Why Phishing Is Still Your Number One Security Foe

April 3, 2018

91% of cyberattacks start with a phishing email. Why are they still so prevalent – and successful? It seems like every day another high-ranking employee falls for a scam and loses millions in company money.

How long have security experts been fighting phishing attacks? How much damage can they cause? And how can you make sure that your organization doesn’t fall prey? Read on to discover how phishing has affected businesses – both small and large, and what innovative approaches organizations are taking to mitigate the risk of a successful scam.

Where it all started

While phishing can be traced back as far as the 1990s, one of the first documented attacks took place in 2003. Nancy Boyle woke up one morning only to discover that $1,800 had been stolen from her bank account, along with an $800 credit card charge for escort services that she had never ordered. As it turned out, Boyle and her husband, who owned a window treatment business, were the victims of a phishing attack.

It started when Mrs. Boyle received an email that appeared to be from Bank One, warning her that she had to update her information or else her bank account would be suspended. She clicked the link in the email and entered her information on what appeared to be a legitimate website. After that, the couple’s money disappeared.

Shortly after the email from the bank, Mrs. Boyle received a message that appeared to come from eBay. It also urged her to verify her details, due to potential fraudulent activity on her account. She entered her bank account number, Social Security number and her mother’s maiden name.

After the couple discovered the missing money, the police investigated the scam, but the trail went cold after investigators traced the attacker to somewhere in Egypt. While the Boyles were left wiser to the dangers of the Internet, they did not recover their money.

According to the Anti-Phishing Working Group, in the first half of 2004, the number of unique phishing attacks increased by more than 800% — going from 176 in January to 1,422 in June. In a 2003 report, the FTC said the average loss per identity theft incident was around $500.

How far it can go

It’s not just your average Joe falling for phishing scams. Top executives in companies are targeted every day. You’d probably think that no C-level executive worth their salt would fall for such a scam – after all, sharp critical-thinking skills should be a basic requirement of any high-level job.

Obviously, not all CEOs are created equal, but one definitely takes the cake in terms of gullibility. In 2016, FACC, an aircraft parts manufacturer, fired Walter Stephan, its CEO of 17 years, after he fell for a phishing attack and lost $56.97 million of the company’s money. According to Reuters, a hacker impersonating Stephan sent another employee an email requesting a money transfer for a fake acquisition project.

Why it’s still successful

Clearly, anyone can fall for a phishing attack. But what makes it so successful?

Phishing relies more on social engineering than on advanced programming knowledge: it takes advantage of human curiosity, fear, or the hope of a reward or recognition. Most phishing emails are disguised as requests to update data for services the victim uses, or as offers, prizes and so on. They usually aim to create a sense of urgency, so the victim doesn’t take the time to look closely at what is going on. The fake login pages users are taken to are made to look legitimate unless subjected to fairly serious scrutiny – something people who think they’ve just been hacked do not take the time for. The good news is that there is always a giveaway, whether it’s the email sender, the login page URL, or language anomalies (differences in tone from official emails, grammar mistakes, strange formatting such as excessive capitals, etc.).
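As an added illustration of the giveaways listed above (this is not code from the original article), the following Python script scores a constructed message against them: a display name that claims a brand the sender domain does not match, a digit-swapped lookalike domain, a login link that points off-brand or is not HTTPS, urgency wording, and excessive capitals. The brand name, the placeholder legitimate domain `bankone.example` and the sample message are assumptions; tone and grammar anomalies are left to the human reader.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the "Bank One" lure described in the article;
# the domains are placeholders, not real infrastructure.
SAMPLE_EMAIL = """\
From: "Bank One Security" <alerts@bank0ne-verify.example>
To: customer@example.org
Subject: URGENT: your account will be SUSPENDED within 24 hours

Dear valued customer,
We detected unusual activity. You must update your details IMMEDIATELY
or your account will be suspended: http://bank0ne-verify.example/login
"""

URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours")
# Digit-for-letter swaps commonly used in lookalike domains (0->o, 1->l, 5->s).
HOMOGLYPHS = str.maketrans("015", "ols")


def is_lookalike(domain, brand):
    """True when the domain only spells the brand after undoing digit swaps."""
    compact = brand.replace(" ", "").lower()
    return compact not in domain and compact in domain.translate(HOMOGLYPHS)


def score_message(raw, brand, legit_domain):
    """Return (count, findings) for the giveaways: sender, link, urgency, caps."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    domain = sender.domain.lower()
    text = msg["Subject"] + "\n" + msg.get_content()
    findings = []
    if brand.lower() in sender.display_name.lower() and domain != legit_domain:
        findings.append(f"display name claims {brand} but sender domain is {domain}")
    if is_lookalike(domain, brand):
        findings.append(f"sender domain {domain} is a lookalike of {brand}")
    for url in re.findall(r'https?://[^\s<>"]+', text):
        parsed = urlparse(url)
        if (parsed.hostname or "") != legit_domain:
            findings.append(f"link host {parsed.hostname} is not {legit_domain}")
        if parsed.scheme != "https":
            findings.append(f"login link is not HTTPS: {url}")
    urgency = [w for w in URGENCY_WORDS if w in text.lower()]
    if urgency:
        findings.append("urgency cues: " + ", ".join(urgency))
    shouting = re.findall(r"\b[A-Z]{4,}\b", text)
    if len(shouting) >= 2:
        findings.append("excessive capitals: " + ", ".join(shouting))
    return len(findings), findings


if __name__ == "__main__":
    count, hits = score_message(SAMPLE_EMAIL, "Bank One", "bankone.example")
    print(f"phishing indicators found: {count}")
    for hit in hits:
        print(" -", hit)
```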

One big weakness in account security – and a boon for cybercriminals – is the wide availability of personal information on social media. Many people share everything online to the point of irresponsibility: home addresses, financial services they’re subscribed to, and so on. A hacker might even be able to profile a victim based on whether they enter giveaways by sharing posts, for example; such people would be more susceptible to an email telling them that they’ve won a prize.

What you can do about it

Realistically, chances are phishing will always be a risk for your company. Humans are emotional creatures, and adding potential tiredness or stress to that mix can certainly lead to people clicking on the wrong link.

Aside from training sessions on how to spot phishing, there’s another, more practical approach you can take. Lily Hay Newman from Wired gave Cofense (formerly PhishMe) CEO Aaron Higbee permission to try to trick her into clicking on a malicious link or downloading an infected attachment. It’s a good way to induce hyper-vigilance and learn to spot a phishing attempt. You can check out the original article to see how her experiment panned out, but what’s of interest for enterprises is the company’s Cofense PhishMe Certification for phishing simulation programs. This program empowers your employees to be your last line of defense by preparing them to recognize and resist malicious phishing attempts. Instead of showing your employees examples of phishing emails and hoping that they’re paying attention, you can simulate real-life phishing attacks so they can learn by doing.

In the end, our human nature is what makes us vulnerable to phishing. That means that phishing and other similar attacks will continue to evolve and haunt businesses in the years to come. Your best bet? Educate your workforce by any means possible on how to recognize such scams and make your greatest liability a part of your defense.