The Anti-Phishing Working Group (APWG) is an organization established in 2003 to monitor phishing threats, share data to better protect consumers and businesses, and unify the global response to cybercriminal activity. In the organization's most recent Phishing Activity Report (July 2018), the APWG identified a 46% increase in phishing websites over the previous quarter.
During the three months of phishing activity on which the report was based, the organization detected 263,538 new phishing websites – half of which had .com suffixes, and a third of which had SSL certificates to give the impression they were secure sites. Phishing threats to data were highest in the payments processing industry, with other highly-targeted industries including:
- Payments Processing 39.4%
- SaaS / Webmail 18.7%
- Financial Institutions 14.2%
- Cloud Storage / File Hosting 11.3%
- Other 16.4%
Definition of a Phishing Threat
The definition of a phishing threat is any attempt to fraudulently solicit personal information from an individual or organization, or any attempt to deliver malicious software (malware), by posing as a trustworthy organization or entity. Threats are most commonly delivered by email, as in the online banking example given below, but they can also manifest as advertisements on genuine websites that have had security vulnerabilities exploited.
The definition of a phishing threat given above differs slightly from the definition provided by the United States Computer Emergency Readiness Team (US-CERT). That organization's definition of a phishing threat implies that phishing attacks are always the result of social engineering. This is not necessarily the case, as some attacks – such as “watering hole” attacks – have become so sophisticated that social engineering is not always necessary for cybercriminals to extract sensitive data or install malware.
Current Phishing Threats
Phishing Threats to Employers
Regardless of whether an employee is doing their online banking or research for a work project, if they access a fake phishing website from their work computer and download executable malware, the organization's entire network could be infected. Depending on the nature of the malware, data could be compromised, stolen or encrypted into a format that makes it unusable until a ransom is paid.
Phishing Threats to Data
Phishing threats to data apply whether an employee is responding to a phishing email about their bank account or to any account that requires a login and password – not just e-commerce websites, but also personal email and social media accounts. The consequences of a successful phishing attack on an organization may take years to become apparent, which is why phishing threats to data should be taken seriously and measures implemented to manage the threats.
Spear Phishing Threats
Spear phishing threats are often more successful than random phishing threats because the victims are specifically targeted by the cybercriminal. The attacker finds personal details of their victim (such as those that appear on social media profiles) and creates a convincing phishing email that appears realistic because of its content. The massive data breaches at Target, Anthem and Sony Pictures have all been attributed to successful spear phishing attacks.
The delivery of ransomware via email is one of the most serious of all current phishing threats. Ransomware is the easiest form of malware to monetize and there has been a noticeable increase in ransomware attacks on mobile devices (up 1,300% in 2017) and on cloud-based applications which get shared with internal and external users (44% of cloud malware types make up the most common delivery vehicles for ransomware).
Managing Phishing Threats in an Organization
With so many different and sophisticated types of phishing attacks, managing phishing threats in an organization is a colossal task. Technology can help manage threats to a degree, but enough phishing emails avoid detection to make phishing still worthwhile for cybercriminals.
Simulation Makes Perfect
How can you effect lasting changes in user behavior around phishing threats? Rather than rote training, engaging users by simulating real-life phishing threats drives the point home. Just as fighter pilots train in flight simulators, users can learn by experiencing a simulated phishing threat in a controlled environment.
Mixing an occasional simulated phishing threat into users’ regular email teaches them to stay alert and spot suspicious emails. Whether they click on the simulated phish, or spot and report it to incident responders, the experience is much more likely to leave a mark compared to sitting through a lecture about security.
Users experience phishing threats in terms of how they look and act – how a malicious payload infiltrates a system, spreads across the network, disrupts operations, and steals data. Next time, they will be more attuned to a suspicious email, thus immediately reducing the risk of phishing threat success.
Knowing is Not Enough – See Something, Say Something
Recognition is the first step in the battle against phishing threats. Conditioning users to identify phishing emails will reduce the chances they will fall for a real phishing threat. However, the chances are, if one employee is receiving phishing emails, others are as well. Organizations must encourage users to report suspicious emails to security or incident response teams.
Users who recognize potential phishing threats provide a valuable source of internal, real-time attack and threat intelligence. When they report suspicious emails, incident responders obtain information that they would not have otherwise received, or received too late. This internal ‘crowdsourcing’ is especially beneficial with phishing, as it’s the most common attack method.
Overloading the Security Operations Center
A natural complication of internal reporting is that it can overwhelm security teams with potentially harmful emails and false positives. Being able to quickly identify which reports are more reliable than others is critical to lessening the chance of a breach from a phishing email, and is a factor when implementing a solution to mitigate phishing threats.
Employee-sourced reports on attacks in progress provide incident response teams and security operations analysts with the information needed to rapidly respond to potential phishing attacks and mitigate the risk from those that may fall prey to them. Being able to sort, assess and respond quickly is critical to stopping a phishing breach and mitigating business disruption.
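One way to do the sorting described above, as an added example (not Cofense's product logic or code from this page): reports of the same email are grouped into campaigns, and each campaign is scored by its reporters' track record in phishing simulations. The reliability formula, field names and sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed simulation history per user: (simulated phish reported, simulated phish clicked).
SIM_HISTORY = {
    "alice": (9, 1),
    "bob": (1, 7),
    "carol": (4, 0),
}

# Constructed user reports arriving at the SOC mailbox.
REPORTS = [
    {"reporter": "bob", "sender": "news@shop.example", "subject": "Weekly deals"},
    {"reporter": "alice", "sender": "it@payro11.example", "subject": "RE: Update your payroll details"},
    {"reporter": "carol", "sender": "it@payro11.example", "subject": "Update your payroll details"},
    {"reporter": "dave", "sender": "hr@corp.example", "subject": "Holiday schedule"},
]

def reliability(user):
    """Laplace-smoothed share of simulations the user reported rather than clicked (assumed metric)."""
    reported, clicked = SIM_HISTORY.get(user, (0, 0))  # users with no history score 0.5
    return (reported + 1) / (reported + clicked + 2)

def campaign_key(report):
    """Group reports of one campaign: sender domain plus subject without RE:/FW: prefixes."""
    domain = report["sender"].rsplit("@", 1)[-1].lower()
    subject = re.sub(r"^((re|fw|fwd):\s*)+", "", report["subject"].strip(), flags=re.I)
    return domain, subject.lower()

def triage(reports):
    """Return campaigns sorted by the chance that at least one reporter is right."""
    reporters = defaultdict(set)
    for r in reports:
        reporters[campaign_key(r)].add(r["reporter"])  # a set counts each reporter once
    queue = []
    for key, users in reporters.items():
        miss = 1.0
        for u in users:
            miss *= 1.0 - reliability(u)  # probability every reporter is wrong
        queue.append({"campaign": key, "reporters": sorted(users), "score": round(1.0 - miss, 3)})
    return sorted(queue, key=lambda c: c["score"], reverse=True)

if __name__ == "__main__":
    for item in triage(REPORTS):
        print(item)
```

The two independent reports from users with a strong simulation record push the payroll-themed campaign to the top of the queue, ahead of single reports from unknown or click-prone users.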
Ultimately, an end-to-end phishing threat mitigation approach is a critical foundation to any security program’s threat management strategy. Instead of just being the target, the workforce becomes cybercrime sensors – sounding the alarm and keeping the organization safe by providing the information SOCs need for managing phishing threats quickly and effectively.
End-to-End Phishing Mitigation from Cofense
Cofense is a testament to this working process. Cofense has conditioned our own workforce to recognize and report phishing attempts – gathering phishing attack intelligence from our entire employee base. By analyzing these emails, Cofense has avoided compromise, and has discovered and published malware samples well before other leading threat intelligence providers.
Even with record investment in cybersecurity, the number of breaches attributed to phishing attacks continues to grow. It’s obvious that technology alone can’t solve the problem. That’s why Cofense solutions focus on engaging the human – your last line of defense after a phish bypasses other technology – for better prevention and response.