Phishing scams are among the most common and dangerous type of attack that organisations face.
Indeed, Verizon’s Data Breach Digest found that 90% of all data breaches involve phishing.
But what makes these attacks so successful? An Osterman Research report suggests there are six causes of phishing.
1. Users are the weakest link
Even if most of us think we would be able to spot a phishing scam when we receive one, it only takes a momentary lapse in judgement for us to fall victim.
The panic one experience when they receive a message claiming that, for example, there has been suspicious activity on the recipient’s account will in many cases cause people to overlook signs that the message is malicious.
But by that point it’s too late, with the victim already clicking links, opening attachments and handing over their username and password.
The good news is this is a weakness that organisations and individuals have the power to address. All they have to do learn about the way phishing works and the clues to look out for.
Unfortunately, most users don’t receive the necessary training. Indeed, researchers have found that 52% of users receive training no more than twice per year, and 6% of users have never received security awareness training.
The result? IT departments are not at all confident in their users’ ability to recognise incoming threats, or in their organisation’s ability to stop phishing campaigns and related attacks.
2. Organisations aren’t doing enough
Staff awareness training isn’t the only step that organisations can take to better protect themselves from phishing scams.
The report highlights three key areas of weakness:
- Insufficient backup processes
In the event of a ransomware attack, most organisations have insufficient backup processes. This leaves them unable to quickly restore content on servers, user workstations and other endpoints to a healthy state.
- Lack of user testing
Most organisations do not have adequate procedures in place to test their users, leaving them unable to determine which staff members are the most susceptible to an attack.
Conducting a simulated phishing attack can help you establish whether your employees are vulnerable to phishing emails, enabling you to take immediate remedial action to improve your cyber security posture.
- BYOD security risks
Many organisations lack a BYOD (Bring Your Own Device) policy, meaning that, should a cyber criminal compromise an employee’s device, they will be able to gain access to sensitive data not only on that device but to leverage their access across the network.
3. Criminal organisations are well funded
The massive success that cyber criminals have had in recent years means they have plenty of funds to invest in scams.
As such, they can invest in technical resources to root out make their scams run more efficiently – whether that’s in the number of scams they can send, the authenticity of their bogus messages or the complexity of their campaigns.
It’s also enabled cyber criminals to branch out into new attack vectors. For example, there has been a significant increase in social media in recent years.
This is particularly dangerous, because most advice about phishing relates to email-based scams – or, occasionally, to phone scams (‘vishing’). People are therefore less likely to spot the techniques that fraudsters use on social media.
4. Cyber criminals are shifting their focus
The availability of stolen data on the dark web has decreased its commercial value.
Scammers can now buy payment card data on the dark web for as little as $9 (about £6.80), so there’s less profit to be had for those stealing and selling this information.
In response, cyber criminals have changed tactics, looking to make money through organisations directly thanks to ransomware attacks.
These types of attack are no more complicated for a cyber criminal to pull off, but the rewards can be much greater.
Although experts warn organisations not to pay ransoms, it’s certainly tempting to wire transfer a lump sum in the hopes that you’ll get your systems back online rather than face the headaches that come with incident response.
5. Phishing tools are low-cost and widespread
There are an increasing number of tools that are designed to help amateurs with little IT knowledge get into the cyber crime industry.
The availability of phishing kits and the rise of ransomware-as-a-service has resulted in an explosion of ransomware and other exploits coming from an ever growing network of amateur cyber criminals.
6. Malware is becoming more sophisticated
Over time, phishing and various types of malware have become more sophisticated.
The problems of phishing, spear-phishing, CEO fraud, business email compromise and ransomware are simply going to get worse without appropriate solutions and processes to defend against them.
Protect your organisation against phishing
Educated and informed employees are your first line of defence. Empower them to make better security decisions with our complete staff awareness e-learning suite.
A cost-effective way of managing all your staff awareness training in one place, the complete suite contains eight e-learning courses to help you transform your employees from threats to assets.
A version of this blog was originally published on 27 March 2017.