number of brands targeted by phishers remained constant—ranging from 406 to 431 brands each month.
- The US continues to be number one on the list of nations hosting phishing websites.
Image: APWG and Duo Security
To the fortunate few unfamiliar with phishing, the website Phishing.org describes the digital form of scamming as:
“A process where a targeted individual is contacted via email by someone posing as a legitimate institution to lure the individual into providing sensitive data such as banking information, credit-card details, and passwords. The personal information is then used to access the individual’s account and can result in identity theft and financial loss.”
What’s the problem?
Phishing has been a lucrative effort for cybercriminals since 1996, according to Phishing.org. One might think there would be a solution by now. Security companies have developed semi-capable technological deterrents; however, the real issue is something called identity deception, which is when a motivated phishing attacker:
“Knowingly obtains, possesses, transfers, or uses identifying information of another person without the other person’s consent: and with intent to harm or defraud another person; assume another person’s identity; or profess to be another person; commits identity deception.”
As to why identity deception is such a complex problem, we humans are to blame. “Human error—paired with corporate cultures that sometimes fail to prioritize cyber security education—are often the culprits when businesses fall victim to phishing attacks,” explains Shahryar Shaghaghi leader of BDO’s technology advisory practice to CIODive’s Justine Brown. “All employees should understand what a phishing email looks like and how to avoid becoming a victim.”
Shaghaghi continues, “Having said that, users must be given the tools and the culture to ask questions about a potential phish or suspect email. Just as you would validate a person who rang your doorbell at home or called you on the phone to ask for your credit-card information, that same rigor should be applied when it comes to business communications.”
SEE: Create a security culture framework to protect against threats (Tech Pro Research)
How to be sure?
There is an old adage, “You can lead a horse to water, but you cannot make it drink.” That is spot-on applicable when it comes to phishing. Employees can get all the training in the world, but is the training effective and do the employees truly understand what they are up against?
To determine whether employee training is working or not, the people at Duo Security recently launched Duo Insight. A free phishing assessment tool that businesses and organizations can use to find phishing-vulnerable employees and devices. This press release about Duo Insight mentions:
“The goal of Duo Insight is to offer organizations of all sizes a free internal phishing drill system that allows them to simulate a phishing attack on their employees in five minutes. With the results of those simulations, administrators can identify potential security weaknesses and make the case for investing in stronger security solutions or better employee education.”
Since its July 2016 launch, nearly 400 companies have incorporated Duo Insight into their security framework. Of the 400 companies, 31% determined their organizations were at risk from phishing and any ensuing attack campaigns. Analysts at Duo Security also uncovered that 17% of tested employees entered their username and password.
“Those users who clicked the link open their organizations to hackers through unsecured internet browsers, plugins (Flash and Java), and out-of-date operating systems on their devices,” mentions the press release. “In addition, the hackers running the phishing campaign could exploit additional vulnerabilities and get complete control of the compromised device, and possibly the victim company’s network.”
Duo Insight report
Duo Insight outputs a report similar to the one in Figure B, allowing companies to discover security weaknesses and eliminate them.
Image: APWG and Duo Security
The report should also be useful when trying to convince C-Level management that finances for improvements and increased security training are required.