Can the phishing epidemic be stopped?
- By Eyal Benishti
- Oct 26, 2016
Researchers at Germany's Friedrich-Alexander University (FAU) recently conducted two spear-phishing studies. Before the experiment was underway, a questionnaire was sent to all participants asking them to “rate their own awareness of security.” Of the 1,700 participants, 78 percent claimed they were aware of the risks of clicking on unknown links.
Astonishingly, despite four-fifths of participants identifying themselves as security conscious, 56 percent clicked on unknown links in email messages, and 37 percent clicked on unknown links sent in Facebook messages. In speaking about these results, Zinaida Benenson, FAU’s chair of computer science and leader of the study, told Ars Technica, “the overall results surprised us.”
The results of this study are daunting for both private and public sector organizations, as the most common remedy for phishing attacks to date has centered on human intelligence, or the belief that extensive employee training can transform ordinary workers into hyper-vigilant phishing detectives.
The facts of the phishing epidemic
Phishing attacks have evolved in sophistication and frequency since they first originated in the 1990s. The first recorded mention of the term ‘phishing’ was found in AOHell, a tool released in 1995 to hack Windows America Online (AOL) users by allowing the attacker to pose as a company representative and steal passwords and credit card information. AOHell influenced many future phishing scams and, over the years, phishers transitioned from amateur to professional cyber criminals.
Phishing attacks have evolved from a routine nuisance into an epidemic that can cost up to $4 million per event to remediate. Perpetrated by every type of criminal, from nation-state actors and hacktivists to script-kiddies and fraudsters, phishing now accounts for 95 percent of all successful cyberattacks worldwide. In the first quarter of 2016, phishing attacks surged by 250 percent -- the highest level since 2004, according to the Anti-Phishing Working Group. In commenting on the surge, the APWG’s co-founder and Secretary General Peter Cassidy said, “The threat space continues to expand despite the best efforts of industry, government and law enforcement.”
More effective than traditional phishing scams are spear-phishing attacks. This type of attack carefully targets employees with emails crafted to appear to be from a colleague. Spear-phishing attacks have played a role in some of the largest cyberattacks to date, including those that hit JPMorgan Chase, Target and Sony. In March 2016, someone posing as Snapchat’s CEO targeted the company’s payroll department requesting employee information and, because the email’s recipient didn’t recognize the scam, 700 employees’ payroll information was compromised. These types of attacks have also exposed millions of W-2 employee data records in large enterprises such as Time Warner Cable, healthcare networks and insurance companies.
Why people click
It’s simple: people aren’t perfect. In fact, according to a recent IBM Security Officer Assessment, “95 percent of information security incidents involve human error.”
Overall, there are numerous reasons why both aware and unaware people click on suspicious links. Everyone from a CEO to a janitor can fall victim to a phishing scam simply by not paying attention, by multitasking, or by giving in to curiosity, confusion, fear or gullibility and never stopping to ask whether the request is plausible. A 24-year-old junior-level employee will find it hard not to click on a link within an email that looks exactly like it’s coming from a superior.
Studies show that this type of context-rich phishing attack, containing a deadline and a feared consequence (loss of access to an email account, for example), is also positively correlated with the click rate. According to a 2015 study conducted at the University of Buffalo, “the more urgent the message appears, the more likely people are to fall for it.” Other analysis concludes that phishing attacks targeting social media accounts have a higher success rate.
InfoWorld’s Robert A. Grimes suggests that the professionalization of phishing attacks may also play a role:
“Today’s professional internet criminals work 9-to-5 days, pay taxes, and get weekends and holidays off. The companies they work for often have dozens to hundreds of employees, pay bribes to local law enforcement and politicians, and are often seen as the employer of choice in their region. Working for companies that break into companies in other countries is often proudly worn as a patriotic badge.”
For public sector organizations in particular, phishing attacks cannot be considered the cost of doing business, which is sometimes the position of the private-sector enterprise. A successful attack can potentially lead to a breach of networks or servers that can compromise the integrity, confidentiality and availability of sensitive information or national security.
Employee training is essential; it should remain an important part of an organization’s phishing mitigation strategy, even though it is costly, time consuming, only partially effective, and hard to keep current with the latest phishing methods. However, as we’ve seen with the increase in attacks in 2016, phishing scams will continue to hit inboxes, because no matter how much time, money and resources organizations spend on employee education, a percentage of workers will eventually take the bait.
Therefore, to help mitigate risk from phishing attacks, public-sector organizations should:
- Incentivize employees to continuously pursue cybersecurity education.
- Work with human resources to integrate phishing mitigation into the onboarding process.
- Create organizationwide cybersecurity standards that hold employees accountable for proper IT usage.
- Seek cybersecurity solutions that can automatically remediate attacks with or without human involvement.
- Share intelligence so digital assets can be protected from attacks that are trending.
Phishing attacks aren’t going away anytime soon, and the public sector will continue to be a primary target. Therefore, as the FAU study and others make evident, the responsibility for mitigating attacks must be placed not just on employees, but also on organizations, which must share intelligence and deploy technologies that can issue an automatic response. One successful phishing attack is all it takes for catastrophic consequences to occur.