Although phishing attacks and scams have been around for many years and regularly make headlines, they continue to proliferate in late 2017 because users keep falling for them.
Phishing scams can lead to identity theft or the loss of critical and sensitive company data when users hand their security credentials to malicious actors. As National Cyber Security Awareness Month continues, business and IT leaders need to rethink their approaches to phishing.
Beyond user training — don’t click on that suspicious link! — companies can turn to new and emerging cybersecurity tools, including ones that use automation. These tools can help mitigate the threat of phishing, which users still need to combat with training, protection and backup strategies.
Malicious online actors use phishing scams, essentially social engineering and psychological tactics, to execute a kind of identity theft. By using fraudulent websites and false emails, perpetrators attempt to steal personal data, most commonly passwords and credit card information. Most often, the email will appear to come from a legitimate sender but will contain an embedded link or attachment that, if the user clicks on it, leads to a credential-harvesting page or delivers malware.
Phishing Scams Persist in 2017
Phishing attacks are a growing problem, not a shrinking one. According to the Anti-Phishing Working Group, a global consortium of companies formed in 2003 to combat phishing, in the first half of 2017, there was an average of 98,722 unique phishing email reports (campaigns) per month. That is up from 76,417 in the third quarter of 2016 and 70,344 in the fourth quarter of 2016.
Recent phishing scams have targeted users around the world. In late September, cybercriminals sent fake secure messages from banks to get unsuspecting users to click on links that delivered malware, ZDNet reports. A few days later, reports emerged about hackers using Netflix as a hook to get users to turn over credit card info.
In early October, cybersecurity researchers at Palo Alto Networks’ Unit 42 discovered a phishing scam they dubbed “FreeMilk” that targets users with “carefully crafted decoy content customized for each target recipient.”
Hackers are intercepting legitimate email conversations between individuals and hijacking them to spread malware to corporate networks, using highly customized phishing messages designed to look as if they are a continuation of the existing thread. The target still believes they are in contact with the person they were originally messaging, but in fact they have fallen victim to a highly targeted attack and may have infected their network by opening a malicious attachment.
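The thread-hijacking attack described above leaves a few signals a mail gateway or SOC script can check on every message that claims to be a reply: the sender is not one of the thread's prior participants (often a lookalike of their domain), a Reply-To header redirects answers somewhere else, or the "continuation" carries a macro-enabled or executable attachment. The following is an added example written for this page, not code from Unit 42, ZDNet or any product mentioned here; the sample messages, the participant list and the threshold of two character edits for a lookalike domain are constructed assumptions.

```python
"""Flag replies in an email thread whose sender or attachments deviate from the thread so far.

Added illustration; the messages and participant list below are constructed, not captured data.
"""
import email
import os
from email import policy
from email.utils import parseaddr

# Attachment types commonly used to deliver malware via "continued" conversations (assumption).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".docm", ".xlsm", ".pptm"}
LOOKALIKE_MAX_EDITS = 2  # assumed threshold: 1-2 character changes usually mean a lookalike domain


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address such as 'Name <user@host>'."""
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains like examp1e.com vs example.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_reply(raw_message: str, thread_participants: list) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))
    known = {p.lower() for p in thread_participants}
    known_domains = {domain_of(p) for p in thread_participants}

    # 1. A reply from an address that never took part in the thread.
    if is_reply and sender not in known:
        sender_domain = domain_of(sender)
        lookalikes = [d for d in known_domains
                      if d != sender_domain and edit_distance(d, sender_domain) <= LOOKALIKE_MAX_EDITS]
        if lookalikes:
            findings.append(f"sender domain {sender_domain} looks like thread domain {lookalikes[0]}")
        else:
            findings.append(f"sender {sender} is not a prior participant in this thread")

    # 2. Replies silently redirected to a third address.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings.append(f"Reply-To {reply_to} points to a different domain than From {sender}")

    # 3. Attachment types that can execute code when opened.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} has risky type {ext}")
    return findings


# Constructed thread: Alice at example.com and Bob at corp.test have been exchanging invoices.
THREAD_PARTICIPANTS = ["alice@example.com", "bob@corp.test"]

BENIGN_REPLY = """\
From: Alice Example <alice@example.com>
To: bob@corp.test
Subject: Re: Q3 invoice
In-Reply-To: <original-123@example.com>
Content-Type: text/plain

Thanks Bob, I will send the corrected version tomorrow.
"""

# Constructed hijacked reply: lookalike domain, redirected Reply-To, macro-enabled document.
HIJACKED_REPLY = """\
From: Alice Example <alice@examp1e.com>
To: bob@corp.test
Subject: Re: Q3 invoice
In-Reply-To: <original-123@example.com>
Reply-To: alice.example@mail-relay.test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Hi Bob, the corrected invoice is attached as discussed.
--XYZ
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBBQ=
--XYZ--
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_REPLY), ("hijacked", HIJACKED_REPLY)):
        print(label, analyze_reply(raw, THREAD_PARTICIPANTS) or "no findings")
```

The benign reply produces no findings; the hijacked one produces three (lookalike domain, redirected Reply-To, macro-enabled attachment). In production the participant list would come from the mail store's view of the thread rather than a literal, and a single finding is a reason to hold the message for review, not proof of compromise.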
How to Combat Modern Phishing Attacks
Given the continued proliferation of phishing, what can businesses do to fight back? Kevin O’Brien, CEO of GreatHorn, which provides next-generation anti-phishing and email security solutions, argues to CSO Online that training is not enough because fake emails have become so sophisticated that they look like legitimate ones even to users who have undergone social engineering or anti-phishing training.
Email remains the most common way of reaching people in the business world, O’Brien notes, and users who are constantly checking email are unlikely to take a lot of care when opening or responding to messages flooding their inboxes. “When stressed-out, overwhelmed people with emails all over the place try to make complex decisions on a continuous basis, it’s inevitable that mistakes will happen,” he says to CSO Online. “We're only human, after all.”
Automation tools could help combat phishing, O’Brien says, since “the threat surface is growing, and cybercriminals are becoming more sophisticated.” He adds that the volume of the attacks is “dramatically outpacing even the world’s largest security teams’ ability to keep up.”
Organizations need more visibility into their risk profiles and the cybersecurity threats they face, O’Brien says. “Through the use of automation tools, security leaders can help their teams more efficiently manage the overwhelming number of alerts and potential vulnerabilities they face on a daily basis,” he says. “Programmatically remediating low-level threats enables staff to prioritize investigation of critical threats that require human judgment.”
Other companies are giving organizations more tools to fight phishing. Google, for example, “has updated its Safe Browsing technology to warn users when they visit a new phishing page that hasn't existed long enough to be detected by Safe Browsing as a known phishing site,” ZDNet reports.
And, as Wired adds, users should not forget some cardinal rules of anti-phishing. Users should “always, always think twice before clicking” on suspicious emails and links, consider the source of a message and always back up data in case they do fall for a scam. Users should also turn on multifactor authentication and use a password manager or similar tool that generates strong, random passwords.
“If there was a silver bullet, if there was that piece of technology, a plugin, some email filter that could actually stop phishing attacks, we would be out of business,” Aaron Higbee, CTO at the phishing research and defense company PhishMe, tells Wired. “But the core of this problem is human intuition and insight.”