What You Don't Know Can Most Certainly Hurt You: The Importance of Phishing Assessments
Every thirty seconds, a phishing attack occurs somewhere in the world. That comes down to 120 attacks per hour. Industry research doesn’t just show that phishing is incredibly common, but also highlights how costly it is, with losses from a single attack averaging $8,850. This means that every hour, $1,062,000(!) is lost to phishing. Even though this makes phishing a massive threat to companies, a recent report shows that over one third (35%) of employees don’t even know what it is.
So what exactly is phishing?
Phishing is a social engineering attack that involves manipulation as well as technological deception (spoofing). The aim of the attacker is to obtain sensitive information from a victim by pretending to be a company or person that the victim trusts. While phishing also happens over the phone, it usually starts with a message sent to the victim by email, SMS or a messaging app. The message, which is made to look like it was sent by a colleague, a famous company, or another trusted entity, typically urges the victim to click on a link in order to solve an issue or claim a reward. The link leads to a legitimate-looking website where the victim is told to enter certain sensitive information, like login credentials or payment card details. If the victim complies, the information they provide is harvested by the attacker, who can use it to commit crimes like cybertheft and identity fraud. The information may also end up for sale on underground marketplaces. In addition to malicious links, phishing messages can contain harmful attachments that enable hackers to access the victim’s computer. Because phishing attacks often represent the first stage of a larger hacking campaign, a successful attack can have far-reaching consequences for organizations, as the following scenario demonstrates.
Phishing scenario: from account verification to data breach
Thursday, 11am. John Doe, an account manager at Dehsihp Inc., is just getting off the phone with a troublemaking contractor. “Crisis averted,” he sighs as he logs into his email account to check if he missed any urgent business during his hour-long call. Fortunately, there seem to be no important messages, except...
“What’s this, did I get hacked?” John whispers to himself when he notices an email from the Microsoft Team with the subject ‘Urgent Action Required.’ He opens the message. It says that Microsoft detected suspicious sign-in activity for his account and that he needs to verify the account urgently. Thinking that some hacker must have been trying to break into his business email, John quickly clicks on the provided link and enters his login credentials on the website that opens up. He doesn’t doubt the authenticity of the page because it has the official Microsoft logo and matching design, the URL contains the word ‘Microsoft’, and a padlock in front of the address bar shows the connection is secure.
Six months later, Dehsihp Inc. discovers that millions of records containing sensitive customer data were compromised in a massive data breach that was the result of a sophisticated cyberattack. The attack began with a phishing campaign targeting multiple employees, including an account manager named John Doe.
Phishing on the rise, awareness training falls short
Given the fact that a single phishing attack can spell disaster for a company, it is very worrisome that most employees are exposed to phishing attacks on a daily basis. A report by Avanan indicates that 1 out of every 99 emails received by employees is a phishing scam, which means the average staff member is targeted by almost five phishing scams every work week. And yet companies rarely provide adequate security awareness training to prevent employees from falling for phishing attacks.
According to a Mimecast survey, only 45% of organizations have a cybersecurity training program that is mandatory for all staff, while another 10% of firms provide optional training. These numbers are far from impressive, but things get even worse when the frequency and quality of training sessions are taken into account. A mere 6% of businesses offer monthly training sessions and 4% have a quarterly program, which means that 90% of firms that have a security awareness program offer fewer than 4 training sessions a year. Another 9% of companies only train individuals when they join the organization. Moreover, in 33% of cases, the “training” involves nothing more than the distribution of a list of tips and reminders. Other common approaches are proactively informing staff members about safe and unsafe links (30%) and showing best-practices videos (28%).
This depressing state of affairs explains why a recent study found that 83% of organizations experienced phishing attacks last year, up from 76% the year before. Targeted phishing scams, known as spear phishing, are especially dangerous because they can be very hard to spot, even by experienced users. These attacks impacted 64% of firms. While not every attack is equally devastating, the stakes are high and the rise of phishing is fueling a surge of compromised accounts. Last year, phishing attacks led to account compromise in 65% of companies, a 70% increase over 2017. About half (49%) of organizations had their systems infected with malware and nearly one-fourth (24%) experienced data loss due to phishing.
What can you do to protect your organization?
Uninformed staff represent a major security liability, but a proper anti-phishing strategy can establish employees as the first line of defense. This requires far more than hanging a list of standard tips in the break room or providing passive training.
As a first step, organizations need to make sure that the information they provide is up to date. Because phishing attacks are getting increasingly sophisticated, some common tips for spotting them are becoming unreliable. For instance, people are often told to check whether a website uses HTTPS instead of HTTP and whether there is a “secure” padlock in front of the address bar. While it is prudent to avoid websites that lack HTTPS or a padlock, users should know that cybercriminals are increasingly adding these “security features” to their malicious sites, as the FBI warned earlier this year. The padlock only tells the user that the connection to the site is encrypted, not that the site belongs to the organization it imitates.
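To make the point concrete, here is an added example (not code from the original post or from Vonahi) that evaluates a URL the way the scenario above shows John should have: the verdict depends only on whether the hostname is a genuine domain of the impersonated brand, while HTTPS and the presence of the brand name anywhere in the URL are recorded but carry no weight. The list of genuine Microsoft sign-in domains and the lookalike URLs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Genuine domains for the impersonated brand. Assumed for this example; a real
# deployment would maintain such a list for every brand it wants to protect.
GENUINE_DOMAINS = {"microsoft": ("microsoft.com", "microsoftonline.com", "live.com")}


def host_matches(host, genuine):
    """True if host is exactly the genuine domain or a subdomain of it.

    A dotted suffix match rejects "microsoft.com.evil.example", which merely
    starts with the genuine name, and "notmicrosoft.com", which merely ends with it.
    """
    return host == genuine or host.endswith("." + genuine)


def assess_url(url, brand):
    """Return the cosmetic signals users are told to check and the real verdict.

    'https' and 'brand_in_url' are the cues from the scenario; 'verdict' ignores
    them and looks only at whether the hostname belongs to the brand.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    genuine = any(host_matches(host, g) for g in GENUINE_DOMAINS[brand])
    return {
        "host": host,
        "https": parts.scheme == "https",
        "brand_in_url": brand in url.lower(),
        "brand_in_host": brand in host,
        "genuine_host": genuine,
        "verdict": "legitimate" if genuine else "lookalike",
    }


if __name__ == "__main__":
    # Constructed sample URLs: one genuine sign-in page and two lookalikes that
    # both use HTTPS (padlock shown) and both contain the word "microsoft".
    samples = [
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://account-microsoft-verify.example/login?id=1",
        "https://microsoft.com.security-check.example/",
    ]
    for url in samples:
        result = assess_url(url, "microsoft")
        print(f"{result['verdict']:10} https={result['https']} "
              f"brand_in_url={result['brand_in_url']} host={result['host']}")
```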
Training sessions should be interactive and must be supplemented with phishing tests that simulate attacks to check if employees are actually applying what they have learned about spotting suspicious emails. It is crucial that the results of phishing tests are carefully analyzed and used to maximize the effectiveness of the security awareness program.
This is why Vonahi’s proprietary phishing platform vPhish not only allows organizations to carry out phishing simulations, but also provides detailed information showing which employees interacted with phishing messages, when, and in what way. In addition, vPhish shows statistics on the impact of tests and identifies users that keep falling for simulated scams. This enables companies to optimize their training content and prioritize users or departments that represent the biggest risk, so that the John Does within their ranks become known as John Doesn’t-Click-on-Phishing-Links.
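The kind of analysis described above, as an added example that is not vPhish or Vonahi code: a constructed event log from three simulated campaigns is aggregated into per-department click rates, a list of users who fell for more than one campaign, and the departments that should be prioritized for training. The users, departments and campaign names are invented for the example.

```python
from collections import Counter, defaultdict

# Constructed results of three simulated campaigns, one record per delivered
# message: (campaign, user, department, highest action taken). Actions escalate:
# delivered < opened < clicked < submitted (credentials entered on the landing page).
EVENTS = [
    ("Q1", "jdoe", "Sales", "submitted"),
    ("Q1", "asmith", "Sales", "clicked"),
    ("Q1", "bwong", "Finance", "opened"),
    ("Q1", "clee", "Engineering", "delivered"),
    ("Q2", "jdoe", "Sales", "clicked"),
    ("Q2", "asmith", "Sales", "opened"),
    ("Q2", "bwong", "Finance", "clicked"),
    ("Q2", "clee", "Engineering", "delivered"),
    ("Q3", "jdoe", "Sales", "submitted"),
    ("Q3", "asmith", "Sales", "delivered"),
    ("Q3", "bwong", "Finance", "opened"),
    ("Q3", "clee", "Engineering", "clicked"),
]
RISKY = {"clicked", "submitted"}  # opening alone is not counted as a failure


def department_click_rates(events):
    """Fraction of delivered simulations per department that ended in a click or submission."""
    sent, risky = Counter(), Counter()
    for _, _, dept, action in events:
        sent[dept] += 1
        if action in RISKY:
            risky[dept] += 1
    return {dept: risky[dept] / sent[dept] for dept in sent}


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked or submitted in at least `min_campaigns` distinct campaigns."""
    hits = defaultdict(set)
    for campaign, user, _, action in events:
        if action in RISKY:
            hits[user].add(campaign)
    return sorted(user for user, campaigns in hits.items() if len(campaigns) >= min_campaigns)


def priority_departments(events, threshold=0.5):
    """Departments whose click rate meets the threshold, worst first."""
    rates = department_click_rates(events)
    return sorted((d for d, r in rates.items() if r >= threshold), key=lambda d: -rates[d])


if __name__ == "__main__":
    for dept, rate in sorted(department_click_rates(EVENTS).items()):
        print(f"{dept:12} click rate {rate:.0%}")
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("prioritize training for:", priority_departments(EVENTS))
```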
About Vonahi Security
Vonahi Security is a cybersecurity consulting firm that offers modern consulting services to help organizations achieve both compliance and security best practices. With over 30 years of combined industry experience in both offensive and defensive security operations, our team of certified consultants has experience working with a significant number of organizations, industries, networks, and technologies. Our service expertise includes Managed Security, Adversary Simulations, Strategy & Review, and User Education & Awareness. Vonahi Security is headquartered in Atlanta, GA. To learn more, visit www.vonahi.io.