Phishing is one of the oldest forms of digital fraud, and it shows no signs of going away anytime soon. In an environment where 97% of people cannot accurately recognize a phishing email, and approximately 30% of phishing emails are opened by their recipients, the creators of these attacks have every incentive to continue their activities.
In 2016, 13,000 new phishing websites were created, with over 400,000 visits every month. Even more alarmingly, since 2016, the number of phishing websites has increased by 250%. The low operational cost of launching a phishing attack, combined with the fact that very little technical knowledge is required to do so, makes it a very appealing strategy for criminals.
As phishing attacks become more common, they are also becoming more targeted and sophisticated, which makes it even harder for people to tell whether an email, social media page, or even a website is legitimate or the creation of cyber criminals. These attacks will only continue to advance, meaning that organizations need to make more of an effort to protect their brand and their customers.
Anyone Can Fall Victim to a Phishing Attack
In May 2017, a sophisticated phishing attack hit Google. Gmail users were sent emails from seemingly legitimate contacts, prompting them to open a shared Google Doc. After clicking on the link in the message, users were shown a pop-up tab asking them to grant permissions to what appeared to be the Google Doc application. The app was actually a fake, and was used to collect users’ contact information and send more messages to further spread the attack.
The attack on Gmail cast a wide net, and was aimed at anyone with a Gmail account.
Spear phishing is a form of phishing that takes a different approach: the attackers carefully select their targets and use social engineering to tailor the attacks to each individual victim. Business Email Compromise (BEC), meanwhile, is a form of spear phishing in which attackers pretend to be executives or financial officers within an organization in order to gain access to money or sensitive information. Between January 2015 and December 2016, BEC increased by 1300%, with $5.3 billion in exposed losses between October 2013 and June 2016.
Spear phishing attacks are successful because they often involve research and planning by the attackers. Emails are crafted to appear completely legitimate; attackers may even research email conversations within an organization in order to make the wording of an email sound as authentic as possible. These attacks may take the form of an attacker pretending to be a financial officer asking an employee in the finance department to make a transfer to the criminal’s account. Or, the attacker may pose as a member of the IT department, taking advantage of the user’s trust and convincing them to give up their credentials.
With these increasingly sophisticated and diverse attacks, educating your users is no longer enough to protect your organization from the next major phishing attack. While many companies are deploying some anti-phishing security measures, attacks are advancing at such a rapid rate that basic anti-phishing security measures can’t keep up.
The Benefits of a Strong Anti-Phishing Strategy
With a strong, multi-layer security plan, you can greatly reduce your organization’s risk of becoming the victim of an attack and facing the massive consequences that can come along with that. While educating end-users on how to spot spoofed emails and fake websites is useful, it can only work as part of a greater, more proactive anti-fraud strategy.
Here are some tips to protect your organization and end-users from phishing:
- Strengthen your detection capabilities, such as through machine-learning technology, to ensure that attacks are efficiently detected.
- Implement an email authentication protocol such as DMARC to reduce the risk of spoofed messages reaching inboxes.
- Take advantage of multi-factor and user authentication to reduce the risk of account breaches.
- Partner with a vendor that can provide 24/7/365 monitoring for and takedown of fraudulent or malicious usage of your brand’s name.
Following these tips will help protect your organization so that when the next phishing attack occurs, you can stop it before it is even launched.