The Anti-Phishing Working Group (APWG) is an organization established in 2003 to monitor phishing threats, share data to better protect consumers and businesses, and unify the global response to cybercriminal activity. In a May 2016 phishing activity report, the APWG identified a 250% increase in phishing websites over the previous six months.
Nearly half of the new websites (42.71%) had been set up to target online consumers, but a significant number of phishing threats were directed towards the financial sector (18.67%) and the payment service industry (14.74%). More than half a million emails containing malicious links to these websites and malware-infected attachments were reported to the APWG in the first three months of the year.
Definition of a Phishing Threat
The definition of a phishing threat is any attempt to fraudulently solicit personal information from an individual or organization, or any attempt to deliver malicious software (malware), by posing as a trustworthy organization or entity. Threats are most commonly delivered by email, as in the online banking example given below, but they can also manifest as advertisements on genuine websites that have had security vulnerabilities exploited.
The definition of a phishing threat given above differs slightly from the definition provided by the United States Computer Emergency Readiness Team (US-CERT). That organization's definition of a phishing threat implies that phishing attacks are always the result of social engineering. This is not necessarily the case, as some attacks – such as “watering hole” attacks – have become so sophisticated that social engineering is not always necessary for cybercriminals to extract sensitive data or install malware.
Current Phishing Threats
Phishing Threats to Employers
Regardless of whether an employee is doing their online banking or research for a work project, if they access a fake phishing website from their work computer and download executable malware, the organization's entire network could be infected. Depending on the nature of the malware, data could be compromised, stolen, or encrypted into a format that makes it unusable until a ransom is paid.
Phishing Threats to Data
Phishing threats to data apply whether an employee is responding to a phishing email about their bank account or to any account that requires a login and password – not just e-commerce websites, but also personal email and social media accounts. The consequences of a successful phishing attack on an organization may take years to become apparent, which is why phishing threats to data should be taken seriously and measures implemented to manage the threats.
Spear Phishing Threats
Spear phishing threats are often more successful than random phishing threats because the victim(s) are specifically targeted by the cybercriminal. The attacker finds personal details of their victim (such as those that appear on social media profiles) and creates a convincing phishing email that appears realistic because of its content. The Symantec report revealed that spear phishing attacks increased by 55% over the past year – implying that they are being executed successfully.
The delivery of ransomware via email is the most serious of all current phishing threats. Ransomware is the easiest form of malware to monetize and, in the first quarter of 2016, $209 million was reportedly paid to cybercriminals to unlock network systems crippled by a ransomware infection. To put the volume of successful attacks into context, the average ransom demand made during the first quarter of the year was just $679.
Managing Phishing Threats in an Organization
With there being so many different and sophisticated types of phishing attacks, managing phishing threats in an organization is a colossal task. Technology can help manage threats to a degree, but enough phishing emails avoid detection to make the activity of phishing still worthwhile for cybercriminals.
Simulation Makes Perfect
How can you effect lasting changes in user behavior around phishing threats? Rather than rote training, engaging users by simulating real-life phishing threats drives the point home. Just as fighter pilots train in flight simulators, users can learn by experiencing a simulated phishing threat in a controlled environment.
Mixing an occasional simulated phishing threat into users’ regular email teaches them to stay alert and spot suspicious emails. Whether they click on the simulated phish, or spot and report it to incident responders, the experience is much more likely to leave a mark compared to sitting through a lecture about security.
Users experience phishing threats in terms of how they look and act – how a malicious payload infiltrates a system, spreads across the network, disrupts operations, and steals data. Next time, they will be more attuned to a suspicious email, immediately reducing the risk that a phishing threat succeeds.
Knowing is Not Enough – See Something, Say Something
Recognition is the first step in the battle against phishing threats. Conditioning users to identify phishing emails will reduce the chances they will fall for a real phishing threat. However, the chances are, if one employee is receiving phishing emails, others are as well. Organizations must encourage users to report suspicious emails to security or incident response teams.
Users who recognize potential phishing threats provide a valuable source of internal, real-time attack and threat intelligence. When they report suspicious emails, incident responders obtain information that they would not otherwise have, or would have received too late. This internal ‘crowdsourcing’ is especially beneficial with phishing, since it’s the most common attack method. Now, you can leverage the last line of defense – your internal sensors – to quickly see and respond to attacks in progress.
Overloading the SOC
A natural complication of internal reporting is that it can overwhelm IT security teams with potentially harmful emails. Being able to quickly “Respond and Research” these reported attacks is critical to lessening the chance of a breach from a phishing email.
Employee-sourced reports on attacks in progress provide the incident response (IR) team and security operations analysts with the information needed to rapidly respond to potential phishing attacks and mitigate the risk from those that may fall prey to them. Being able to sort, assess and respond quickly is critical to stopping a phishing breach.
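One way to keep a flood of employee reports sortable, as an added example that is not part of the original article or the PhishMe platform: cluster reports into campaigns by sender domain and linked hosts, then rank campaigns by how many distinct employees reported them. The reporters, senders and hosts below are constructed placeholders.

```python
"""Triage of employee-reported suspicious emails (added example, not PhishMe code).

Reports are grouped into campaigns by (sender domain, linked hosts) so that
twenty copies of one lure become one work item, ranked by distinct reporters."""
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed sample reports; all names and domains are hypothetical.
REPORTS = [
    {"reporter": "alice", "sender": "Alerts <alerts@bank-secure.example>",
     "subject": "Verify your account", "body": "Confirm at http://bank-secure.example/login now"},
    {"reporter": "bob", "sender": "alerts@bank-secure.example",
     "subject": "RE: Verify your account", "body": "http://bank-secure.example/login?u=bob"},
    {"reporter": "alice", "sender": "alerts@bank-secure.example",
     "subject": "Verify your account", "body": "Confirm at http://bank-secure.example/login"},
    {"reporter": "carol", "sender": "hr@payroll-update.example",
     "subject": "Updated payslip", "body": "See https://files.payroll-update.example/doc.php"},
    {"reporter": "dave", "sender": "newsletter@vendor.example",
     "subject": "Monthly news", "body": "Read more at https://vendor.example/news"},
]

def sender_domain(sender):
    """Return the lowercase domain from 'Name <user@domain>' or 'user@domain'."""
    addr = sender.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()

def link_hosts(body):
    """Extract the distinct, sorted hostnames linked in the message body."""
    return tuple(sorted({urlparse(u).hostname.lower()
                         for u in URL_RE.findall(body) if urlparse(u).hostname}))

def campaign_key(report):
    return (sender_domain(report["sender"]), link_hosts(report["body"]))

def triage(reports):
    """Cluster reports into campaigns; rank by distinct reporters, then by volume."""
    campaigns = defaultdict(lambda: {"reporters": set(), "subjects": set(), "reports": 0})
    for r in reports:
        c = campaigns[campaign_key(r)]
        c["reporters"].add(r["reporter"])
        c["subjects"].add(r["subject"])
        c["reports"] += 1
    ranked = sorted(campaigns.items(),
                    key=lambda kv: (-len(kv[1]["reporters"]), -kv[1]["reports"]))
    return [{"sender_domain": k[0], "link_hosts": list(k[1]),
             "distinct_reporters": len(v["reporters"]), "reports": v["reports"],
             "subjects": sorted(v["subjects"])} for k, v in ranked]

if __name__ == "__main__":
    for item in triage(REPORTS):
        print(item)
```

The same sender domain reported by two people under two subjects collapses into one top-ranked campaign, while a single report from one reporter sorts below it.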
Ultimately, an end-to-end phishing threat mitigation approach is a critical foundation of any security program’s threat management strategy. Instead of being the target, the workforce becomes a set of cybercrime sensors – sounding the alarm and keeping the organization safe.
End-to-End Phishing Mitigation from PhishMe
PhishMe is a testament to this working process. PhishMe has conditioned its own workforce to recognize and report phishing attempts – gathering phishing attack intelligence from its entire employee base. By analyzing these emails, PhishMe has avoided compromise and has discovered and published malware samples well before other leading threat intelligence providers. Most notably, PhishMe publicly disclosed the Dyre malware Trojan 10 days before the next leading threat intelligence provider. The sample was included in a phishing email sent to PhishMe’s VP of Finance.
Even with record investments, the number of breaches attributed to phishing attacks continues to grow. It’s obvious that technology alone can’t solve the problem. That’s why PhishMe solutions focus on engaging the human – your last line of defense after a phish bypasses other technology – for better prevention and response.
PhishMe’s comprehensive human phishing defense platform focuses on fortifying employees and enabling incident response teams to quickly analyze and respond to targeted phishing attacks.