You probably know what phishing is. It’s been around almost as long as the Internet, and everyone from your employer to Facebook provides warnings about how to identify and report such scams.
But are you aware of how extensive phishing is? The cyber security company Webroot has identified four facts about how phishing works that might make you see the threat in a new light.
1. Phishing sites have a lifecycle of about 15 hours.
In order to reduce the chances of being detected and blocked, scammers are constantly creating new phishing sites and deactivating old ones.
On average, phishing sites are live for only 15 hours. By the time someone’s raised the alarm about a malicious site and the organisation has updated its security measures and warned employees not to click the link, the fraudster is already well on their way to their next scam.
2. Most malicious links are hidden within benign domains.
Scammers rarely use dedicated domain names for phishing attacks these days, because they can be easily identified and blacklisted.
Instead, malicious emails will almost always contain domains “associated with benign activity” to increase the probability of their success. Criminal hackers prefer to compromise a single page of a benign site and replace its content with a phishing page, which is more difficult to detect.
3. About 400,000 phishing sites are created each month
To keep up with the phishing sites’ brief lifecycle, scammers are forced to create hundreds of thousands of phishing sites each month.
The websites might be used for a single phishing campaign or used for a variety of attacks. Either way, it’s easy to see why it’s so difficult for spam filters keep track of malicious sites. There are simply so many that a few will inevitably fall through the system and end up in users’ inboxes.
4. Google, PayPal and Apple are the most commonly spoofed organisations
Scammers have always targeted well-respected organisations, but things are so much easier for them now that there are dozens of organisations that collect the majority of people’s personal data.
Google is the most frequently spoofed organisation, but PayPal, Amazon and Facebook are also hugely popular subjects for phishing scams.
Want to know how to prevent phishing attacks?
If you want to avoid falling for phishing scams, you have to trust your own judgement. Technological solutions like spam filters can’t catch everything, and they won’t help in the event of specific forms of phishing, like BEC (business email compromise) scams.
Fortunately, no matter how severe the threat is, there are always clues that can help you identify phishing scams.
You can teach your employees how to become experts at spotting those clues with the help of our Phishing Staff Awareness Course. Packed with real-life examples and best practices for staying safe, this online course helps employees become an active part of your organisation’s cyber security strategy.
A version of this blog was originally published on 14 December 2016.