2022-08-08

The Anti-Phishing Working Group, an international coalition of counter-cybercrime responders, just wrapped up a global study on phishing attack trends reported by organizations in Q1 this year. The report yet again highlights that phishing is still one of the most common cyber-attack vectors used by cybercriminals. Below is a high-level summary of APWG findings:

• The number of quarterly phishing attacks rose to a record high of more than a million reported attacks in Q1 2022.

• The financial sector was the most targeted industry and accounts for 23.6% of all phishing. Phishing against social media sites rose from 8.5% in Q4 2021 to 12.5% in Q1 2022.

• While ransomware attacks appear to have decreased, attacks against financial institutions have risen almost 75% in comparison to last year. Researchers also noted a “sweet spot” in ransomware targets: companies large enough to pay the ransom but not large enough to have a mature cybersecurity posture.

• Business Email Compromise (a.k.a. CEO fraud), where a scammer impersonates a high-ranking executive or a trusted source to transfer funds to unauthorized accounts, rose 69% from an average of $50,027 in Q4 2021 to $84,512 in Q1 2022.

• Nearly 59% of all phishing attacks on enterprise users were aimed at stealing credentials, increasing by nearly 7% from the previous quarter.

WHY ARE PHISHING ATTACKS SO PREVALENT?

According to Osterman Research, phishing attacks are popular for a number of reasons that can be classified into two main categories: people and process.

From a people standpoint, there are three main issues. First, phishing works on human psychology, and it only takes a momentary lapse in judgment (one wrong click, one wrong download, or one visit to a malicious website) to become a victim. Second, since many employees are working remotely, they can more readily be distracted and unknowingly fall victim to an attack. Third, people can be overwhelmed by too much information: emails, push notifications, instant messages, and alerts from applications are a few examples of interruptions that can distract people and make them vulnerable to phishing.

From a process standpoint, there are three major reasons. First, there is an absence of tools, processes, and organizational preparedness to combat phishing. Phishing messages can evade traditional defenses because they use legitimate channels (like email or social media) and rely on the users themselves to bypass technical controls. Second, for businesses operating a remote workforce, it is impossible to run in-person checks. Third, in the absence of regular security awareness training, users can forget or neglect the importance of their own security responsibility toward the business. It’s also possible that they are completely unaware of the latest tools, tactics, and procedures that attackers are using to phish users.

One other major reason why phishing is so popular is the fact that phishing attacks do not require deep technical expertise to launch, and they can scale easily. Attackers can target thousands of people in one go. Phishing kits can be purchased cheaply from the dark web, and these kits empower individuals who have limited expertise with ready-made templates and infrastructure that can generate phishing emails, fake login pages, and phony websites.

WHAT CAN BUSINESSES DO TO PREVENT PHISHING ATTACKS?

It’s not hard to imagine how phishing will continue to dominate for years to come. The main reason is that it’s impossible to program or predict human behavior. An effective phishing defense strategy consists of three main elements:

1. Technical controls: Technical defenses are a critical element in combating phishing attacks. Phishing-resistant multi-factor authentication can greatly help reduce credential phishing attacks. Web content filters can prevent users from browsing malicious websites. Email reputation services can provide risk scores. Blacklisting services can block emails from unknown sources. Email authentication standards like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) can protect your domain against spoofing. Endpoint detection and response tools, next-gen firewalls, and intrusion prevention systems can help detect malware, man-in-the-middle attacks, distributed denial of service attacks, and buffer overflow attacks.

2. Security awareness training: While users play a major role in the phishing problem, they can also be part of the solution. Phishing scams can be eliminated if human-centric risks are reduced. If employees are taught to recognize and report unusual, suspicious, or bogus emails, websites, and online activity, organizations can significantly reduce the risk of phishing attacks.

3. Policies and procedures: Organizations must set clear guidelines and procedures. This includes an Acceptable Use Policy that must be reviewed and signed by each employee; an anti-phishing policy that covers examples of social engineering scams; guidance and best practices on how to avoid phishing attempts; and actions that employees must take when anomalies are found. Finally, a disaster recovery plan can help curtail damage and accelerate business recovery in the event of a phishing or ransomware attack.
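The technical-controls item above says SPF and DMARC protect a domain against spoofing, but only when the records are configured to enforce something. The following added example (not part of the original article or of APWG's or Osterman's material) parses the two TXT records a domain publishes and flags the common weak settings: a soft-fail or missing `all` term in SPF, more than the ten DNS-querying terms RFC 7208 allows, and a DMARC policy of `p=none` or no aggregate-report address. The domain names and record contents are constructed samples; a real check would fetch the TXT records for `<domain>` and `_dmarc.<domain>` with a DNS library instead of reading the `SAMPLE_TXT` table.

```python
"""Assess a domain's SPF and DMARC records for settings that leave it spoofable."""
import re

# Constructed sample records keyed by domain (not real DNS data).
# In production, fetch TXT records for the domain and for "_dmarc." + domain.
SAMPLE_TXT = {
    "weak.example": {
        "spf": "v=spf1 include:mail.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:mail.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@strong.example",
    },
    "none.example": {"spf": None, "dmarc": None},
}

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit of 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return {'all': qualifier, 'dns_lookups': n} or None if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    qualifier = None  # stays None when no 'all' term is present
    lookups = 0
    for term in terms[1:]:
        t = term.lower()
        q = "+"  # default qualifier is pass
        if t[0] in "+-~?":
            q, t = t[0], t[1:]
        name = re.split(r"[:/=]", t)[0]  # mechanism or modifier name
        if name == "all":
            qualifier = q
        elif name in LOOKUP_TERMS:
            lookups += 1
    return {"all": qualifier, "dns_lookups": lookups}


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record, or None if it is not one."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(domain, spf_record, dmarc_record):
    """Produce a list of human-readable weaknesses; empty list means enforcing."""
    findings = []
    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        findings.append("no valid SPF record: any host may send as this domain")
    else:
        if spf["all"] in (None, "+"):
            findings.append("SPF has no 'all' term or uses '+all': no restriction at all")
        elif spf["all"] in ("~", "?"):
            findings.append("SPF uses '%sall': unauthorized senders are not rejected" % spf["all"])
        if spf["dns_lookups"] > 10:
            findings.append("SPF needs more than 10 DNS lookups: receivers return permerror")
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results are never enforced")
    else:
        policy = dmarc.get("p", "").lower()
        if policy != "reject":
            findings.append("DMARC policy is 'p=%s': spoofed mail is not rejected" % (policy or "missing"))
        if "rua" not in dmarc:
            findings.append("no 'rua' address: aggregate reports of abuse are never received")
    return {"domain": domain, "findings": findings,
            "spf_all": spf["all"] if spf else None,
            "dmarc_policy": dmarc.get("p") if dmarc else None}


def assess_domain(domain, txt_source=SAMPLE_TXT):
    """Look the domain up in the (constructed) record table and assess it."""
    rec = txt_source.get(domain, {"spf": None, "dmarc": None})
    return assess(domain, rec["spf"], rec["dmarc"])


if __name__ == "__main__":
    for name in SAMPLE_TXT:
        result = assess_domain(name)
        print(name, "OK" if not result["findings"] else "")
        for finding in result["findings"]:
            print("  -", finding)
```

A `p=none` policy is the usual first step of a DMARC rollout, since the aggregate reports tell you which legitimate senders would fail before you move to `p=quarantine` and then `p=reject`; the check treats it as a finding because a domain left at `p=none` indefinitely gets the monitoring but none of the protection the article describes.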

A multi-layered security approach with technical defenses combined with some cyber common sense can go a long way in protecting your organization from phishing scams and schemes.

Stu Sjouwerman is the Founder and CEO of KnowBe4 Inc., the world’s largest Security Awareness Training and Simulated Phishing platform.