2016 Delivered Major Insight Into Phishing Attacks.
What is a phishing attack? And why do users keep falling for it? Although most readers will probably know what it is, you’d be surprised how many don’t. And an even larger number of people don’t know how to deal with these attacks. Phishing is just what it sounds like. Hackers try to obtain credentials, credit card details and other important information by fishing around for willing prey. They send out things like emails in which they try to get users to download attachments or follow links to fake sites. Not so surprisingly, people keep clicking.
According to the 2016 Verizon report, 9,576 phishing attacks occurred in 2015. And, according to PhishMe, 91% of cyber attacks that resulted in a data breach started with a spear-phishing email. So one thing is very clear: phishing is still a BIG PROBLEM!
Insight Into Phishing Attacks
Phishing attacks are often highly effective in a business setting because hackers have learned to prey on the aspects of office life where they know people can be manipulated. Employees have difficulty identifying phishing emails themed as routine office communications or finance requests. In these instances, high-level executives can sometimes be impersonated (known as CEO Fraud, and we’ve got a frightening video to share here on it), and the attacker uses that status to manipulate employees.
Fear, stress, and the ever-present urgency impressed upon all staff cause employees to make poor decisions that open the door for phishing attacks. And if it’s not fear, stress or urgency motivating employees, it’s curiosity. Users are curious, and they will click! Verizon reported that
It took a recipient an average of one minute 40 seconds to open the email [upon first receiving it] and three minutes 45 seconds to click on the malicious attachment.
What’s even more interesting is that there are still companies out there who are not training their employees to fight against these types of attacks.
Which Types Are Most Effective?
There are a number of different types of attacks that users and employers should be aware of. PhishMe, in its Enterprise Phishing Susceptibility and Resiliency Report, outlined the following:
Click-only: An email that urges the recipient to click on the embedded link.
Data entry: An email with a link to a customized landing page that entices employees to enter sensitive information.
Attachment-based: Themes of this type train employees to recognize malicious attachments by sending emails with seemingly legitimate attachments in a variety of formats.
Double Barrel: A conversational phishing technique that utilizes two emails – one benign and one containing the malicious element.
Highly Personalized: Simulates advanced social engineering tactics by using specific known details about email recipients gathered from internal and public sources.
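To make the taxonomy above and the fear/urgency pattern described earlier concrete from the defender’s side, here is an added example (not zbrella’s or PhishMe’s tooling, and not code from the original post) that triages a user-reported email: it flags links whose visible text names a different domain than the actual href, attachments of risky types, and urgency wording, then labels the email as attachment-based or link-based. The message shape, the risky-extension list, the urgency phrases and the sample emails are all constructed assumptions for illustration.

```python
"""Triage heuristics for a reported email. Added example with constructed data."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of attachment types worth escalating; tune to your environment.
RISKY_ATTACHMENT_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".htm", ".html", ".iso"}

# Assumed pressure phrases matching the fear/stress/urgency pattern described in the article.
URGENCY_PATTERNS = [
    r"\bimmediately\b", r"\burgent\b", r"\bwithin 24 hours\b",
    r"\baccount will be (?:suspended|closed|locked)\b", r"\bverify your (?:account|password)\b",
]


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._href, self._text = href, []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Crude 'last two labels' approximation of the registrable domain (no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage(message):
    """Return (scenario, findings) for a message dict with keys from, subject, html, attachments."""
    findings = []
    collector = _LinkCollector()
    collector.feed(message.get("html", ""))
    sender_host = message.get("from", "").rsplit("@", 1)[-1].lower()

    for href, text in collector.links:
        href_host = _host(href)
        # Visible text that itself looks like a URL or domain but the href goes elsewhere
        m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
        if m and href_host and _registrable(m.group(1)) != _registrable(href_host):
            findings.append(f"link text '{m.group(1)}' points at '{href_host}'")
        # Link domain differs from sender domain (weak signal on its own, e.g. mailing services)
        if href_host and sender_host and _registrable(href_host) != _registrable(sender_host):
            findings.append(f"link host '{href_host}' differs from sender domain '{sender_host}'")

    risky = [a for a in message.get("attachments", [])
             if "." + a.rsplit(".", 1)[-1].lower() in RISKY_ATTACHMENT_EXTENSIONS]
    findings.extend(f"risky attachment type: {a}" for a in risky)

    body_text = re.sub(r"<[^>]+>", " ", message.get("html", ""))
    haystack = (message.get("subject", "") + " " + body_text).lower()
    findings.extend(f"urgency cue: /{p}/" for p in URGENCY_PATTERNS if re.search(p, haystack))

    if risky:
        scenario = "attachment-based"
    elif collector.links:
        scenario = "link-based"  # click-only vs. data entry is decided by the landing page, not the email
    else:
        scenario = "none"
    return scenario, findings


# Constructed sample messages (not real phishing emails).
SAMPLE_CREDENTIAL_LURE = {
    "from": "it-support@payroll-portal-update.example",
    "subject": "URGENT: verify your account within 24 hours",
    "html": '<p>Your account will be suspended. Sign in at '
            '<a href="http://login.payroll-portal-update.example/auth">https://intranet.corp.example</a></p>',
    "attachments": [],
}
SAMPLE_ATTACHMENT_LURE = {
    "from": "finance@corp.example", "subject": "Invoice Q3",
    "html": "<p>Please review the attached invoice.</p>", "attachments": ["invoice_Q3.docm"],
}
SAMPLE_BENIGN = {
    "from": "hr@corp.example", "subject": "Open enrollment reminder",
    "html": '<p>See the <a href="https://hr.corp.example/benefits">benefits page</a>.</p>', "attachments": [],
}

if __name__ == "__main__":
    for sample in (SAMPLE_CREDENTIAL_LURE, SAMPLE_ATTACHMENT_LURE, SAMPLE_BENIGN):
        print(sample["subject"], triage(sample))
```

None of these checks is conclusive by itself; the value for an awareness program is in pairing them with the user’s report, so that a reported email with several findings is escalated quickly while a benign one with none is closed out and the reporter is thanked.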
What Are They After?
It’s not only important to know what types of phishing attacks are out there, but to also be aware of what hackers are really after. Most commonly, hackers want to obtain credentials to business organizations. In their 2016 report, Verizon reported that out of 905 successful phishing attacks, 91% of those attacks were in pursuit of credentials.
63% of the companies involved stated that the breach involved stolen passwords. Credentials are highly sought after because a foothold inside a company allows hackers to gain control of its finances. Although there are numerous other types of “things” hackers are after, it is almost always about obtaining one thing in the end: money.
What Can We Do?
Despite the fact that this information is readily available on the Internet, and companies are able to use it to their advantage, the success rate of phishing attacks increased by 9% in 2016 from 2015. So what is the problem? Why are phishing attacks still successful? Why do your users keep falling for it?
Simply put, they have not been trained. Many businesses do not train employees at all. Other businesses do provide employees with guidelines, but fail to understand the reasons why their employees keep clicking. Even more, most companies do not put their employees to the test by sending out fake phishing emails to test their knowledge, understand their actions, and help them learn from their mistakes. Too many users do not possess the knowledge to make better decisions.
This type of security must be approached from the ground up. Employees are what protect or jeopardize a business as a whole. Their actions affect the life and wellness of the organization. So if you don’t start putting some TLC into your employees, your business will always keep suffering.
And, to drive the point home, technology is always changing. Hackers are always coming up with new and innovative ways to steal data. And because of this, even if a company has trained its employees, as time goes on, they will need to be educated again. It is a learning process that must always continue.
At zbrella Tech, we’ve got awesome, amazingly brilliant tech geniuses who teach, train, and test users all around the country to learn the rules of security tech etiquette. We’re responsible for increasing company cyber safety by over 90%. Looking to train your employees against the attacks above? Give us a call, we’ll talk to you in person about a custom plan. 718.355.9155