Phishing is the most common type of cyber attack because:
- It’s incredibly easy to do – hackers don’t need high-tech skills and tools, and the latter are often sold as ready-made kits on the Internet;
- It targets human beings, who are easier to trick than machines;
- It targets a high volume of people to maximise the likelihood of success with the minimum effort.
The Webroot Phishing Threat Trends report identified four eye-opening facts about phishing that all companies should be aware of:
The lifecycle of a phishing site is, on average, under 15 hours.
To lower the chance of being detected and blocked, attackers have shortened the duration of phishing attacks. The lifecycle of phishing sites has now shrunk to an average of 15 hours, ranging from 15 minutes to 44 hours.
Almost all phishing URLs are hidden within benign domains.
Phishing attacks don’t use new dedicated domain names anymore because they can be easily identified and blacklisted. Almost 100% of phishing attacks now “use domains typically associated with benign activity” to increase the probability of their success. Hackers prefer to compromise a single page of a benign site and replace its content with a phishing page, which is more difficult to detect. Consequently, sifting through static or crowdsourced blacklists of bad domains and URLs is no longer the go-to solution to check for phishing because pages that have been marked as benign can be readily hacked and turned malicious.
An average of over 400,000 phishing sites have been observed each month this year.
To keep up with the phishing sites’ brief lifecycle, hackers are forced to increase the number of phishing sites.
Google, PayPal, Yahoo and Apple are the most impersonated companies.
Impersonating world-renowned tech companies seems to be the trend. Of all phishing sites detected between January and October 2016, Google was the most-impersonated brand (21%), followed by Yahoo (19%), Apple (15%), PayPal and Wells Fargo (both 13%).
To fight phishing attacks, use your brain.
There is no tech defence against phishing attacks that guarantees security because it’s a fallible human who decides to click the malicious link. The more that people are aware of phishing and its risks, the less likely they are to swallow the bait and put the whole company at risk.
Staff training reduces the risk of successful phishing attacks. Packed with real-life examples, best practices and tips to spot the scam, the Phishing Staff Awareness E-learning course helps employees become an active part of the company’s cyber security strategy.