When Dealing With The Phishing Threat, User Education Is Key

Email has become a crucial part of how organizations perform their day to day business. The average employee receives dozens of emails every day, and efficiently performing their job duties requires the ability to quickly process the information in an email and take the appropriate action.

Cybercriminals take advantage of the need to rapidly deal with email in phishing campaigns. In many cases, it is easier to slip a fake email past a distracted human than it is to fool a sophisticated cybersecurity monitoring system. The success of phishing campaigns has led to them being the preferred method for delivering malware to a target computer and can produce massive payoffs to the cybercriminal in targeted spear phishing and business email compromise (BEC) scams.

The threat of phishing makes learning how to prevent phishing an important concern for any organization. Understanding the scope of the phishing threat and some of the tactics used to defeat traditional cyber awareness training methods are important components of this. However, in the end, an organization needs to accept that some phishing emails will always be successful and to take action to protect the organization in the event of breached employees’ credentials or a successful infection of an employee computer by malware.

The Phishing Problem

Phishing attacks are some of the most difficult threats for an organization to protect itself against. Vulnerabilities in software or hardware can be fixed with a patch for the vulnerable code or replacing the malfunctioning component. Protecting against phishing attacks requires training humans to properly identify a phishing email and to take the appropriate action in response.

The difficulty in protecting against phishing threats make them a favorite tactic for hackers trying to gain access to an organization’s network. In fact, 91% of successful cyberattacks begin with a phishing email campaign. It is much easier to trick a user into clicking on a link or opening a malicious attachment than it is to develop exploits capable of breaching an organization’s firewall and other protections.

The growing threat and effectiveness of phishing attacks is demonstrated by the breakdown of benign vs. malicious URLs that an employee will see. 1.9% of URLs are part of a phishing campaign, which is concerning since an employee clicks on about 25 URLs in the course of a business day. If employees do not know how to properly identify and respond to phishing threats, each employee can be expected to cause at least two cybersecurity incidents in the course of a standard business week.

The New Phishing Threat Landscape

The threat of phishing attacks is not limited to the quantity of attempts by cybercriminals. While early phishing attacks were easy to spot, many employees have received cybersecurity awareness training designed to help them identify email-based threats. However, cybercriminals’ tactics have adapted to be effective against more knowledgeable and suspicious targets.

Early anti-phishing training focused on the use of HTTPS, and this training has stuck. Users are now conditioned to trust a webpage if and only if they see a lock icon in the address bar. However, 29% of phishing websites now use HTTPS. As a result, the lock icon on a phishing webpage often lulls the target into a false sense of security and increases the probability that they will fall for the scam.

A more effective technique for protecting against phishing attacks is training users to look for a trusted domain in the address bar before entering any sensitive information. Historically, phishers have had to rely on lookalike domains and similar techniques. However, many phishing URLs are now hosted on trusted domains that are either compromised or offer cloud computing. As a result, checking for a trusted domain and trusting the page as a result is now getting almost a quarter of phishing victims into trouble.

Phishers have also moved away from relying on subtlety to achieve their goals. Large amounts of personal data have been revealed in data breaches, and cybercriminals are leveraging this data in spear phishing campaigns. Extortion emails that use publicly available information to convince the victim that they have already been breached have become an extremely effective tactic for cybercriminals, driving victims into taking action out of fear.

These techniques are only some of the many innovations that cybercriminals have made in the phishing attack. As phishing emails become more subtle and sophisticated, their targets will increasingly fall victim to them. Unless an organization deploys the appropriate cybersecurity solutions, every successful phishing email could result in an incident or a data breach.

Protecting Against Phishing

Although some phishing attacks have been designed to defeat traditional cyber awareness training methods, any phishing email can be detected given enough time, effort, and knowledge. Equipping employees with the information necessary to detect and respond properly to phishing threats significantly decreases the exposure of the organization.

However, some phishing emails are bound to make it past the human firewall, and user credentials will be leaked to attackers. Protecting the organization against attack requires accepting this and taking the appropriate action. Deploying solutions like two-factor authentication on internal and external web applications and implementing user behavioral analytics to detect anomalies that could point to a compromised attack can mean the difference between a successful cybercrime campaign and the need to change a single user password after a phishing email.