The threat from phishing is greater than ever before. Not only has the volume of phishing emails increased, but threat actors are also using increasingly sophisticated methods to obtain login credentials, distribute malware, and gain access to networks in order to steal data and deploy ransomware.
Businesses have been forced to improve their defenses against phishing attacks or pay the price, and the cost of a successful attack can be considerable. The 2017 Cost of a Data Breach Study by the Ponemon Institute/IBM Security put the average cost of a data breach at $3.62 million.
Research conducted by PhishMe (Cofense) indicates 91% of all cyber attacks start with a phishing email. Protecting against phishing should, therefore, be a priority for businesses, but with funds often tight, what are the most effective anti-phishing defenses to deploy?
Before answering that question, it is first useful to define phishing attacks and explain why they work.
Why are Phishing Attacks Successful?
A phishing attack is an attempt to get an end user to take a particular action, such as installing malicious software or revealing sensitive information. While phishing can occur over the phone, via text message, the Internet, or social media networks, email is the most common attack vector.
Emails are carefully crafted using social engineering techniques to convince end users to open an attachment or click a hyperlink. Attachments contain code, such as a macro or script, that downloads malware, which can be rented cheaply on darknet marketplaces. Hyperlinks direct users to attacker-controlled websites that present a familiar-looking login page, where they are fooled into entering their credentials.
Attackers exploit fear to prompt the desired action, issuing warnings about account closures and security threats. They exploit curiosity, sending links to interesting news or details of fake special offers and prizes. In short, they take advantage of human nature and gaps in security awareness.
Phishing is cheap, the potential profits are substantial, and the attack method is highly effective. Figures from Wombat Security, published in its State of the Phish Report, suggest 76% of businesses have fallen victim to a phishing attack in the past 12 months. Verizon’s Data Breach Investigations Report suggests that 30% of phishing emails are opened, and 12% of end users click on hyperlinks in those messages.
What are the Most Effective Anti-Phishing Measures?
Technological controls are essential for reducing the volume of phishing emails that reach inboxes, so an effective spam filter is the first line of defense. Web filters are also valuable and can block end users from visiting known malicious websites, including the credential-harvesting pages that phishing links point to. Combined, they offer a quick and easy way for organizations to improve their security posture and are highly effective anti-phishing measures. Compared with the cost of mitigating a phishing attack they are incredibly cheap, typically a few dollars a month per employee. No filter catches everything, however, so the messages that do get through still have to be handled correctly by the people who receive them.
Because phishing emails target employees, it is essential that employees can recognize potentially malicious messages and know what to do when one arrives in their inbox. Employees who have not been taught what phishing looks like and how to report it cannot be expected to respond appropriately when a threat arrives.
Security awareness training companies offer a wealth of training content that has been shown to improve security awareness, and government agencies and not-for-profit organizations provide free material to help businesses train their employees. A little training goes a long way. Combined with phishing simulation exercises, it can greatly reduce susceptibility to phishing; reductions in simulated-phishing click rates of as much as 95% are reported.
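The lookalike login pages and malicious attachments described earlier, and the filter checks recommended here, can be made concrete with a small scanner. The following Python script is an added example, not code from the original page or from any filtering product. It flags the indicators a mail filter or a trained employee would look for: a sender domain or link target that imitates a known brand, a display name that claims a brand the address is not from, anchor text that shows one URL while opening another, and attachment types that commonly carry a malware downloader. The brand list, the risky-extension list, the crude two-label domain rule and the regex-based anchor matcher are simplifying assumptions, and both messages are constructed samples rather than real traffic.

```python
import re
from email import message_from_string, policy, utils
from urllib.parse import urlparse

# Assumptions: placeholder brand list (a real filter loads the organisation's own domains)
# and attachment extensions that commonly carry a first-stage malware downloader.
PROTECTED_DOMAINS = ("paypal.com", "microsoft.com")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".hta", ".scr", ".lnk", ".iso", ".docm", ".xlsm")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Simplified anchor matcher; a production scanner would use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); a production filter would use the public suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch typosquats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the protected domain that host imitates, or None if it looks clean."""
    labels, reg = host.lower().split("."), registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return None
    for brand in PROTECTED_DOMAINS:
        # Typosquat (paypa1.com) or brand name buried in a label (paypal-secure-login.example).
        if levenshtein(reg, brand) <= 2 or any(brand.split(".")[0] in lbl for lbl in labels):
            return brand
    if any(lbl.startswith("xn--") for lbl in labels):  # punycode can hide homoglyphs
        return "an IDN homoglyph (punycode label)"
    return None


def scan_message(raw):
    """Return a list of (indicator, detail) pairs found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # Sender: lookalike domain, or a display name claiming a brand the address is not from.
    name, addr = utils.parseaddr(str(msg.get("From", "")))
    sender_host = addr.rsplit("@", 1)[-1]
    if brand := lookalike_of(sender_host):
        findings.append(("sender-lookalike", f"{sender_host} imitates {brand}"))
    for brand in PROTECTED_DOMAINS:
        if brand.split(".")[0] in name.lower() and registrable_domain(sender_host) != brand:
            findings.append(("display-name-mismatch", f"'{name}' sent from {sender_host}"))
    # Links: lookalike targets, and anchor text that shows one URL while opening another.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_subtype() == "html":
        links = ANCHOR_RE.findall(content)
    else:
        links = [(url, url) for url in URL_RE.findall(content)]
    for href, text in links:
        host = urlparse(href).hostname or ""
        if brand := lookalike_of(host):
            findings.append(("link-lookalike", f"{href} imitates {brand}"))
        shown = URL_RE.search(text)
        if shown and registrable_domain(urlparse(shown.group()).hostname or "") != registrable_domain(host):
            findings.append(("link-text-mismatch", f"shows {shown.group()} but opens {href}"))
    # Attachments: file types that commonly carry the first-stage downloader.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", filename))
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_PHISH = """\
From: "PayPal Security" <alerts@paypal-secure-login.example>
Subject: Your account will be closed in 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<a href="http://paypa1.com/login">https://www.paypal.com/signin</a>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.docm"

UEsDBBQ=
--b1--
"""
SAMPLE_CLEAN = """\
From: IT Helpdesk <helpdesk@corp.example>
Content-Type: text/plain; charset="utf-8"

Please read the updated policy at https://intranet.corp.example/policy
"""

if __name__ == "__main__":
    print(*scan_message(SAMPLE_PHISH), scan_message(SAMPLE_CLEAN), sep="\n")
```

Running the script lists five indicators for the constructed phish (lookalike sender, mismatched display name, typosquatted link target, misleading anchor text, and a macro-enabled attachment) and none for the clean internal message. Heuristics like these are only one layer: a production filter also checks sender authentication (SPF, DKIM, DMARC) and URL reputation, and some messages will still get through to the user.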