Posted on Monday, April 30, 2018 in Cybersecurity. Blog written by Rob Swenson.
Despite growing public awareness of cyber threats, phishing remains a highly popular weapon for hackers.
Seventy-six percent of organizations experienced phishing attacks in 2017, according to Wombat Security Technologies’ “State of the Phish” report for 2018.
The attack level in 2017 was similar to the rate organizations experienced in 2016, according to the study. Wombat is a Pennsylvania-based company that offers security and training software to organizations. However, nearly half of the respondents said phishing attacks are increasing.
Phishing, as most people who use a computer probably know, is a form of social engineering that criminals use to trick business employees and consumers out of sensitive and potentially valuable information. Email is the classic means of attack. But cybercriminals also use phone calls and other increasingly sophisticated techniques.
Hackers are constantly refining their phishing tactics to create more effective ways to cheat people. Computer users must remain on guard for fake requests that carry a sense of urgency (“Update your account information now!”) or offer a reward for taking a questionable action (“Get a free pizza for signing up!”). Unfortunately, taking those basic, mental precautions is not enough to be safe. Greater knowledge is needed.
The good news in Wombat’s “State of the Phish” report was that click rates fell from 2016 to 2017. There is a cautionary note, however.
“Though click rates have come down on average, the war against phishing is most certainly still on,” the report states.
KnowBe4, another prominent business that offers companies training help related to security awareness, has found that messages related to LinkedIn are the top-clicked subject in phishing training tests. LinkedIn is a popular networking website for business people.
SDN Communications occasionally uses services from KnowBe4, a Florida-based company, to help keep its staff trained to recognize and resist phishing attempts. SDN is a premier regional provider of broadband connectivity and cybersecurity services for businesses.
Company workforces, like cyber threats, change over time. Workers come and go or change duties within the organization. Workers have to be trained on an ongoing basis, and the material must be regularly updated.
“Old-school awareness training does not hack it anymore,” KnowBe4 warns prospective customers who visit its website. Email filters have an average failure rate of 10.5 percent, KnowBe4 says, so companies need a strong “human firewall” to serve as their last line of defense.
Microsoft is among the other technology companies touting the value of end-user security training. Microsoft released its annual Security Intelligence Report in March.
The Microsoft study also reported that phishing remains the most popular way for cybercriminals to attack.
“As software vendors incorporate stronger security measures into their products, it is becoming more expensive for hackers to successfully penetrate software. By contrast, it is easier and less costly to trick a user into clicking a malicious link or opening a phishing email,” Microsoft said.
It’s not surprising that hackers, like people in general, take the easiest path to what they hope will be a big reward.
Phishing can take many forms, though, and some of them are complex. So beware. The most common form, as identified by KnowBe4, is simply spam email. Phishers send the same message to up to millions of users with a request for the recipients to, for example, provide needed information to update an account or to click a link that will take them to a malicious website.
Phishing also comes in other forms:
- Spear phishing is a more targeted variant of general email phishing. Attacks are personalized to the recipient.
- Vishing is short for voice phishing. The phisher requests information by phone.
- Smishing is phishing via Short Messaging Service, or texting.
Wombat makes the point that awareness and knowledge are not the same thing. Knowing that a threat exists isn’t the same as knowing how to recognize and respond to the threat.
The experts all seem to agree that good, ongoing security training of employees is the key to reducing threats posed by phishers.
Download SDN’s three cybersecurity posters, including one on phishing, to help raise cyber awareness at your business.