Phishing attacks on the rise


It’s no surprise that phishing attacks remain among the most effective. By some estimates, phishing (specifically highly-targeted spear-phishing attacks) is how 91% of digital attacks are initiated.

Even business and security leaders — those who clearly should know better — admit to being fooled. In our post, The high risk of data loss associated with employees, we cited a Code42 survey that found 54% of IT decision-makers and 46% of business decision-makers admitted that they clicked on links they shouldn’t have. Even CSOs and CEOs weren’t immune, with 78% and 65%, respectively, admitting that they also clicked on links that were better left alone.

Recent data from Microsoft shows the average percentage of inbound emails that are phishing attacks doubled over the past year, from 0.31% in September 2018 to 0.62% in September 2019. While that may appear to be a small number, it only takes one successful attack to potentially compromise an endpoint — from there it’s up to other defenses such as anti-malware, anomaly detection, and other less-than-foolproof controls to contain the breach.

In the Microsoft post, Spear phishing campaigns—they’re sharper than you think, the authors detailed a very realistic scenario where an attacker conducts a little upfront reconnaissance, uncovers positions the company is hiring for and ends up sending an internal job recruiter a maliciously-crafted attachment (that appears to be a legitimate resume) in an email.

If you are an executive, VIP, or employee of a company that is a valuable target (or if you work for a company that is a supplier to a valued target), you are at risk of spear-phishing attacks. In a recent conversation, an executive at a software development company relayed to me how attackers studied his son’s Instagram account to learn what they could about him. After some time, they managed to guess the password to his son’s email account based on his favorite sports team. The attackers then used that access to send an email from his son in an attempt to compromise the executive’s endpoint.

Fortunately for him, the attackers were not successful, but a high percentage of motivated attackers employing techniques like this will be successful.

Microsoft provides a good overview of how to defend your organization against phishing attacks, ranging from user education and good credential management to open lines of communication between staff and security teams and the deployment of defensive security technologies. It’s worth a read.

Comments

  1. One of the reasons I think that phishing is successful is just that it’s embarrassing when someone gets phished. In retrospect it seems so obvious that the email was a phish, and the victim is too embarrassed to admit it.
