Evolving ‘Phishing Expeditions’ Increasingly Popular Cyber Tactic
The tried-and-true “phishing” campaigns of yesteryear are evolving. When these attacks first appeared, they aimed to convince users that their bank needed them to log in immediately to deal with an urgent matter, which usually led to the disclosure of passwords or other account information on a fake website made to look like the legitimate bank’s site.
Today, phishing campaigns have turned into a tool for cyber criminals as a way to install malware on a user’s device or corporate network. Phishing today is “a favorite tactic of state-sponsored threat actors and criminal organizations, all with the intent to gain an initial foothold into a network,” according to a new data breach report from Verizon.
The report says that “for two years running” 66 percent of incidents that “comprise the Cyber-Espionage pattern have featured phishing.”
There’s a reason why this stalwart of cyber maleficence has been kept in play for so long: it just works.
The report noted that nearly one in four people presented with a phishing message actually opens the email; another 11 percent of those click on an attachment to the message. However, the report did show a “slight decline” in the number of people actually going to a fake website and disclosing information.
Phishing messages are today typically sent as part of a “campaign,” the report said. For security officials trying to ferret out such campaigns, time is not on their side. According to the report, the median time it took the first target of a phishing campaign to take the bait was one minute.
“Departments such as Communications, Legal, and Customer Service were far more likely to actually open an e-mail than all other departments,” the report said, noting that opening emails is, indeed, a central part of their jobs.
The report noted there’s no guaranteed way to thwart such attacks, but did offer up this plan:
- Better e-mail filtering before messages arrive in user inboxes
- Developing and executing an engaging and thorough security awareness program
- Improved detection and response capabilities
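To make the first and third points of that plan concrete, here is an added example (not from the article or the Verizon report) of a small pre-delivery filter that scores an inbound message on the kinds of signals a mail gateway can check before it reaches an inbox: a Reply-To domain that differs from the From domain, a display name that claims a brand whose domain does not match the sender, an Authentication-Results header reporting an SPF/DKIM/DMARC failure, a risky attachment type, and the urgency language the article describes. The two sample messages, the brand list, the weights and the quarantine threshold are all constructed for illustration; it uses only Python’s standard-library email parser.

```python
"""Heuristic phishing scorer for a mail gateway (added example, constructed data).

Assumptions, none of which come from the article:
- messages are parsed with Python's stdlib `email` module;
- BRANDS maps a display-name phrase to the one domain allowed to use it;
- a score at or above QUARANTINE_THRESHOLD is held back instead of delivered.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

# Phrases that, in a display name, should only come from the listed domain.
BRANDS = {"example bank": "examplebank.example"}  # constructed
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".zip")
URGENCY = re.compile(
    r"\b(urgent|immediately|suspended|verify your account|within 24 hours)\b", re.I
)
QUARANTINE_THRESHOLD = 3


def _domain(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address (empty if none)."""
    email_addr = parseaddr(addr)[1]
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    score, reasons = 0, []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Replies are steered to a different domain than the one that "sent" it.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != from_dom:
        score += 2
        reasons.append(f"Reply-To domain {_domain(reply_to)} != From domain {from_dom}")

    # 2. Display name invokes a brand, but the sender domain is not that brand's.
    for phrase, allowed in BRANDS.items():
        if phrase in display_name.lower() and not (
            from_dom == allowed or from_dom.endswith("." + allowed)
        ):
            score += 2
            reasons.append(f"display name claims '{phrase}' but sender is {from_dom}")

    # 3. Our own MX recorded an SPF/DKIM/DMARC failure for this message.
    auth = msg.get("Authentication-Results", "")
    failed = [m for m in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)
              if m[1].lower() in ("fail", "softfail")]
    if failed:
        score += 2
        reasons.append("authentication failure: " + ", ".join(f"{k}={v}" for k, v in failed))

    # 4. Attachment types commonly used to deliver malware, and 5. urgency wording.
    text = [msg.get("Subject", "")]
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            score += 1
            reasons.append(f"risky attachment {name}")
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text.append(payload.decode("utf-8", errors="replace"))
    if URGENCY.search("\n".join(text)):
        score += 1
        reasons.append("urgency language in subject or body")

    return score, reasons


def classify(raw: str) -> str:
    """Gateway decision: 'quarantine' or 'deliver'."""
    score, _ = score_message(raw)
    return "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"


# Constructed sample messages (not real mail).
PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.example>
Reply-To: support@mailbox-collector.example
To: user@corp.example
Subject: URGENT: your account will be suspended
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=examp1e-bank-login.example; dkim=none; dmarc=fail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please verify your account immediately by opening the attached statement.
--b1
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

BENIGN = """\
From: "Jane Doe" <jane.doe@corp.example>
To: user@corp.example
Subject: Lunch on Thursday?
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Are you free Thursday? Jane
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        s, why = score_message(raw)
        print(f"{label}: score={s} -> {classify(raw)}")
        for r in why:
            print("   -", r)
```

The weights are deliberately coarse: any single strong signal (Reply-To mismatch, brand spoofing, authentication failure) is enough on its own to hold the message, while weak signals such as urgency wording only tip the balance in combination. In a real gateway the reasons list is what you would log, so that the detection-and-response side of the plan can see why a message was held and tune the rules.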
Of course, with no technological silver bullet to rely on, the bottom line defense is… people.
The report quoted Lance Spitzner, Training Director for the SANS Securing The Human program, on the issue of dealing with people. “One of the most effective ways you can minimize the phishing threat is through effective awareness and training,” Spitzner said. “Not only can you reduce the number of people that fall victim to (potentially) less than 5 percent, you create a network of human sensors that are more effective at detecting phishing attacks than almost any technology.”